Permissions on shadow files

doyho (New Member, joined Mar 27, 2023)
In CentOS 7 and Ubuntu 22.04, when you use the ls -l command to view the permissions of the shadow file, you get (----------) for CentOS 7 and (-rw-r-----) for Ubuntu 22.04, but the root user has read and write permissions to the file in both cases, so why are the permissions shown by ls -l for the shadow file different?
 

The shadow file contains sensitive information such as encrypted passwords, and therefore the default permissions for this file are set to be very restrictive, even for the root user.

In CentOS 7, the shadow file has a permission of "----------", which means no one has any permission to read, write, or execute the file. This is because in CentOS 7 the shadow file is used in combination with the SELinux security module, which implements mandatory access control (MAC) policies.

In Ubuntu 22.04, the shadow file has a permission of "-rw-r-----", which means that the owner of the file (root) has read and write permissions, but all other users have no permissions to read, write or execute the file. This is the default permission setting for the shadow file in Ubuntu.

Therefore, the two different operating systems have different default permission settings for the shadow file due to differences in their security modules and policies. However, the permissions can be modified using the chmod command if necessary.

To change the permission of the shadow file in CentOS 7 to "-rw-r-----", you would run:

Code:
chmod 640 /etc/shadow

To change the permission of the shadow file in Ubuntu to "----------", you would run:

Code:
chmod 000 /etc/shadow
 
In different versions of CentOS, are the default permissions of shadow files all "----------"?
 
Yes, by default, the permission of the shadow file in CentOS is "----------" in all versions. This is because CentOS uses the SELinux security module, which implements mandatory access control (MAC) policies for system resources, including files. These policies are designed to enforce strict access controls on sensitive files and prevent unauthorized access, even by the root user.

The "----------" permission on the shadow file means that it is completely hidden and inaccessible to all users, including the root user. However, SELinux policies allow the root user with a specific set of privileges to access the shadow file.

To view the SELinux context of the shadow file, you can use the "ls -Z" command. The context will be displayed in the last column of the output. The context for the shadow file should look similar to the following:

Code:
----------. 1 root root system_u:object_r:shadow_t:s0 769 Jul 13 15:07 shadow

Here, the "shadow_t" context indicates that the file is a shadow file under the control of SELinux policies.

Remember, modifying or changing the permissions of the shadow file can cause security vulnerabilities and should not be done unless you have a good reason to do so.
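As an added example, not code from the thread or from either distribution, the script below turns the two checks discussed above (the DAC mode bits from ls -l and the SELinux type from ls -Z) into a small audit routine. It parses a listing line, converts the symbolic mode (such as "----------." or "-rw-r-----") to octal, and flags anything a defender would not want to see on /etc/shadow: an owner other than root, a group other than root or shadow, any permission bits for "other", group-write or execute bits, or an SELinux type other than shadow_t. The baseline (allowed groups, expected type) and the sample listing lines other than the CentOS one quoted above are assumptions constructed for the example; the live_audit helper reads the real file on the host and is optional.

```python
"""Audit /etc/shadow ownership, mode bits and SELinux type from ls-style output.

Added example, not part of the original thread. Baseline values below are
assumptions chosen for the example, not a distribution's documented policy.
"""
import os
import re
import stat

ALLOWED_GROUPS = {"root", "shadow"}      # assumption: Ubuntu uses group "shadow", CentOS "root"
EXPECTED_SELINUX_TYPE = "shadow_t"       # taken from the ls -Z line quoted in the thread

# ls -l / ls -Z line: mode, link count, owner, group, [context], size, date, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9}[.+]?)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"(?:\s+(?P<ctx>\S+:\S+:\S+:\S+))?\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>\S+)$"
)


def symbolic_to_octal(mode_str: str) -> int:
    """Convert an ls(1) mode field such as '-rw-r-----' to its numeric mode (0o640).

    Handles setuid/setgid/sticky letters (s, S, t, T) and the trailing '.' or '+'
    that ls appends when an SELinux context or an ACL is present.
    """
    mode_str = mode_str.rstrip(".+")
    if len(mode_str) != 10:
        raise ValueError(f"not a 10-character mode string: {mode_str!r}")
    bits = 0
    for i, ch in enumerate(mode_str[1:]):          # positions 0..8 -> bits 0o400..0o001
        if ch in "rwx":
            bits |= 1 << (8 - i)
        elif ch in "sS":                           # owner (i == 2) or group (i == 5) execute slot
            bits |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":
                bits |= 1 << (8 - i)
        elif ch in "tT":                           # sticky bit in the "other" execute slot
            bits |= stat.S_ISVTX
            if ch == "t":
                bits |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {mode_str!r}")
    return bits


def evaluate(mode: int, owner: str, group: str, selinux_type):
    """Apply the baseline and return a list of human-readable problems (empty = clean)."""
    problems = []
    if owner != "root":
        problems.append(f"owner is {owner}, expected root")
    if group not in ALLOWED_GROUPS:
        problems.append(f"group is {group}, expected one of {sorted(ALLOWED_GROUPS)}")
    if mode & 0o007:
        problems.append(f"'other' has permission bits: mode {mode:04o}")
    if mode & stat.S_IWGRP:
        problems.append(f"group-writable: mode {mode:04o}")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append(f"execute bits set: mode {mode:04o}")
    if selinux_type is not None and selinux_type != EXPECTED_SELINUX_TYPE:
        problems.append(f"SELinux type is {selinux_type}, expected {EXPECTED_SELINUX_TYPE}")
    return problems


def audit_shadow_listing(line: str) -> dict:
    """Parse one ls -l / ls -Z line and return mode, owner, group, SELinux type and problems."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ls line: {line!r}")
    mode = symbolic_to_octal(m["mode"])
    se_type = m["ctx"].split(":")[2] if m["ctx"] else None   # user:role:type:level
    return {
        "name": m["name"], "mode": mode, "owner": m["owner"], "group": m["group"],
        "selinux_type": se_type,
        "problems": evaluate(mode, m["owner"], m["group"], se_type),
    }


def live_audit(path: str = "/etc/shadow") -> dict:
    """Same checks against the real file via stat(2); needs root to read the xattr on some hosts."""
    import grp, pwd                                 # Unix-only modules, imported lazily
    st = os.stat(path)
    try:
        ctx = os.getxattr(path, "security.selinux").decode().rstrip("\0")
        se_type = ctx.split(":")[2]
    except (OSError, AttributeError):               # no SELinux, or xattr not readable
        se_type = None
    owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    mode = stat.S_IMODE(st.st_mode)
    return {"name": path, "mode": mode, "owner": owner, "group": group,
            "selinux_type": se_type, "problems": evaluate(mode, owner, group, se_type)}


# First line is the CentOS 7 output quoted in the thread; the others are constructed samples.
CENTOS_LINE = "----------. 1 root root system_u:object_r:shadow_t:s0 769 Jul 13 15:07 shadow"
UBUNTU_LINE = "-rw-r----- 1 root shadow 1234 Mar 27 10:00 shadow"
BAD_LINE = "-rw-r--r-- 1 root root system_u:object_r:etc_t:s0 769 Jul 13 15:07 shadow"

if __name__ == "__main__":
    for line in (CENTOS_LINE, UBUNTU_LINE, BAD_LINE):
        r = audit_shadow_listing(line)
        print(f"{r['name']}: mode {r['mode']:04o} {r['owner']}:{r['group']} "
              f"type={r['selinux_type']} -> {r['problems'] or 'OK'}")
```

Both listings from the thread pass: mode 0000 and 0640 each deny every non-root user, and the CentOS context carries the shadow_t type. The constructed BAD_LINE is reported twice, once for the world-readable bit and once for the wrong SELinux type, which is the combination a host-hardening check should catch regardless of which distribution produced the file.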