Why is everybody so concerned about etc/passwd?

Here is the content of my vagrant machine of this particular file:

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/us$

Could anybody explain to me why it is bad if some evil guy could get this file from my production server?

Asked By: funguy


The key point is that pentesters/white hats/ethical hackers as well as black hats target /etc/passwd as a proof of concept, as a test of the possibility of gaining access to a system.

Technically, /etc/passwd isn’t that scary. In the past it used to store private data, passwords obviously, but nowadays you’d need to be more worried about /etc/shadow – most Linux systems nowadays use the shadow suite of utilities to keep a hashed and salted password in /etc/shadow, which unlike /etc/passwd isn’t world-readable (unless you use the pwunconv command, which actually moves the hashed passwords back into /etc/passwd).

The only more or less sensitive piece of info is the usernames. If you have sshd or telnet on the server and a username with a weak password, there is a potential for a brute force attack.

By the way, your very same question has been asked before. Here I merely restated some of the concepts mentioned there already.

Small addition: this is a little far-fetched, but I’ve noticed that you have bash as root shell. Now, suppose you have a user on the system that has bash as their shell, even worse – that user is a sudoer. Now, if your bash is outdated or unpatched, an attacker could try to exploit the Shellshock vulnerability to steal data or execute a fork bomb to bring your system down temporarily. So yes, technically /etc/passwd isn’t a big deal, but it does give an attacker an idea of some of the information on what to attempt.

Additional edit, 11/18/2016

Having used an Ubuntu server on Digital Ocean for a while, it came to my attention that most brute force attacks against my server were carried out for the root user – 99% of the entries for failed password in /var/log/auth.log were for root. /etc/passwd, as I mentioned before, gives an attacker a look at the list of users, and not just system users, but human users as well, which means more potential venues for attack. Let’s remember that not all users are security conscious and don’t always create strong passwords, so an attacker’s bet on human error or overconfidence has quite a high probability of being a jackpot.

Answered By: Sergiy Kolodyazhnyy
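
The checks that follow from the answer above, as an added example that is not part of the original answer: a Python audit of passwd-format text that reports hashes left in the world-readable file (the state `pwunconv` produces), empty password fields, accounts with a login shell, and extra UID 0 accounts. The function name, the `NOLOGIN_SHELLS` list and every sample account except the `list` line are assumptions made for illustration.

```python
"""Audit passwd(5)-format text for what a world-readable /etc/passwd exposes."""

# Shells that do not grant an interactive login (assumed list; extend as needed).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample input: only the "list" line is taken from the page.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$examplesalt$examplehash:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/bash
toor:x:0:0::/root:/bin/sh
broken:line
"""


def audit_passwd(text):
    """Return findings grouped by category for passwd(5)-format text."""
    findings = {"hash_in_passwd": [], "empty_password": [],
                "login_capable": [], "extra_uid0": [], "malformed": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings["malformed"].append(lineno)  # truncated or damaged entry
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "":
            findings["empty_password"].append(name)
        elif pw != "x" and pw[0] not in "!*":
            # Not a shadow placeholder and not locked: a hash is stored here,
            # readable by every local user.
            findings["hash_in_passwd"].append(name)
        # An empty shell field means the system default shell, so it counts.
        if shell not in NOLOGIN_SHELLS:
            findings["login_capable"].append(name)
        if uid == "0" and name != "root":
            findings["extra_uid0"].append(name)
    return findings


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for category, items in audit_passwd(src).items():
        print(f"{category}: {items}")
```

Run it with `/etc/passwd` as the argument on the server being reviewed; the `login_capable` list is the set of names worth checking for strong passwords or key-only SSH.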

In order to log on to a machine, you need to know both the user name and password. /etc/passwd provides information on users, which gives you half of the information you need, and used to include a hash of your password.

A hash is something calculated from your password. It is rather easy to calculate a hash from a password, but it is almost impossible to calculate the original password from a hash. If you have the hash, you can try brute force attempts to find the password offline, then only try to connect to the computer once you have found it.

Today, security is improved because the hashes are stored in a different file, /etc/shadow, which by default is not readable by most users.

However, if I had access to both /etc/passwd and /etc/shadow, I could probably find your password using a brute force "dictionary" attack. Since I can do this locally on my machine, you would not notice many failed attempts to find your password, and I would only need to connect to your machine again once I knew the password. I am then free to do whatever I want.

There is more information on Wikipedia: Passwd

Answered By: Warren Hill