Score:0

How to create a user and give it read permission to /etc/shadow file?


I would like to give my web server user (nginx) read access to the /etc/shadow file and I would like to confirm the steps that I am taking to do this. The system I am using is a CentOS 7.

  1. First I created a group called shadow: `groupadd shadow`
  2. Then I added the web server user (nginx) to the group shadow: `usermod -aG shadow nginx`
  3. Then I changed the owner to root and changed the file group owner to group shadow: `chown root:shadow /etc/shadow`
  4. Then I allowed read permissions for all users in the shadow group to read the /etc/shadow file: `chmod g+r /etc/shadow`

After conducting those steps I ran `ls -l /etc/shadow` and I see the following output:

`----r-----. 1 root shadow 1390 Aug 30 12:51 /etc/shadow`

Are these steps that I am following correct? Please let me know, and I can provide additional information if needed.

Score:3

Changing the owner group of such an important file could even break some things, which is dangerous.

The proper secure way to achieve that is to use POSIX ACLs:

`setfacl -m u:special_user:r /etc/shadow`

Another problem here is that you gave this right to Nginx, a web server, which, I suppose, runs some web application. It is a very bad idea to have direct access to /etc/shadow from a web application.

This may seem counterproductive, but this is the way all serious systems do such things: they include a private, secure proxy service which does all the security checks, and the web front end can only talk to this proxy service to get some access to sensitive data or do other sensitive things. For example, this is the way Proxmox VE is built: there is pvedaemon, which does the dangerous things, and pveproxy (a web server) only talks to pvedaemon when it needs to do such things.

The third problem is that you access this file at all. What do you intend to do? This file is a part of the PAM suite. What if the system authentication is modified so it is not using a shadow file, or the file is moved? You should use PAM library calls, which will do all that stuff for you.

Nebek:
Thanks Nikita. I am aware of the security concerns with the /etc/shadow file. The reason why I am letting Nginx have read access to the /etc/shadow file, is that I want to be authenticated using PAM to get into a web application that I am running. This is just to verify that I have properly integrated PAM and Nginx, further down the line I will be using BoKs.
Nikita Kipriyanov:
Then there is no need to allow direct access to the shadow file. PAM exists in part for this to be unnecessary.
Score:0

That looks like the output of

`chmod g=r /etc/shadow`

and not

`chmod g+r /etc/shadow`

i.e. you seem to have accidentally used an equals sign instead of the plus sign.

Edit: I just double checked on my system and the permissions for my /etc/shadow file looks like this:

`----------. 1 root root 1183 20 Aug 11.53 /etc/shadow`

So it looks like your permissions are to be expected!

Nebek:
Interesting, I did check my history of commands that I ran and I did use the correct one, 'chmod g+r /etc/shadow'.
BitGen01100000:
@Nebek Did you see my edit? :)
Nebek:
Oh sorry, just saw it thanks!
djdomi:
Actually, `ls -la /etc/shadow` giving `-rw-r----- 1 root shadow 1050 Aug 28 18:14 /etc/shadow` is the default on Debian
BitGen01100000:
@djdomi I checked this on a CentOS (Version 7.7.1908) system I had running. And I haven't made any changes to this file. So unless you changed anything, it seems to be a difference between the distros. OP did however state that he/she uses CentOS, so I would recommend him/her to use the standard configuration for that distro as a base config instead of mixing and matching between different distros. :)
djdomi:
@BitGen01100000 it doesn't matter, it's even the same idea behind it; moreover, the contributor can go ahead with [this already answered question](https://unix.stackexchange.com/questions/549464/etc-shadow-permissions-security-best-practice-000-vs-600-vs-640)