6

Security policies sometimes demand that root be the first entry in the /etc/passwd file. Is there a valid reason for requiring this, or is it just conventional to do so since the root account is the first one created?

I understand that some places used to use multiple accounts with the same numeric UID, which is bad practice in any regard and much worse for root. In those situations, ls(1) uses the first name it finds that matches the numeric UID, so making sure root is first would mean that all UID 0 account ownerships show up as "root" in directory listings. However, it's even more common to prohibit the creation of multiple accounts with the same UID anyway, so that doesn't make a whole lot of sense as a reason to require this.

Update: A colleague informed me that older versions of some Unix operating systems used the first entry in /etc/passwd to authenticate access to single-user mode. Modern operating systems authenticate to the root account regardless of its position in /etc/passwd and /etc/shadow. I would be interested in finding out when this change was made for the major Unix platforms; I'm told it was pre-Y2K, so likely Linux has never had this issue.

Mike McManus
  • Simply because it is the administrative account :) –  Aug 07 '15 at 18:51
  • 3
    "Security policies sometimes demand that root be the first entry in the /etc/passwd file" <- citation needed – schroeder Aug 07 '15 at 19:07
  • @schroeder: If I had a citation I would not be asking the question. I am trying to justify an internal non-public security policy but do not have the history behind it to do so. I know this has been on external security checklists in the past but cannot find those references at the moment. – Mike McManus Aug 07 '15 at 19:36

1 Answer

7

It has to do with the potential for early entries masking later ones:

Note that earlier entries in /etc/passwd take precedence over, or mask, later entries with the same user name or same user ID. Therefore, please note the order of the entries in the example for the daemon and sync user names (which have the same user ID). Make sure you do not alter this order in your own file.

http://uw714doc.sco.com/en/NET_nis/nisC.passwd.html

Therefore, if you can inject a user named "root" at the beginning of the /etc/passwd file, it could cause some havoc.

schroeder
  • OK, that's pretty much along the lines of the second paragraph in my original question. However, in the case of an attacker injecting a "root" entry at the top of the passwd file I would think making sure the legitimate root entry is at the top doesn't buy you much. – Mike McManus Aug 07 '15 at 20:20
  • 1
    I totally agree, but I'm thinking you could brick the server. That's why I said "havoc" and not "security breach". UID management is far superior to managing the order of /etc/passwd. – schroeder Aug 07 '15 at 20:25
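The masking behaviour quoted in the answer, and the audit check that actually addresses it (duplicate UIDs and names rather than root's position), as an added example that is not part of the original answer. The passwd content is constructed for illustration; `parse_passwd`, `name_for_uid` and `audit` are hypothetical helper names.

```python
"""Audit passwd content for entries masked by earlier ones (added example)."""
from collections import defaultdict

# Constructed sample: a second UID-0 account ("toor") and a duplicate
# "daemon" name appear after the legitimate root and daemon lines.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
toor:x:0:0:duplicate uid 0:/root:/bin/sh
daemon:x:99:99:duplicate name:/nonexistent:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Return (name, uid) tuples in file order; skip blank/malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a valid passwd(5) line; a real audit would flag it
        entries.append((fields[0], int(fields[2])))
    return entries


def name_for_uid(entries, uid):
    """First-match semantics, as a files-backed getpwuid() and ls(1) use."""
    for name, entry_uid in entries:
        if entry_uid == uid:
            return name
    return None


def audit(text):
    """Report whether root is first and which UIDs/names are duplicated."""
    entries = parse_passwd(text)
    by_uid, by_name = defaultdict(list), defaultdict(list)
    for name, uid in entries:
        by_uid[uid].append(name)
        by_name[name].append(uid)
    return {
        "root_first": bool(entries) and entries[0] == ("root", 0),
        "uid0_names": list(by_uid[0]),
        "dup_uids": {u: n for u, n in by_uid.items() if len(n) > 1},
        "dup_names": {n: u for n, u in by_name.items() if len(u) > 1},
    }
```

Reversing the sample's line order makes `name_for_uid(..., 0)` return "toor", which is the masking the SCO documentation warns about; `dup_uids` catches the extra UID-0 account in either order.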