/etc/shadow and /etc/passwd privilege - why is it writable

0

sghk1> id
uid=0(root) gid=0(root)

sghk1> ls -l /etc/shadow
-r--------   1 root     sys         4045 Aug 24 15:52 /etc/shadow

sghk1> ls -l /usr/bin/passwd
-r-sr-sr-x   1 root     sys        26764 Jan 11  2012 /usr/bin/passwd

When I try to edit the file with vi and :wq, it prompts the below:

"/etc/shadow" File is read only

Why is it that when I call /usr/bin/passwd, the file is writable/changeable by the executable, but when I try to manually edit it as root, I can't?

Noob

Posted 2015-08-24T08:44:03.833

Reputation: 1 145

If you really want to write, use :wq! – Cyrus – 2015-08-24T08:57:26.613

Answers

2

As root, you can do "anything", but programs such as vi will make checks to advise you. vim (which is what you probably are using) will allow you to write to a read-only file using :w! (an exclamation mark).

The passwd program is designed to update /etc/shadow, and will use whatever combination of chmod, write, etc. that is needed, without bothering to advise the user.

As an ordinary user (not running as root), of course, vi(m) cannot update /etc/shadow. The /usr/bin/passwd program works because it uses the setuid feature (the "s" when you do ls -l /usr/bin/passwd).

Thomas Dickey

Posted 2015-08-24T08:44:03.833

Reputation: 6 891

Does that mean that /usr/bin/passwd is also somehow ignoring the fact that /etc/shadow is read only? My logic is that if the passwd program is using setuid to execute with root permission, then naturally root should be able to write to the file. So the reason it can't is because vi is making some checks against the file. Am I right? – Noob – 2015-08-24T17:32:32.080

The /usr/bin/passwd program can change the permissions because it runs with root privilege. – Thomas Dickey – 2015-08-24T18:50:09.137

Does that mean the passwd program changes the permission of the shadow file both before and after making changes to the file? – Noob – 2015-08-25T03:28:10.480

The source code is at http://anonscm.debian.org/cgit/pkg-shadow/shadow.git/tree/ (it goes through several steps to ensure that only one process is updating the files at any point). – Thomas Dickey – 2015-08-25T08:38:17.073

2

The file that you have referenced (/etc/shadow) does not show the writable flag in its permissions. vi or vim by default won't write to a file that doesn't have the writable flag, even as root or as the owner of the file, unless you override its behavior with an exclamation point.

You can use :w! to write to the file, ignoring the fact that the writable flag is missing.

Deltik

Posted 2015-08-24T08:44:03.833

Reputation: 16 807

0

Look at the permissions you have on the file: root is the owner, and root itself has only read permission. To change it you should run "chmod u+w /etc/shadow" as root, and it will give "yourself" the write permission.

tvili999

Posted 2015-08-24T08:44:03.833

Reputation: 46