UNIX System Administration Handbook - Evi Nemeth [387]
Problems in the last of these categories are the easiest to find and fix, although there are potentially a lot of them and it’s not always obvious what to check for. Most of the effort that has been put into security-checking tools over the last ten years has been directed at codifying the many ways in which UNIX systems can be inadvertently left open to intruders. Programs such as COPS (discussed starting on page 667) help to make the auditing process rapid and automatic.
21.3 SECURITY PROBLEMS IN THE /ETC/PASSWD FILE
The contents of /etc/passwd (and on some systems, /etc/shadow) determine who can log in and what they can do once they get inside. This file is the system’s first line of defense against intruders. It must be scrupulously maintained and free of errors, security hazards, and historical baggage.
See page 76 for more information about the passwd file.
On FreeBSD systems, the /etc/passwd file is derived from /etc/master.passwd and should not be edited directly. It’s probably a good idea to check both master.passwd and passwd for security problems, however. See page 81 for more information about the master.passwd file.
Password checking and selection
It is important to continually verify (preferably daily) that every login has a password. Entries in the /etc/passwd file that describe pseudo-users such as “daemon” who own files but never log in should have a star (*) in the encrypted password field. The star will not match any password and will thus prevent use of the account.
Several specialized software packages exist to check /etc/passwd for security problems, but the command
perl -F: -ane 'print if not $F[1];' /etc/passwd
suffices just as well for finding null passwords. A script that performs this check and mails you the results can be run out of cron. You can add extra security by writing a script that diffs the passwd file against a version from the previous day and emails any differences to you. You can then verify that any modifications are legitimate.
/etc/passwd and /etc/group must be readable by the world but writable only by root. If your system has an /etc/shadow file, it should be neither readable nor writable by the world. The FreeBSD /etc/master.passwd file should be readable and writable only by root.
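The cron-driven check described above (null passwords, a diff against the previous day's copy, and the permission rules) can be combined into one script; this is an added example, not code from the handbook. The function names and the snapshot path are assumptions, and on systems with /etc/shadow the encrypted-password field lives there, so run the audit on that file as well with the "private" argument.

```shell
#!/bin/sh
# Added example: nightly passwd audit (function names and paths are assumptions).

# Logins whose encrypted-password field (field 2) is empty.
null_password_logins() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Lines removed (<) or added (>) between yesterday's snapshot $1 and today's file $2.
passwd_changes() {
    diff "$1" "$2" | grep '^[<>]' || true
}

# Print the file name if the world-write bit is set.
world_writable() {
    find "$1" -prune -perm -0002 -print
}

# Print the file name if the world-read bit is set (wrong for shadow files).
world_readable() {
    find "$1" -prune -perm -0004 -print
}

# Report on file $1 against snapshot $2, then refresh the snapshot.
# $3 = "private" for /etc/shadow or master.passwd, which the world must not read.
audit_passwd() {
    pw=$1 snap=$2 kind=${3:-public}
    for login in $(null_password_logins "$pw"); do
        echo "NULL PASSWORD: $login"
    done
    if [ -f "$snap" ]; then
        passwd_changes "$snap" "$pw" | sed 's/^/CHANGED: /'
    fi
    if [ -n "$(world_writable "$pw")" ]; then echo "WORLD-WRITABLE: $pw"; fi
    if [ "$kind" = private ] && [ -n "$(world_readable "$pw")" ]; then
        echo "WORLD-READABLE: $pw"
    fi
    ( umask 077; cp "$pw" "$snap" )   # snapshot becomes tomorrow's baseline
}

# Run only when given arguments, e.g. from cron (which mails any output).
# Hypothetical snapshot path:
#   passwd-audit.sh /etc/passwd /var/adm/passwd.yesterday
if [ "$#" -ge 2 ]; then audit_passwd "$@"; fi
```

Keep the snapshot in a directory only root can write, since anyone who can alter the baseline can hide a change from the diff.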
UNIX allows users to choose their own passwords, and although this is a great convenience, it leads to many security problems. When you give users their logins, you should also provide them with instructions for choosing a good password. Tell them not to use their name or initials, the name of a child or spouse, or any word that can be found in a dictionary. Passwords derived from personal data such as telephone numbers or addresses are also easily broken.
Passwords should be at least eight characters long and should include numbers, punctuation, or changes in case. Nonsense words, combinations of simple words, or the first letters of words in a memorable phrase make the best passwords. Of course, “memorable” is good but “traditional” is risky. Make up your own phrase. The comments in the section Choosing a root password on page 39 are equally applicable to user passwords.
On many systems, only the first eight characters of a password are significant. More can be entered, but characters beyond the first eight will be silently ignored. See page 78 for details.
Passwords are normally changed with the passwd command. Various replacements for the standard passwd command force users to select better passwords. We recommend a version of the venerable npasswd package maintained by Clyde Hoover at the University of Texas. It’s available from
http://www.utexas.edu/cc/unix/software/npasswd
Solaris includes a version of passwd that forces users to adhere to certain common-sense rules, like not using their login names as passwords. You can customize the rules for the construction