How monitor which account try to open what ?

[SpongeB0B]

Hi everyone,

I found really odd that by default a lot of distribution set the /etc/passwd as 644. (I rather prefer 640)

I found curious that any user account can list the full list of user registered on the machine..

If I'll set /etc/passwd as 640 is there a way to see which account try and fail to read it ?

Thanks

 

[KGIII]

You'd probably need to install some sort of auditing software for that.

 

[digitaltrails]

Hi everyone,

I found really odd that by default a lot of distribution set the /etc/passwd as 644. (I rather prefer 640)

I found curious that any user account can list the full list of user registered on the machine..

If I'll set /etc/passwd as 640 is there a way to see which account try and fail to read it ?

Thanks

You have to remember the original UNIX was a fairly open/permissive time sharing system. It was intended that you should be able to lookup who you were sharing the machine with - it's not designed to to be a secret. The passwd file is used by libraries/tools that translate UID's to usernames, so it needs to be readable by everyone. Originally, the actual encrypted passwords were stored in there as well, that being safe enough at the time. Later the passwords were moved /etc/shadow, but changing the name of the passwd file was too difficult to contemplate. I suppose it should be called /etc/user to parallel /etc/group.

You could install auditd/auditctl, but any number of different process will access /etc/passwd to lookup the username associated with a UID, it's not worth worrying about.