How to monitor which account tries to open what?

SpongeB0B

Hi everyone,

I found it really odd that by default a lot of distributions set /etc/passwd to 644. (I'd prefer 640.)

I found it curious that any user account can list all the users registered on the machine.. :oops:

If I set /etc/passwd to 640, is there a way to see which accounts try and fail to read it?

Thanks
 


digitaltrails

You have to remember the original UNIX was a fairly open/permissive time-sharing system. It was intended that you should be able to look up who you were sharing the machine with - it's not designed to be a secret. The passwd file is used by libraries/tools that translate UIDs to usernames, so it needs to be readable by everyone. Originally, the actual encrypted passwords were stored in there as well, that being safe enough at the time. Later the passwords were moved to /etc/shadow, but changing the name of the passwd file was too difficult to contemplate. I suppose it should be called /etc/user to parallel /etc/group.

You could install auditd/auditctl, but any number of different processes will access /etc/passwd to look up the username associated with a UID, so it's not worth worrying about.
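
The auditd approach mentioned in the reply above, sketched as an added example that is not part of the original thread: an audit watch on /etc/passwd plus a filter that summarises denied accesses per account. The rule key `passwd_read` and the sample SYSCALL records are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which accounts were denied access to /etc/passwd.
KEY=passwd_read   # arbitrary rule key chosen for this example (assumption)

# Run once as root on a host with auditd: log read access to the file.
install_rule() {
    auditctl -w /etc/passwd -p r -k "$KEY"
}

# The audit tools can answer the same question on a live system:
#   ausearch -k passwd_read --success no -i

# Constructed SYSCALL records in audit.log layout (shortened, not real data).
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1644570001.100:101): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1200 pid=1300 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="passwd_read"
type=SYSCALL msg=audit(1644570002.200:102): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1200 pid=1301 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="passwd_read"
type=SYSCALL msg=audit(1644570003.300:103): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="passwd_read"
type=SYSCALL msg=audit(1644570004.400:104): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1400 pid=1401 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=5 comm="less" exe="/usr/bin/less" key="passwd_read"
type=SYSCALL msg=audit(1644570005.500:105): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1200 pid=1302 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="other_rule"
EOF
}

# Read audit records on stdin; print "<count> uid=.. auid=.. comm=.." for
# every failed (success=no) syscall tagged with our rule key, busiest first.
failed_readers() {
    awk -v key="key=\"$KEY\"" '
        /^type=SYSCALL/ && / success=no / && index($0, key) {
            uid = auid = comm = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^uid=/)  uid  = substr($i, 5)
                if ($i ~ /^auid=/) auid = substr($i, 6)
                if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            }
            n["uid=" uid " auid=" auid " comm=" comm]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Demo on the constructed records; on a real host feed /var/log/audit/audit.log.
sample_log | failed_readers
```

The `auid` field is the login UID, which stays fixed across `su` and `sudo`, so it identifies the account that originally logged in even when `uid` has changed.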
 