Privilege Escalation via Writable /etc/passwd & Shadow Abuse (Conceptual Overview)
/etc/passwd and /etc/shadow are the two most critical files for Linux user authentication. The passwd file maps usernames to user IDs (UIDs), while the shadow file stores the password hashes. When these files have incorrect permissions, the entire system's authentication foundation is compromised.
What Are /etc/passwd and /etc/shadow?
/etc/passwd stores user account information:
- Username
- User ID (UID)
- Group ID (GID)
- Home directory
- Login shell
Expected permission: -rw-r--r-- (644)
Owner: root
Group: root
/etc/shadow stores secure password information:
- Password hashes
- Password aging information
- Account expiration details
Expected permission: -rw-r----- (640) or -rw------- (600)
Owner: root
Group: shadow
How Privilege Escalation Happens (High-Level)
Writable /etc/passwd
- A non-root user has write access to /etc/passwd
- User adds a new entry with UID 0 (root)
- New user authenticates with known password
- User gains persistent root access
Readable /etc/shadow
- A non-root user can read /etc/shadow
- Password hashes are extracted
- Hashes are cracked offline
- Plaintext passwords are recovered
Writable /etc/shadow (Rare, Catastrophic)
- User overwrites root hash with known password hash
- Root password becomes attacker-controlled
Why These Misconfigurations Are Catastrophic
- No exploit required: only file write/read capability
- Persistent access: backdoors survive reboots
- Complete control: attacker becomes root
- Difficult to detect: a new user may blend in
- Immediate incident: assume breach, initiate IR
Real-World Example (Defensive View)
A system administrator writes a backup script that modifies file permissions for maintenance. Due to a logic error, the script executes:
chmod 666 /etc/passwd
The error is not noticed during the maintenance window. Any local user can now write to /etc/passwd. A non-privileged developer adds a new root user:
echo "hacker::0:0:root:/root:/bin/bash" >> /etc/passwd
The developer now has full, persistent root access to the system.
Detecting Permission Misconfigurations
- Automated file integrity monitoring: AIDE, Tripwire, osquery
- Permission auditing: weekly checks of critical file permissions
- User account reviews: unexpected UID 0 entries
- Configuration management: Ansible/Puppet enforcing baseline permissions
Preventing Passwd/Shadow Privilege Escalation
File Permission Hardening
- chmod 644 /etc/passwd (root-only write)
- chmod 640 /etc/shadow (root:shadow read)
- chown root:root /etc/passwd
- chown root:shadow /etc/shadow
System Hardening
- File Integrity Monitoring (AIDE, Tripwire)
- Immutable attribute: chattr +i /etc/passwd
- Regular permission audits via cron
- SELinux/AppArmor mandatory access controls
Key Takeaways
- /etc/passwd writable = immediate root backdoor
- /etc/shadow readable = password hash exposure
- /etc/shadow writable = root password replacement
- These are permission failures, not vulnerability exploits
- Prevention requires defense in depth and monitoring
Passwd/Shadow Command Awareness (Defensive Auditing)
Commands used by system administrators and security auditors to verify correct permissions on authentication files. Shown for defensive awareness only.
Permission Verification Commands
- Check /etc/passwd permissions: ls -la /etc/passwd
  Expected: -rw-r--r-- (644)
- Check /etc/shadow permissions: ls -la /etc/shadow
  Expected: -rw-r----- (640) or -rw------- (600)
- Check for world-writable passwd: find /etc -name passwd -perm -o+w 2>/dev/null
  Should return no results.
- Check for world-readable shadow: find /etc -name shadow -perm -o+r 2>/dev/null
  Should return no results.
User Account Auditing
- List all users with UID 0 (root privileges): awk -F: '$3==0{print $1}' /etc/passwd
  Should only show "root". Any other user is suspicious.
- Check for accounts without passwords (requires root to read /etc/shadow): awk -F: '($2==""){print $1}' /etc/shadow
  Empty password field = no authentication required.
- List all user accounts with valid shells: grep -v "/nologin\|/false" /etc/passwd
  Identifies interactive user accounts.
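The checks in the two auditing sections above, collected into reusable shell functions. This is an added example, not code from the original page; it takes file paths as arguments so it can be exercised on constructed data without root, and the demo uses the page's own backdoor line and chmod error as input.

```shell
#!/bin/sh
# Added example (not from the original page): reusable checks for the
# conditions the page describes. Each takes a file path argument.

# Print every username whose UID field (field 3) is 0. Only root is expected.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print every account whose password field (field 2) is empty, i.e. no
# authentication required. Works on both passwd and shadow layouts.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Octal mode of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Succeed only if the file grants no permission bit beyond the expected
# octal mode, e.g. "mode_within /etc/shadow 640" fails on 644 or 666.
mode_within() {
    actual=$(file_mode "$1")
    [ $(( 0$actual & ~0$2 & 0777 )) -eq 0 ]
}

# Run all checks on one file and report; returns 1 if any finding was raised.
audit_passwd_file() {
    rc=0
    for u in $(uid0_accounts "$1"); do
        [ "$u" = root ] || { echo "FINDING: extra UID 0 account '$u' in $1"; rc=1; }
    done
    for u in $(empty_password_accounts "$1"); do
        echo "FINDING: empty password field for '$u' in $1"; rc=1
    done
    mode_within "$1" "$2" || { echo "FINDING: $1 mode $(file_mode "$1") exceeds $2"; rc=1; }
    return $rc
}

# Demo on constructed data (the page's own backdoor line, in a temp file).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'dev:x:1000:1000:Developer:/home/dev:/bin/bash' \
        'hacker::0:0:root:/root:/bin/bash' > "$d/passwd"
    chmod 666 "$d/passwd"          # the chmod error from the page's example
    audit_passwd_file "$d/passwd" 644
    rm -rf "$d"
}
```

On a real system, run `audit_passwd_file /etc/passwd 644` and, as root, `audit_passwd_file /etc/shadow 640`; a non-zero exit means at least one finding was printed.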
File Integrity Monitoring
- Check file checksum (detect modifications): md5sum /etc/passwd /etc/shadow
  Compare against a known-good baseline.
- Set immutable attribute (prevent modification): chattr +i /etc/passwd /etc/shadow
  Even root must remove the immutable flag first. While it is set, tools that rewrite these files (passwd, useradd, usermod) fail, so remove the flag before planned account changes.
- Check immutable attribute status: lsattr /etc/passwd /etc/shadow
  "i" indicates immutable.
Remediation Commands (Defensive)
- Fix /etc/passwd permissions:
  sudo chmod 644 /etc/passwd
  sudo chown root:root /etc/passwd
- Fix /etc/shadow permissions:
  sudo chmod 640 /etc/shadow
  sudo chown root:shadow /etc/shadow
- Remove unauthorized UID 0 user: sudo userdel -r unauthorized_user
Defender Takeaways
- Audit weekly: check permissions on /etc/passwd and /etc/shadow
- Monitor: alert on any modification to these files
- Harden: consider the immutable flag on production systems
- Verify: only one UID 0 account should exist