permissions /etc/shadow #41
Comments
cc @atomic111
So after reading all comments I didn't find requirements to grant write permissions on this file. Everywhere it says it needs owner root, group shadow and at least read permission for owner. @conorsch's issue is lack of read permission for group in case a desktop manager is used. I propose to check whether the XDG_SESSION_DESKTOP env variable is set and if so, add read perm for group. If there's no such var as XDG_SESSION_DESKTOP - just do whatever we currently do.
Two things @fitz123: I'm on Arch Linux right now, with a desktop manager, and the XDG_SESSION_DESKTOP variable is empty, so this approach seems not to be the best one. Also I don't want to introduce more complexity for such an edge-case (the main use-case for these hardening-roles is on servers where no desktop manager should be installed). I'd like to follow what @atomic111 said in dev-sec/ansible-collection-hardening#86 (comment):
Default values work great for me as well. The simplest way is almost always the better one =) p.s. could you please check the $XDG_CURRENT_DESKTOP var for me? It's interesting to find an easy way to detect a dm, at least with some probability)
Sounds like the consensus is:
That solution would certainly work for my use case, but it seems a bit illogical from the standpoint of the role. @rndmh3ro's point that:
sounds like the sane approach in the context of this hardening role. Can anyone formulate a compelling argument that
The implementation in dev-sec/ansible-collection-hardening#89 preserves the current behavior of root:root 0600, but permits overriding via a dict var. That should make everyone happy. If it gets merged, this issue can be closed without action, since the tests will not need to be updated.
The default permissions for /etc/shadow are:
see https://help.ubuntu.com/community/FilePermissions
see https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2013-02-05/finding/RHEL-06-000035
The Deutsche Telekom security assessment process (which this hardening project loosely follows) proposes:
In my opinion we should follow the operating-system standards here.
On rhel-based systems the os-standards are even safer than the standards in this repo.
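As an added example that is not part of this issue thread and not the dev-sec project's own code, the following Python check compares a file's owner, group and mode against the three policies discussed above: the role default root:root 0600, the Debian/Ubuntu default root:shadow 0640, and the RHEL STIG 0000. The policy names in POLICIES and the demo helper are constructed for illustration. The mode comparison accepts any mode that grants no bit beyond the policy, which is why a RHEL-style 0000 satisfies the role's 0600 default while Debian's 0640 does not.

```python
import grp
import os
import pwd
import stat
import tempfile

# Policies mentioned in the thread (names are constructed for this example).
POLICIES = {
    "role-default": {"owner": "root", "group": "root", "mode": 0o600},
    "debian": {"owner": "root", "group": "shadow", "mode": 0o640},
    "rhel-stig": {"owner": "root", "group": "root", "mode": 0o000},
}


def _name_of_uid(uid):
    # Fall back to the numeric id when the account is unknown on this host.
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _name_of_gid(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_file(path, policy):
    """Return a list of findings; an empty list means the file satisfies the policy.

    Ownership must match exactly. The mode passes if it grants no permission
    bit the policy does not, so a stricter mode (0000 where 0600 is allowed)
    is accepted rather than flagged.
    """
    st = os.stat(path)
    findings = []
    owner = _name_of_uid(st.st_uid)
    group = _name_of_gid(st.st_gid)
    mode = stat.S_IMODE(st.st_mode)
    if owner != policy["owner"]:
        findings.append(f"owner is {owner}, expected {policy['owner']}")
    if group != policy["group"]:
        findings.append(f"group is {group}, expected {policy['group']}")
    extra = mode & ~policy["mode"]
    if extra:
        findings.append(
            f"mode {mode:04o} grants bits {extra:04o} beyond allowed {policy['mode']:04o}"
        )
    return findings


def check_mode_only(mode, policy_name):
    """Evaluate just the permission bits against a named policy (no file needed)."""
    allowed = POLICIES[policy_name]["mode"]
    return (mode & ~allowed) == 0


def demo(mode):
    """Create a constructed temporary file with the given mode and check it
    against the role default, with owner/group replaced by the current user
    so the demo runs without root and never touches the real /etc/shadow."""
    policy = dict(POLICIES["role-default"])
    policy["owner"] = _name_of_uid(os.geteuid())
    policy["group"] = _name_of_gid(os.getegid())
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)  # chmod sets the exact bits regardless of umask
        return check_file(path, policy)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for m in (0o600, 0o000, 0o640):
        print(f"{m:04o}: {demo(m) or 'compliant with role default'}")
```

Running it as a normal user prints that 0600 and 0000 are compliant with the role default and that 0640 grants the extra group-read bit; pointing check_file at the real /etc/shadow with POLICIES["debian"] or POLICIES["rhel-stig"] gives the same kind of report for the OS standard the host actually follows.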