About /etc/passwd
The contents of the file /etc/passwd determine who can log in to the system as a legitimate user and what they can do once inside. This file is the first line of defense against unwanted access, and it must be kept scrupulously free of errors and security flaws. It records the user accounts together with their passwords and access privileges.
A typical line in this file looks like this:
user1:FXWUuZ.vwXttg:500:501:User pepito:/home/usuario1:/bin/bash
The seven fields are separated by colons (:) and mean the following:
user1:           account name (login)
FXWUuZ.vwXttg:   encrypted password
500:             UID of this account
501:             GID of the account's primary group
User pepito:     user's name (comment field)
/home/usuario1:  working (home) directory of user1
/bin/bash:       command interpreter (shell) of user pepito
Some rules to keep in mind about the contents of this file:
* UID 0 belongs to the administrator (root); UIDs below 500 are reserved for the system and UIDs above 500 are for the system's users (note: the 500 boundary may vary from system to system).
The GID of the primary group is defined in /etc/group, and this group is the default group of any file the user creates.
It goes without saying that only the system administrator should have an ID of 0 in either of these two fields. Otherwise you are granting administrator (root) privileges to the account in question.
The only thing that distinguishes a root account from the rest is a UID equal to 0. An account called "pepito" with UID 0 has administrator (root) permissions, and the many programs that report by account name (e.g. who, w, etc.) will simply show "pepito", giving no hint that this account has root permissions.
This is usually the first thing a hacker does to install a backdoor into a system. There are programs that find accounts with root permissions under a name other than root, but in their absence you can use this command:
awk -F: '{ if ($3 == 0) print $1 }' /etc/passwd
The same command, with a small change, finds accounts whose GID is 0:
awk -F: '{ if ($4 == 0) print $1 }' /etc/passwd
* It is very important to check regularly that every account (login) has a valid password. There are programs that check /etc/passwd for security problems, but in their absence you can use the following command to find accounts without a password:
awk -F: '{ if ($2 == "") print $1 }' /etc/passwd
Never leave an account with an empty password field: it means no password is required to enter the system. Pseudo-user accounts (e.g. daemon, lp, etc.) and temporarily closed user accounts should have an asterisk (*) in the password field.
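The three awk checks above, combined into one audit of a passwd-format file. This is an added example and not part of the original article; it runs on a constructed sample file (the entries, names and hash string are made up for the demonstration), and the same functions can be pointed at a copy of /etc/passwd by passing its path as the first argument.

```shell
#!/bin/sh
# Added example, not from the original article: audit a file in /etc/passwd format for
# UID 0 accounts, GID 0 accounts and accounts whose password field is empty.

SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
# Constructed sample: a normal root entry, a locked pseudo-user, a normal user, and three
# entries that break the article's rules (hidden UID 0 account, GID 0 account, empty password).
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:2:2:daemon:/sbin:/sbin/nologin
user1:FXWUuZ.vwXttg:500:501:User pepito:/home/usuario1:/bin/bash
pepito:FXWUuZ.vwXttg:0:501:looks ordinary but is root:/home/pepito:/bin/bash
oper:FXWUuZ.vwXttg:502:0:member of the root group:/home/oper:/bin/bash
shutdown::0:0:shutdown:/sbin:/sbin/shutdown
EOF

# Every account with UID 0 is root, whatever its name.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Every account whose primary group is GID 0.
gid0_accounts() { awk -F: '$4 == 0 { print $1 }' "$1"; }

# Accounts with an empty password field: no password is asked at login.
nopass_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Prints one line per problem. UID 0 and GID 0 are only reported for names other than
# "root", since the real root entry is expected to have both.
audit_passwd() {
    for name in $(uid0_accounts "$1"); do
        [ "$name" != root ] && echo "UID 0 account not named root: $name"
    done
    for name in $(gid0_accounts "$1"); do
        [ "$name" != root ] && echo "GID 0 account not named root: $name"
    done
    for name in $(nopass_accounts "$1"); do
        echo "account with empty password field: $name"
    done
    return 0
}

# Number of problems found, for use in scripts (0 means the file passed the audit).
problem_count() { audit_passwd "$1" | wc -l | tr -d ' '; }

TARGET=${1:-$SAMPLE_PASSWD}
audit_passwd "$TARGET"
echo "problems found: $(problem_count "$TARGET")"
```

On the sample file the audit reports five problems: pepito and shutdown (UID 0), oper and shutdown (GID 0), and shutdown again for its empty password field.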
Another point to consider is the choice of a good password. Do not use dictionary words, names, personal details, license plate numbers, etc., because there are programs able to crack such passwords. Use at least 7 characters (8 recommended) and mix numbers and letters, upper case and lower case. There are replacements for the classic "passwd" program for creating and changing passwords that check that the password is strong enough.
The reason not to use dictionary words, names and the like as passwords is this:
When a password is set, it is encoded with the "crypt" function, which can be described as a one-way hash function: an algorithm that is easy to compute in one direction but very hard to compute in the opposite direction. The crypt function uses a random value called the "salt", a string of two characters from the set [A-Za-z0-9./]. This lets the same password be encoded in 4096 different ways (the first two characters of an encoded password are the salt; the rest, up to 13 ASCII characters in total, is the password encoded according to that salt).
Knowing a little of the theory of how passwords are encrypted, we can imagine how to crack a password that is a dictionary word, a name, a license plate number, etc. There are programs that systematically encode dictionary words in the 4096 ways (one per salt) and compare each result with the encrypted values in /etc/passwd; any match means a password has been broken. This is one of the methods hackers use to crack passwords, and the reason why dictionary words, names, etc. should not be used as passwords.
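A checker that applies the article's password rules (at least 7 characters, 8 recommended; digits plus upper and lower case letters; no dictionary words or names, even with digits appended, since the dictionary attack described above finds those just as easily). This is an added example, not the article's own code nor one of the "passwd" replacements it mentions; the word list is a small constructed stand-in for the dictionaries a real check would use, and the candidate passwords are made up.

```shell
#!/bin/sh
# Added example, not from the original article: check a candidate password against the
# rules given in the text. The word list below is a constructed stand-in for a dictionary.

WORDLIST="password secret pepito madrid letmein qwerty"

# Prints "ok" and returns 0 if the password satisfies the rules; otherwise prints the first
# rule it fails and returns 1. Usage: password_strength 'candidate'
password_strength() {
    pw=$1
    len=${#pw}
    if [ "$len" -lt 7 ]; then
        echo "too short: $len characters, at least 7 required"; return 1
    fi
    case $pw in *[0-9]*) ;; *) echo "no digit"; return 1 ;; esac
    case $pw in *[a-z]*) ;; *) echo "no lowercase letter"; return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) echo "no uppercase letter"; return 1 ;; esac

    # Compare case-insensitively, and also with the digits stripped, so that "Pepito1"
    # is still recognised as the name "pepito" with a digit tacked on.
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    stripped=$(printf '%s' "$lower" | tr -d '0-9')
    for word in $WORDLIST; do
        if [ "$lower" = "$word" ] || [ "$stripped" = "$word" ]; then
            echo "dictionary word or name: $word"; return 1
        fi
    done

    if [ "$len" -lt 8 ]; then
        echo "ok, but 8 or more characters is recommended"
    else
        echo "ok"
    fi
    return 0
}

# Demonstration on constructed candidates; only the last one passes cleanly.
for candidate in Ab1 abcdefgh Pepito1 short1A Xk7pQ2mz; do
    printf '%-10s ' "$candidate"; password_strength "$candidate" || true
done
```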
* Never use scripts or programs as the shell of accounts without a password. One example I once read in a newsgroup discussed how to shut down the computer without being root. One suggested solution was the following line in /etc/passwd:
shutdown::0:0:shutdown:/sbin:/sbin/shutdown
Note that the password field is empty. With this line in your /etc/passwd, anyone, local or not, can shut down your computer simply by telnetting to the machine in question and typing shutdown as the login. No need to explain the implications this may have for your system. ;-)
* /etc/passwd and /etc/group should be readable by everyone, since many programs need to read them, and writable only by root:
-rw-r--r-- 1 root root 11594 Nov 9 12:53 /etc/passwd
-rw-r--r-- 1 root root 1024 Nov 9 12:53 /etc/group
With these permissions, anyone with access to the system can read the contents of these files and try to crack the encrypted passwords of the accounts. On small systems where all users are known and trust each other this is not a big problem, but on systems with a large number of users it is not advisable to leave the system configured this way.
To prevent this you can install shadow passwords. With shadow passwords, /etc/passwd can still be read by anyone with access to the system, but the passwords are stored in a separate file that can only be read by the administrator (root).
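Two checks that follow from the last two points: which accounts still carry their encrypted password in the world-readable passwd file (with shadow passwords that field holds "x", and "*" or "!" for locked accounts), and whether the file modes match the rule above, read from the same "ls -ld" listing the article shows. This is an added example, not the article's own code; it runs on constructed sample files in a temporary directory (the hash in the shadow sample is a labelled placeholder), and it checks the permission bits only, not that the owner is actually root.

```shell
#!/bin/sh
# Added example, not from the original article: find unshadowed hashes in a passwd file and
# verify passwd/shadow permissions. Only mode bits are checked, not ownership.

# Constructed sample files standing in for /etc/passwd and /etc/shadow.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:2:2:daemon:/sbin:/sbin/nologin
user1:FXWUuZ.vwXttg:500:501:User pepito:/home/usuario1:/bin/bash
user2:x:501:501:shadowed user:/home/user2:/bin/bash
EOF
echo 'root:CONSTRUCTED_HASH_PLACEHOLDER:19000:0:99999:7:::' > "$SAMPLE_DIR/shadow"
chmod 644 "$SAMPLE_DIR/passwd"   # readable by all, writable by owner only
chmod 600 "$SAMPLE_DIR/shadow"   # readable and writable by owner only

# Accounts whose password field is neither the shadow marker, a lock marker nor empty,
# i.e. whose encrypted password is visible to every user of the system.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# The group and "others" permission characters of a file, e.g. "r--r--" for mode 644.
group_other_bits() { ls -ld "$1" | cut -c5-10; }

# passwd and group: group and others may read, but nobody except the owner may write.
passwd_perms_ok() {
    case "$(group_other_bits "$1")" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# shadow: nobody except the owner (root) may read or write.
shadow_perms_ok() {
    case "$(group_other_bits "$1")" in
        *[rw]*) return 1 ;;
        *)      return 0 ;;
    esac
}

echo "accounts with a readable hash in passwd:"
unshadowed_accounts "$SAMPLE_DIR/passwd"
passwd_perms_ok "$SAMPLE_DIR/passwd" && echo "passwd permissions ok"
shadow_perms_ok "$SAMPLE_DIR/shadow" && echo "shadow permissions ok"
```

On a real system the same functions would be called as `unshadowed_accounts /etc/passwd`, `passwd_perms_ok /etc/passwd` and `shadow_perms_ok /etc/shadow`; user1 in the sample is the kind of entry that a move to shadow passwords removes from the readable file.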