Verifies and corrects /etc/passwd file permissions to 644 with root ownership for CIS compliance
This Automox Worklet™ validates and enforces correct permissions on /etc/passwd, the file that contains user account information on Linux systems. The Worklet checks both the file permissions (should be 644) and ownership (should be root:root), and corrects any deviations.
The /etc/passwd file must be readable by all users because many system utilities query it for user information. It must be writable only by root to prevent unauthorized account modifications. This Worklet continuously monitors and enforces this security-critical configuration.
/etc/passwd contains user account information including usernames, user IDs, home directories, and default shells. When permissions on this file are too permissive, unauthorized users can modify account data, add malicious users, change user IDs to escalate privileges, or corrupt the file to cause authentication failures. While /etc/passwd does not contain password hashes on modern systems, corrupting this file can lock out legitimate users and enable privilege escalation attacks.
Security scanning tools and compliance frameworks check /etc/passwd permissions as a fundamental security control. CIS Benchmarks for Linux, STIG requirements, and security hardening guides specify that /etc/passwd must be owned by root with 644 permissions. Incorrect permissions generate critical findings in security audits and indicate poor system hardening practices.
Misconfigured deployment tools, manual system modifications, or inherited configurations from cloned images can create endpoints with incorrect /etc/passwd permissions. These misconfigurations persist silently until a security scan or audit reveals them. Administrators need automated remediation to correct permissions across their Linux fleet without manual login to each system.
Attackers who gain limited access to a Linux system often look for world-writable files in critical system directories. Incorrect permissions on /etc/passwd provide an immediate path to privilege escalation by allowing attackers to add root-equivalent accounts or modify existing account parameters.
Evaluation phase: Uses stat to read the current octal permissions, owner UID, and group GID of /etc/passwd. If permissions are not 644 or owner/group are not 0 (root), remediation is triggered.
Remediation phase: Rechecks permissions and applies corrections as needed: chmod 644 if permissions are wrong, chown root:root if ownership is wrong. Only modifies settings that are non-compliant.
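The two phases above, written out as an added bash example (not the Worklet's own script); it takes a file path so the logic can be tried on a scratch copy before /etc/passwd, and WORKLET_TARGET is an assumed environment variable used only to trigger a run:

```shell
#!/usr/bin/env bash
# Added example (not the Worklet's own code) of the stat-based evaluation and
# the chmod/chown remediation described above. Requires GNU stat (--printf).
# WORKLET_TARGET is an assumed environment variable that triggers a run.

EXPECTED_MODE=644

# Evaluation: report every deviation. Returns 0 if compliant, 1 if not,
# 2 if the file cannot be read.
passwd_evaluate() {
  file=${1:-/etc/passwd}
  mode=$(stat --printf '%a' "$file") || return 2   # octal mode, e.g. 644
  uid=$(stat --printf '%u' "$file")                 # owner UID, 0 = root
  gid=$(stat --printf '%g' "$file")                 # group GID, 0 = root
  rc=0
  if [ "$mode" != "$EXPECTED_MODE" ]; then
    echo "Non-compliant: $file mode is $mode, expected $EXPECTED_MODE"
    rc=1
  fi
  if [ "$uid" != 0 ] || [ "$gid" != 0 ]; then
    echo "Non-compliant: $file owner is $uid:$gid, expected 0:0 (root:root)"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "Compliant: $file is $mode owned by $uid:$gid"
  return "$rc"
}

# Remediation: touch only the settings that are non-compliant, then recheck.
passwd_remediate() {
  file=${1:-/etc/passwd}
  mode=$(stat --printf '%a' "$file") || return 2
  uid=$(stat --printf '%u' "$file")
  gid=$(stat --printf '%g' "$file")
  if [ "$mode" != "$EXPECTED_MODE" ]; then
    chmod "$EXPECTED_MODE" "$file" && echo "Fixed mode: $mode -> $EXPECTED_MODE"
  fi
  if [ "$uid" != 0 ] || [ "$gid" != 0 ]; then
    chown root:root "$file" && echo "Fixed owner: $uid:$gid -> root:root"
  fi
  passwd_evaluate "$file"   # exit status reports final compliance
}

# Run like the Worklet (evaluate, remediate only on failure) when asked.
if [ -n "${WORKLET_TARGET:-}" ]; then
  passwd_evaluate "$WORKLET_TARGET" || passwd_remediate "$WORKLET_TARGET"
fi
```

Note that stat without -L reports a symlink itself rather than its target, so point the script at the regular file.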
Linux endpoints with standard /etc/passwd file
stat command with --printf support
Root privileges for the Automox agent
Compatible with workstations and servers
The /etc/passwd file permissions are set to 644 (rw-r--r--). Root has read and write access, while all other users have read-only access. This matches CIS Benchmark recommendations and STIG requirements for Linux systems.
The file ownership is set to root:root. Only the root user can modify account information in /etc/passwd. Non-privileged users can still read the file to look up user information, home directories, and shell assignments, but cannot make changes.
You can verify the permissions by running 'ls -l /etc/passwd' on the endpoint. The output shows '-rw-r--r-- 1 root root' followed by the file size and modification date, confirming correct permissions and ownership.
Authentication and user lookup operations continue normally. Services that read /etc/passwd to determine user information, home directories, or shell settings operate without interruption. The permission change does not affect system functionality but closes a security gap that could enable unauthorized account modifications.
Run this Worklet on a pilot Linux endpoint and review the evaluation output for the /etc/passwd permission check.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to the evaluation script's logic, such as its exit code.
Validate the effects of the remediation script's chmod and chown operations, then rerun the evaluation to confirm compliance.
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.