I am trying to change the content of the /etc/shadow file but realize it is read only:

    sghk1> ls -l /etc/shadow
    -r-------- 1 root sys 4045 Aug 19 16:13 /etc/shadow

The /etc/shadow file permission is read only. In that case, how does /usr/bin/passwd change its contents? e.g. passwd -x 30 username

1 Answer
The root user in linux/unix systems can write to a file even if the write flag is not set. Therefore he can change the contents of /etc/shadow or any other file independent of its permissions.
The passwd utility has the setuid bit set. See with:
    ls -la /usr/bin/passwd

It should look like this:

    -rwsr-xr-x 1 root root 42824 Sep 13 2012 /usr/bin/passwd

Notice the s in the file owner permission. This indicates the setuid bit. If a normal user now executes the passwd utility, it is executed with the permission of the file owner; in this case root.
The setuid bit grants temporarily elevated privileges to run a specific task, such as changing things in system files, for example /etc/shadow or /etc/passwd.
The setuid bit must be handled with care. That mechanism can be used for several vulnerabilities if set on the wrong binary. Imagine the /bin/bash utility had the setuid bit set; then every user on the system could start a root shell!
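As an added example (not part of the answer above), here is a small POSIX shell script that checks a path for the setuid/setgid bits the answer describes and audits a directory tree for setuid files, which is how an administrator would baseline and review binaries like /usr/bin/passwd. It relies only on the POSIX `test -u` / `test -g` operators and `find -perm -4000`; the function names and the default directory /usr/bin are my own choices.

```shell
#!/bin/sh
# Added example: inspect and audit the setuid/setgid bits discussed above.
# Not code from the original question or answer.

# describe_special_bits PATH
#   Prints "setuid", "setgid", "setuid setgid" or "none" for PATH.
#   Uses the POSIX test operators -u (set-user-ID) and -g (set-group-ID).
describe_special_bits() {
  path="$1"
  [ -e "$path" ] || { echo "missing"; return 1; }
  bits=""
  [ -u "$path" ] && bits="${bits}setuid "
  [ -g "$path" ] && bits="${bits}setgid "
  [ -z "$bits" ] && bits="none "
  echo "${bits% }"          # strip the trailing space
  return 0
}

# audit_setuid [DIR]
#   Lists every regular file under DIR (default /usr/bin) with the setuid bit
#   set, one "ls -ld" line each, so mode, owner and path can be reviewed.
#   -xdev keeps find on one filesystem; -perm -4000 matches the setuid bit.
audit_setuid() {
  dir="${1:-/usr/bin}"
  find "$dir" -xdev -type f -perm -4000 -exec ls -ld {} \; 2>/dev/null
}

# count_setuid [DIR]
#   Prints the number of setuid files under DIR; handy for comparing a
#   current system against a previously recorded baseline.
count_setuid() {
  find "${1:-/usr/bin}" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# Usage when run directly:
#   describe_special_bits /usr/bin/passwd   -> setuid (on a typical system)
#   audit_setuid /usr/bin                   -> one line per setuid binary
if [ "${0##*/}" = "setuid_audit.sh" ]; then
  describe_special_bits /usr/bin/passwd
  audit_setuid /usr/bin
fi
```

Running `audit_setuid` periodically and diffing its output against a stored baseline is a simple way to notice a newly setuid binary such as the hypothetical setuid /bin/bash the answer warns about.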