[shared] When checking permissions on /etc/group and /etc/passwd files, don't require exactly 0644 mode, but allow also systems having stronger file permissions on these files to meet the tests (IOW make 0644 mode the minimal safe requirement). Please review. Thank you && Regards, Jan -- Jan iankko Lieskovsky / Red Hat Security Technologies Team _______________________________________________ scap-security-guide mailing list scap-security-guide(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

----- Original Message ----- > >From: "Trevor Vaughan" > >Sent: Wednesday, April 9, 2014 2:45:05 AM > > > >I thought that, functionally, /etc/passwd and gorup needed to be 0644 for > >most applications to function correctly. Things may have changed since the > >last time I tried it but I seem to remember PAM not being able to find my > >home directory when I tried to do this once before. AFAICT world-readable permissions are still required on/etc/{passwd,group} majority of the tools to work properly on multi-user accounts system. I don't have the data for RHEL system instances, but at least for Fedora there seems to be use cases where there's just one / root user account on the system: https://lists.fedoraproject.org/pipermail/devel/2014-April/197361.html (FreeIPA / LDAP case) https://lists.fedoraproject.org/pipermail/devel/2014-April/197354.html (VM case) Not sure how much likely it is some organization would want to use group delegation on Red Hat Enterprise Linux: https://lwn.net/Articles/487620/ http://adam.younglogic.com/2011/09/group-delegation-in-unix/ (but theoretically it's possible). So agree that the proposal would cover minority of product instances (if any). But from the principle if the user / organization wanted the permissions to be stronger (having the groups listing managed via setuid-ed vigroup or some other way) I think SCAP content should allow them to do this / count with this use-case too.