[rsbac] Restricting /etc/passwd & /etc/shadow from root...

Chirag Pandya cpandya at gmail.com
Sat Mar 25 14:18:45 CET 2006

> How do I restrict /etc/passwd & /etc/group file from root and allow
> access only to "useradd" and "userdel" programs ? Which Model is
> recommended for this ? FF / RC / MAC ? Please let me know the details of
> doing the same.

If possible, use the RSBAC User Management scheme, it avoids all the
/etc/passwd, /etc/shadow complications as discussed by Amon in a
previous thread and also found here:

If you still want to use /etc/passwd scheme, try using RC model to
protect it.  Create and assign a new TYPE to /etc/passwd, /etc/shadow
files.  Define compabilities such that root role can only READ these
files.  Create a new ROLE that has write permissions to this new TYPE.
 Now assign this force role to useradd, usermod ... commands.

Hope this helps,


More information about the rsbac mailing list