The default permissions on Ubuntu (or even some BSD) distributions for the /etc/passwd file are 644.

It is pointed out in questions like this that /etc/passwd is a sort of user database and it is convenient to make it universally readable.

But this file may also contain (possibly) sensitive information about the users in the GECOS field. Shouldn't this information be protected anyway?

Or is there another way (newer than GECOS) to store and secure this kind of data?

BowPark

3 Answers

The personal data in /etc/passwd is user names, office locations and phone numbers. That's the 1970s version of the company phonebook. When Unix was designed, it was expected that people who have an account on the same machine would be members of the same organization (colleagues, fellow students, etc.).

If you don't want your users to have access to that kind of information, don't store it in the user database. Users can edit their personal information with the chfn command.

If you don't want your users to know anything about other users, including not allowing them to list the user accounts, set up a separate virtual environment for each user.

Gilles 'SO- stop being evil'

I would have to agree. /etc/passwd has not contained very sensitive data for a while now. I believe /etc/shadow is where lots of data that needs to be protected should be stored.

Ramesh
Reaper23
  • The shadow file is like the main passwd file, but stores the actual passwords (in a hashed and salted form). I don't know if there's anything else you can hide in shadow - I think all other information in passwd goes into the main file that's readable to all local users. – Lassi Aug 12 '19 at 14:40
There are multiple newer ways to store this kind of data, including but not limited to LDAP and NIS. The question you have to ask is why there's private information in /etc/passwd in the first place.

John
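An added example (not part of the original question or any of the answers above) that ties Gilles's point about GECOS and chfn to John's point about LDAP/NIS: a small shell audit that reads passwd(5)-format lines, splits the GECOS field into the subfields chfn(1) writes (full name, room, work phone, home phone), and reports every account that exposes more than a display name. Fed from `getent passwd` instead of `/etc/passwd`, the same report covers accounts served by LDAP or NIS through NSS, which any local user can query just as easily. The sample accounts, names and phone numbers are constructed for the example; the `--live` switch and the function names are my own, not a tool from the thread.

```shell
#!/bin/sh
# Added example: report what the GECOS field of each account exposes, so
# you can decide whether it belongs in a world-readable user database.
# Works on /etc/passwd directly or on the merged NSS view from
# `getent passwd`, which also includes LDAP/NIS-backed accounts.

# Constructed sample in passwd(5) format; accounts and numbers are made up.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,Room 101,+1-555-0100,+1-555-0199:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example,,,:/home/bob:/bin/zsh
carol:x:1002:1002::/home/carol:/bin/sh'

# gecos_report: read passwd-format lines on stdin and print one line per
# account whose GECOS field carries more than a bare name:
#   user<TAB>name<TAB>room<TAB>work_phone<TAB>home_phone
# The subfield layout (name,room,work phone,home phone[,other]) is the one
# chfn(1) writes and finger(1) reads.
gecos_report() {
    awk -F: '
        {
            split($5, g, ",")
            name = g[1]; room = g[2]; work = g[3]; home = g[4]
            # Only report accounts with something beyond the display name.
            if (room != "" || work != "" || home != "")
                printf "%s\t%s\t%s\t%s\t%s\n", $1, name, room, work, home
        }'
}

# count_phone_exposures: number of accounts whose GECOS holds a phone number.
count_phone_exposures() {
    gecos_report | awk -F'\t' '$4 != "" || $5 != "" { c++ } END { print c+0 }'
}

# passwd_mode: octal permission bits of a file (GNU stat first, BSD stat as fallback).
passwd_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

if [ "${1:-}" = "--live" ]; then
    # Audit the real system: the NSS view also includes LDAP/NIS accounts.
    printf 'mode of /etc/passwd: %s\n' "$(passwd_mode /etc/passwd)"
    getent passwd | gecos_report
else
    # Default: run against the constructed sample (reports only alice).
    printf '%s\n' "$SAMPLE_PASSWD" | gecos_report
fi
```

Run it with no arguments to see the sample report, or with `--live` to audit the machine you are on. Of the sample accounts only alice is flagged: bob's GECOS has the commas chfn leaves behind but every subfield is empty, and carol's is blank. For a flagged account the fix is the one Gilles gives: clear the room and phone subfields with chfn (the option letters differ between the util-linux and shadow-utils versions, so check chfn(1) on your system) rather than tightening the mode of /etc/passwd, which would break every program that resolves UIDs to names.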