30

If a person has root access to a particular RHEL machine, will they be able to retrieve the password of the other users?

1
  • 4
    Yes you can, they can share it with you being asked nicely :) in other words, your question is not precisely put. Commented Apr 9, 2012 at 8:55

4 Answers

45

TL;DR: No, passwords are stored as hashes, which (in general) cannot be recovered.

Linux doesn't store plain-text passwords anywhere by default.  They are hashed or otherwise encrypted through a variety of algorithms.  So, in general, no, this isn't possible with stored data.

If you have passwords stored somewhere other than the /etc/passwd database, they may be stored in a way that allows this.  htpasswd files can contain weakly encrypted passwords, and other applications may store weaker hashes or plain-text passwords for various (typically bad) reasons.

Also, user configuration files may contain unencrypted passwords or weakly protected passwords for various reasons – fetchmail grabbing content from another service, .netrc, or simple automated things may include the password.

If the passwords are hashed or encrypted with an older, weak algorithm (e.g., 3DES, MD5), it would be possible to work out reasonably efficiently / cheaply what the password was – albeit through attacking the data rather than just reversing the transformation. (e.g., things like http://project-rainbowcrack.com/ or http://www.openwall.com/john/)

Since you are root, it is also possible to attack the user password at another level – replace the login binary, or sudo, or part of PAM, etc., with something that will capture the password when it is entered.

So, in specific, no, but in general having root access does make it easier to get at the users' details through various side channels.

2
  • 1
    More info at Wikipedia: /etc/shadow, cryptographic hash function, salt and password cracking Commented Apr 9, 2012 at 11:47
  • 2
    This is a good answer for the most part, however 3DES and MD5 are not in fact significantly weaker than other algorithms. Brute force is still the only method to find a password from a hash (rainbow tables are a way to accelerate brute force methods for any algorithm, not a weakness of MD5). What improves a hash method for passwords is that it's slow and using a long enough salt. Commented Apr 10, 2012 at 0:30
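As an added example (not part of the original answer), a small Python audit that classifies each /etc/shadow password field by its crypt(3) prefix and flags the fast or legacy formats that make cracking cheap (traditional DES, md5crypt, and empty fields). The shadow lines are constructed, with placeholder hash bodies rather than real digests.

```python
import re

# crypt(3) prefix -> (algorithm, cheap_to_brute_force). True marks fast or
# unsalted legacy formats; the rest are slow, salted password KDFs.
PREFIXES = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False), "$6$": ("sha512crypt", False),
    "$7$": ("scrypt", False), "$y$": ("yescrypt", False), "$gy$": ("gost-yescrypt", False),
}

def classify_hash(field):
    """Return (algorithm, weak) for the second field of a shadow line."""
    if field == "":
        return ("empty (no password required)", True)
    if field.startswith(("!", "*")):            # locked or disabled account
        return ("locked/disabled", False)
    for prefix, (name, weak) in PREFIXES.items():
        if field.startswith(prefix):
            return (name, weak)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):  # traditional 13-char DES crypt
        return ("traditional DES", True)
    return ("unknown format", True)              # unrecognised: report it as a finding

def audit_shadow(text):
    """Parse shadow-format text; return [(user, algorithm, weak), ...]."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        alg, weak = classify_hash(parts[1])
        findings.append((parts[0], alg, weak))
    return findings

def weak_users(text):
    return [user for user, _, weak in audit_shadow(text) if weak]

# Constructed sample; the hash bodies after the salt are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$NaClNaCl$PLACEHOLDERHASH:19092:0:99999:7:::
alice:$y$j9T$NaClNaCl$PLACEHOLDERHASH:19092:0:99999:7:::
legacy:$1$NaClNaCl$PLACEHOLDERHASH:15000:0:99999:7:::
olddes:abJnggxhB/yWI:12000:0:99999:7:::
svc::19092:0:99999:7:::
nobody:*:19092:0:99999:7:::
"""
```

Running `weak_users(SAMPLE_SHADOW)` on the sample returns `legacy`, `olddes` and `svc`; on a real system, any such account should be moved to the distribution's default slow hash (on current RHEL, sha512crypt or yescrypt via authselect/PAM) at the next password change.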
16

In contrast to some other answers here, I'd say that the simple answer, to this and many other questions which end with "if you have root" is YES.

Basically, root can do anything on the machine that the system itself can do. The system can accept your password, so root can accept your password, or his own in place of yours, with enough effort. More importantly, he can simply change your password, or BECOME you.

Specifically, passwords are usually encrypted. This is usually some sort of so-called "one-way" algorithm, which generates a number (a hash) which can be used to check the password, but generally not to reverse the number and get the password back again. So, it's not a matter of just reading a file to get someone's password.

That said, you CAN read their shell history, and the login history, where they've most likely typed their password instead of their username at some point, or typed it in a shell instead of at a password prompt. In that case, it WOULD be plain text. This is disturbingly common on text-based terminals, with no good solutions that I know of.

However, even setting that issue aside, the "one-way" encryption is not really one way. There are plenty of tools around that will go through many combinations of passphrases, encrypting them with the same one-way process, until they find one that matches. They then know the password that will gain access (although as root, they ALREADY have access, on THAT machine).

Worse, there are rainbow tables, which are precomputed answers to the above process: people have already generated the original password that comes from the given encrypted password. Using these, it's a simple lookup -- no time-consuming cracking attempts required.

Again, root-level access is THE thing to protect. With that compromised, the entire machine, and everything on it is compromised. It's time to start over, including informing all your users that your business can no longer be trusted to protect their privacy. And, yes, that could mean going out of business.

4
  • Getting access to my account is different than getting my password. If you allow me a user login to your machine and I (stupid but common) use the same password for all machines, you do not have access to all machines just b/c you can change my password on your machine. I just get locked out of one account. Commented Apr 22, 2012 at 1:25
  • In addition, if you use encrypted file systems for sensitive data, root access compromise does not imply time to start over. Commented Apr 22, 2012 at 1:27
  • @emory If you use encrypted file systems and the system is root compromised, then can you trust the code that deals with the encrypted file system, reads the encryption passphrase, etc.? I would say that you can't, because by definition, a root-privilege compromise means everything on the system (right down to the kernel) is up for grabs. Commented Aug 10, 2013 at 14:27
  • @MichaelKjörling Can I trust the code that deals with the encrypted file system? In most cases, no. In my case, yes. It is housed on read-only media. Root can not write to it. Logs go to a WORM drive. Just the same, I am not handing out the keys to root and probably would start over. Commented Aug 14, 2013 at 23:00
8

If you have root then you can run a password cracker against /etc/shadow (assuming local passwords and not LDAP or Kerberos, etc.). This may not be effective if they choose good passwords and the system is configured to use strong password hashing. But system passwords are not stored in plaintext; passwords are not directly available even to root.

5

All the passwords are stored in the /etc/shadow file. You can open this file using root access and see the hash value of these passwords for each user (even the root user).

Unless you have some kind of password decrypting software, you can't convert these hash values back to normal text.

But still, if you have access to the root user, you can change any normal user's password by using the following command and access their account.

root@localhost$ passwd pradeep

This will ask you for the new passwd which you want to set for user pradeep. This way you can change passwd for pradeep.

Now you can access from his account by :

root@localhost$ su pradeep

This will result in switching to pradeep user and you will get a terminal like this:

pradeep@localhost$

1
  • 1
    you can do "su pradeep" even without changing pradeep's password, because when you do "su pradeep" as the root user you don't need to type pradeep's password to log in... Commented Apr 12, 2012 at 18:35
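As an added example (not from this answer), a Python detector that walks auth log lines for exactly the two actions described above, root resetting another user's password and root switching into that account with su, so a defender can alert on them rather than discover them after the fact. The log lines are constructed samples in the syslog format written by shadow-utils passwd and util-linux su; the host, PIDs and timestamps are made up.

```python
import re

# Constructed sample auth log (host, PIDs and timestamps are invented).
SAMPLE_AUTH_LOG = """\
Apr 12 18:30:01 rhel6 passwd[2210]: password for 'pradeep' changed by 'root'
Apr 12 18:31:12 rhel6 su[2215]: (to pradeep) root on pts/0
Apr 12 18:31:12 rhel6 su[2215]: pam_unix(su:session): session opened for user pradeep by root(uid=0)
Apr 12 18:40:03 rhel6 su[2290]: (to root) alice on pts/1
Apr 12 18:41:00 rhel6 passwd[2301]: password for 'alice' changed by 'alice'
"""

# shadow-utils passwd(1): "password for 'TARGET' changed by 'ACTOR'"
PASSWD_RE = re.compile(
    r"passwd\[\d+\]: password for '(?P<target>[^']+)' changed by '(?P<actor>[^']+)'")
# util-linux su(1): "(to TARGET) ACTOR on TTY"
SU_RE = re.compile(r"su\[\d+\]: \(to (?P<target>\S+)\) (?P<actor>\S+) on (?P<tty>\S+)")

def detect_root_impersonation(log_text):
    """Return (kind, target, line) for each event where root reset another
    user's password or switched into that user's account via su."""
    alerts = []
    for line in log_text.splitlines():
        m = PASSWD_RE.search(line)
        if m and m["actor"] == "root" and m["target"] != "root":
            alerts.append(("password_changed_by_root", m["target"], line))
            continue
        m = SU_RE.search(line)
        if m and m["actor"] == "root" and m["target"] != "root":
            alerts.append(("su_from_root", m["target"], line))
    return alerts
```

Ordinary privilege escalation (a user doing `su` to root) and users changing their own passwords deliberately produce no alert here; on a system where root is never expected to act as another user, both alert kinds warrant follow-up.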
