/etc/passwd or /etc/groups file system permissions always revert to 644
Article ID: 35792

Products

CA Privileged Access Manager - Server Control (PAMSC) CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

After modifying a Unix user account through a PIM/PAMSC endpoint, the permissions of /etc/passwd or /etc/groups, /etc/shadow, /etc/gshadow, et al. are changed to 644.

For example:

# grep Attrs /etc/seos.ini 
SavePasswdAttrs = no
SaveGroupAttrs = no

# ls -lh /etc/gshadow  
----------. 1 root root 485 Jul 16  2021 /etc/gshadow

# selang -s -c "join shadowtest group(lodadmin) unix"       
(localhost)
Successfully joined USER shadowtest to group lodadmin
(localhost)
Unix :
======
Successfully updated GROUP lodadmin

# ls -lh /etc/gshadow                               
-rw-r--r--. 1 root root 495 Apr 28 14:59 /etc/gshadow

Environment

Privileged Identity Manager 12.8 Linux endpoints
PAM Server Control 14.0, 14.1 Linux endpoints

Cause

The behavior is dictated by the following tokens in the seos.ini config file. In older PIM/PAMSC builds, the default value was no. However, engineering changed the default to yes in newer builds.

; If this token is set to "Yes", then after an update of a user in the UNIX 
; environment, the previous password file owner, group, and mode are preserved.
; Otherwise, the new values are set to 0, 0, 644 respectively.
; Valid values are "yes" or "no".
; Default Value: yes
SavePasswdAttrs = no

; If this token is set to "Yes", then after an update of a group in the UNIX 
; environment, the previous group file owner, group, and mode are preserved. 
; Otherwise, the new values are set to 0, 0, 644 respectively.
; Valid values are "yes" or "no".
; Default Value: yes
SaveGroupAttrs = no

Resolution

Stop the endpoint, set both tokens in seos.ini to yes, then start the endpoint again. Subsequent user and group updates will no longer modify the file permissions.
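The following POSIX shell script is an added example, not part of the Broadcom article and not a PIM/PAMSC tool. It does two things a defender would want after applying the fix: it reads the SavePasswdAttrs and SaveGroupAttrs tokens out of seos.ini (assuming the `Key = value` layout with `;` comment lines shown above) and it checks that the shadow databases carry no group/other permission bits, which is what the endpoint's 644 reset would violate. The file paths and token names are taken from the article; the check parses the mode string of `ls -ld`, so it works on the same output the article shows.

```shell
#!/bin/sh
# Added example (not from the article): audit seos.ini Save*Attrs tokens and
# verify that shadow files were not reset to 644 after a PIM/PAMSC update.
# Assumptions: seos.ini uses "Key = value" lines and ";" comments; file modes
# are read from the first field of "ls -ld" (the trailing SELinux "." is ignored).

# Print a seos.ini token value, lower-cased. Usage: seos_token <ini> <token>
seos_token() {
    awk -v key="$2" '
        /^[[:space:]]*;/ { next }                  # skip comment lines
        /=/ {
            split($0, kv, "=")
            k = kv[1]; gsub(/[[:space:]]/, "", k)
            if (tolower(k) == tolower(key)) {
                v = kv[2]; gsub(/[[:space:]]/, "", v)
                print tolower(v); exit
            }
        }' "$1"
}

# Return 0 only if both tokens are "yes" (the value the Resolution requires).
seos_attrs_ok() {
    [ "$(seos_token "$1" SavePasswdAttrs)" = "yes" ] &&
    [ "$(seos_token "$1" SaveGroupAttrs)" = "yes" ]
}

# Return 0 if an ls-style mode string (e.g. "----------." or "-rw-------")
# grants nothing to group or other, i.e. characters 5..10 are all "-".
perm_string_ok() {
    case "$(printf '%s' "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Return 0 if the file on disk passes perm_string_ok; 1 if it is missing
# or readable by group/other (the 644 symptom described in the article).
shadow_mode_ok() {
    [ -e "$1" ] || return 1
    perm_string_ok "$(ls -ld "$1")"
}

# Audit shadow-type files only: /etc/passwd and /etc/group are legitimately
# 644, so they are not checked here. Prints one line per file; returns 1 if
# any file is group/other accessible.
audit_shadow_files() {
    rc=0
    for f in "$@"; do
        if shadow_mode_ok "$f"; then
            echo "OK   $f"
        else
            echo "WARN $f is group/other accessible: $(ls -ld "$f" 2>/dev/null | cut -c1-10)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage on an endpoint (paths from the article):
#   seos_attrs_ok /etc/seos.ini || echo "seos.ini still has a Save*Attrs token set to no"
#   audit_shadow_files /etc/shadow /etc/gshadow
```

Run it before and after a `selang ... join ...` operation, as the article does with `ls -lh`, and again after the next endpoint restart: a WARN line on /etc/gshadow means the tokens did not take effect. Because seos_attrs_ok reads the file rather than the running endpoint, a yes in seos.ini is only meaningful after the endpoint has been restarted.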

In a lab environment, this was confirmed with the following test.

# grep Attrs /etc/seos.ini 
SavePasswdAttrs = yes
SaveGroupAttrs = yes

# ls -lh /etc/gshadow   
----------. 1 root root 495 Apr 28 15:01 /etc/gshadow

# selang -s -c "join shadowtest group(lodadmin) unix"
(localhost)
ERROR: Failed to fetch data for GROUP lodadmin
(localhost)
Unix :
======
Successfully updated GROUP lodadmin

# ls -lh /etc/gshadow
----------. 1 root root 495 Apr 28 15:03 /etc/gshadow

Additional Information

For more information about the [passwd] section of seos.ini, refer to the following documentation link.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager-server-control/14-1/reference/configuration-files/the-seos-ini-initialization-file/passwd.html