Yesterday we implemented a security system on our CODE server and this morning I got an alert because the command
ln -f /etc/passwd /opt/cool/systemplate/etc/passwd was run as the root user.
Now what I got from the documentation is that this systemplate directory is rebuilt with each packet update. However when this command was run, there wasn’t anyone doing anything on the server, so I’m kinda confused.
Long story short: On which occasions are these symlinks performed? Is this usual behaviour from the coolwsd service?
Thanks in advance
Ah - that’s not a symlink, but a hard-link. So the file should then appear in the system and in the jail. I expect we need /etc/passwd to have some understanding of the uids etc. although I’m not entirely sure why it’s necessary. However /etc/passwd has for decades not had 1-way-hashed passwords in it - they are in /etc/shadow which we don’t need in the jail. So I would suggest this is not an issue.
And yes - it’s normal behaviour =) but thanks for checking!
Thanks a lot for your quick reply
I saw that the passwd file actually doesn’t contain any passwords, but your point regarding the uids definitely does make sense now.
So case is closed - thanks again and have a great day!
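To confirm the two points from the reply when triaging an alert like this one (the jail file is a hard link rather than a symlink, and the passwd file carries no password hashes), here is an added example that is not part of the original thread or of the coolwsd code. The function names, the temporary file names and the sample passwd lines are constructed for illustration.

```python
import os
import stat
import tempfile

# Second-field values that mean "no hash stored here" (x = look in /etc/shadow).
PLACEHOLDERS = {"x", "*", "!", "!!"}

def link_kind(src, dst):
    """Return 'symlink', 'hardlink' or 'separate' for dst relative to src."""
    dst_info = os.lstat(dst)              # lstat: do not follow a symlink at dst
    if stat.S_ISLNK(dst_info.st_mode):
        return "symlink"
    src_info = os.stat(src)
    same_inode = (src_info.st_dev, src_info.st_ino) == (dst_info.st_dev, dst_info.st_ino)
    return "hardlink" if same_inode else "separate"

def exposed_password_fields(passwd_path):
    """Map account name -> 'hash' or 'empty' for entries not using a placeholder."""
    findings = {}
    with open(passwd_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) < 7 or line.startswith("#"):
                continue                  # skip malformed or comment lines
            name, pw = fields[0], fields[1]
            if pw == "":
                findings[name] = "empty"  # account needs no password at all
            elif pw not in PLACEHOLDERS:
                findings[name] = "hash"   # a hash (or other secret) is in the file
    return findings

def demo():
    """Run both checks on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        system = os.path.join(tmp, "passwd")       # stands in for /etc/passwd
        jail = os.path.join(tmp, "jail_passwd")    # stands in for the jail path
        soft = os.path.join(tmp, "soft_passwd")
        with open(system, "w", encoding="utf-8") as fh:  # constructed sample content
            fh.write("root:x:0:0:root:/root:/bin/bash\n"
                     "cool:x:998:998::/opt/cool:/usr/sbin/nologin\n"
                     "legacy:$6$constructed$notarealhash:1001:1001::/home/legacy:/bin/sh\n")
        os.link(system, jail)             # what `ln -f` without -s creates
        os.symlink(system, soft)          # what `ln -s` would create instead
        return (link_kind(system, jail), link_kind(system, soft),
                os.stat(system).st_nlink, exposed_password_fields(jail))

if __name__ == "__main__":
    print(demo())
```

On a real host, pass /etc/passwd and the jail path from the alert to link_kind and exposed_password_fields; an empty result from the second function means every account uses a placeholder.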