Actual password hashes are stored in /etc/shadow, which is not readable by regular users. /etc/passwd holds other information about user ids and shells that must be readable by all users for the system to function.

Typically, the hashed passwords are stored in /etc/shadow on most Linux systems. (They are stored in /etc/master.passwd on BSD systems.)

Programs that need to perform authentication still need to run with root privileges.

If you dislike the setuid root programs and one single file containing all the hashed passwords on your system, you can replace it with the Openwall TCB PAM module. This provides every single user with their own file for storing their hashed password -- as a result the number of setuid root programs on the system can be drastically reduced.

Passwords haven't been stored in /etc/passwd for years now; the name is legacy, the function of being the local user database remains and it must be readable by all for that purpose.

To some extent it is, as you can identify users. In the past you could also pick up their passwords. However, the one userid really worth cracking is root which is well known without the password file.

The utility of having the password file world readable generally far outweighs the risk. Even if it weren't world readable, a functioning getent passwd command would render the security gain void.

The ability for non-root users to identify files owned by others would disappear. Being able to identify owned (user in passwd file) and unowned files (user not in passwd file) can be useful in reviewing the contents of a file system. While it would be possible to resolve this with appropriate setuid programs, that would add a huge attack vector via those programs.

In the end it is a matter of balance, and in this case I would say the balance is firmly on having password world readable.
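As an added illustration (not code from any of the answers above), the script below parses a constructed /etc/passwd sample, flags any entry whose password field is not the shadow placeholder "x" (a hash or empty password left in the world-readable file), and maps file-owner uids to names to separate owned from unowned files, the review use the last answer describes. The sample passwd text and the file-owner table are constructed, not taken from a real system.

```python
# Constructed sample of /etc/passwd (7 colon-separated fields per entry).
# The "legacy" entry deliberately carries a hash instead of "x".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$constructedsalt$constructedhashvalue:1001:1001:Legacy:/home/legacy:/bin/sh
"""

# Constructed table of file path -> owner uid, as returned by os.stat().st_uid.
SAMPLE_OWNERS = {"/home/alice/notes": 1000, "/tmp/stale": 1002, "/etc/shadow": 0}


def parse_passwd(text):
    """Return ({name: uid}, [names whose password field is not 'x']).

    On a shadow-enabled system every entry should carry 'x' in field 2;
    anything else means a hash or an empty password sits in a file that
    every local user can read.
    """
    users, not_shadowed = {}, []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip rather than guess
        name, pw_field, uid = fields[0], fields[1], int(fields[2])
        users[name] = uid
        if pw_field != "x":
            not_shadowed.append(name)
    return users, not_shadowed


def classify_owners(owner_uids, users):
    """Map each path's owner uid to a user name via the passwd data.

    Paths whose uid has no passwd entry are 'unowned', which is the
    file-system review case the answer above refers to.
    """
    by_uid = {uid: name for name, uid in users.items()}
    owned = {p: by_uid[u] for p, u in owner_uids.items() if u in by_uid}
    unowned = sorted(p for p, u in owner_uids.items() if u not in by_uid)
    return owned, unowned


if __name__ == "__main__":
    users, not_shadowed = parse_passwd(SAMPLE_PASSWD)
    print("entries not deferred to /etc/shadow:", not_shadowed)
    print("owned/unowned:", classify_owners(SAMPLE_OWNERS, users))
```

To run it against a live host, read /etc/passwd (or the output of getent passwd, which also covers non-file user databases) and build the owner table from os.stat() on the paths you want to review.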