What prevents me from just editing the /etc/shadow file in unencrypted systems?
What prevents me from just editing the /etc/shadow file in unencrypted systems?
Nothing, there is no specific protection for /etc/shadow
. Some systems might have tampering detection, so the system administrator would know that /etc/shadow
was changed (unless you also overrode the tampering detection, typically by updating it so it considered your modified /etc/shadow
as correct), but nothing stops you from editing files in an unencrypted file system.
Encrypting the drive (or the partition holding /etc/shadow
) is sufficient to prevent such attacks, but not to prevent more sophisticated attacks. Full protection against attacks involving physical access is still not quite there, although Secure Boot and TPM measurements do make successful attacks much harder.
You can edit it directly, but making a wrong entry can cause damage to the OS, even making it inoperable which is why the program vipw
(with -s flag) loads a temporary copy to make edits in and checks the syntax before saving and overwriting it.