Overview
/etc/passwd defines user accounts. If writable, you can add a root-level user or modify existing entries. Even read access helps — password hashes may still be stored here on older systems.
Check Permissions
/etc/passwd Format
| Field | Example | Notes |
|---|---|---|
| username | root | Login name |
| password | x | x = hash in /etc/shadow. If actual hash here, it takes priority |
| UID | 0 | 0 = root |
| GID | 0 | 0 = root group |
| comment | root | GECOS field |
| home | /root | Home directory |
| shell | /bin/bash | Login shell |
Generate Password Hash
OpenSSL
mkpasswd
Python
Add Root User
Writable /etc/passwd
One-liner
Add User Without Password
Modify Existing User to Root
Change UID/GID of current user to 0:Overwrite Root Password
Replacex with actual hash — bypasses /etc/shadow:
Remove Root Password
Read-Only /etc/passwd (Hash Cracking)
Even without write access, if hashes are in /etc/passwd (notx):
Via Other Write Primitives
SUID cp
Capability cap_dac_override
NFS no_root_squash
Polkit — CVE-2021-3560
Exploit polkit race condition to create privileged user.Check Vulnerable
Affected Systems
- Ubuntu 20.04
- Debian 11
- Fedora 33
- CentOS 8