Technically you want /etc/shadow as that is where the actual hashes are stored.
On a Linux system usually any user has at least read access to /etc/passwd but only root has /etc/shadow.
This attack would presume that you already have either physical access to the disk or you have already compromised the machine remotely to basically root or admin type level.
Of course being able to get the actual passwords of users would be useful to an attacker because they might be able to use them to elevate from access to one system to potentially other systems where users might well be using the same password.
Not sure how drive encryption with Truecrypt would work in this case. I presume password hashes are stored outside of the encrypted part otherwise every user would have to enter the volume key before they signed in regardless of their access level. Which would mean distributing the volume key widely.
Truecrypt is also vulnerable in the sense that it is often possible to grab the volume key straight out of DRAM if the computer is on or has only recently been switched off.
On a Linux system usually any user has at least read access to /etc/passwd but only root has /etc/shadow.
This attack would presume that you already have either physical access to the disk or you have already compromised the machine remotely to basically root or admin type level.
Of course being able to get the actual passwords of users would be useful to an attacker because they might be able to use them to elevate from access to one system to potentially other systems where users might well be using the same password.
Not sure how drive encryption with Truecrypt would work in this case. I presume password hashes are stored outside of the encrypted part otherwise every user would have to enter the volume key before they signed in regardless of their access level. Which would mean distributing the volume key widely.
Truecrypt is also vulnerable in the sense that it is often possible to grab the volume key straight out of DRAM if the computer is on or has only recently been switched off.