
Re: [cobalt-developers] AWStats



On Tue, 2002-08-20 at 05:38, Zeffie wrote:
> > So saying using /bin/su over su due to security issues is a little off
> > track. I understand your point, but really by the time they can put a
> > trojan version on your machine you are already sool. So at that point
> > you must ask yourself, can they only affect that user, or all?
> > William L. Thomson Jr.
> 
> Not true.
> 
> our path (raq4)
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
> 
> Let's say someone finds/makes a hole in one of our services that run as root

First problem: no service, especially no public service, should run as
root.

> or even the command "passwd" and all they can do is make a file...  they
> cannot overwrite for whatever reason...  now... all they have to do is make
> that file in /usr/local/sbin or /usr/local/bin or /sbin and call it su

In that scenario where they can only make a file, placing a symlink in
/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin all to
/bin/su would resolve that worry or problem. Although usually if they
can make a file they can do much more than that, so I am not too sure how
likely that scenario is.

> Next time you "su" and depend on the path...  you send the passwd out in the
> mail.  and you think you're locked out...  hey ... no root for you...  (until
> you run the real /bin/su)  and shortly you will have visitors... with root
> access.

I see where you are going with that, but at that point you should be
aware that you have been exploited and are taking measures to restore
security. If you prevent them from playing around with or installing a
modified su, then they will just look to something else.

So sure, by using an absolute path to su (/bin/su) you may think they
can't get your password, but where there is a will there is a way.

If they have access to your file system getting a copy of your password
files, /etc/passwd, /etc/shadow would be enough for them to crack your
passwords. There are many programs out there that can read and display
the passwords. Some will take a while depending on the algorithm.

The real issue at hand is keeping them out of the system(s). Once they
have access it's just a matter of time. So using /bin/su may slow them
down, but that will not stop them.

So I do not consider it to be a security measure. More like once the
boat has sprung a leak try to keep the leak in one part. I would rather
fix the leak, or prevent a leak from occurring with proper maintenance.

Basically security after the fact of an exploit is not really security.
Security should prevent the exploit from occurring.

Now if you want to prevent this scenario, it's simple: install tripwire.
Dial it in, and you will know whenever a file is modified, created,
etc. Then you will be able to respond as it's happening instead of
falling victim after the fact. That would be a better security measure
than saying only use /bin/su instead of su.

-- 
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone  707.766.9509
Fax    707.766.8989
http://www.obsidian-studios.com
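The three ideas argued over in this thread (a shell picking up a planted `su` from a PATH directory searched before /bin, the symlink pre-seeding suggested as a workaround, and a tripwire-style baseline that flags the new file) can be shown side by side in a small script. This is an added example, not code from the thread or from Cobalt; it uses the RaQ4 PATH quoted above, builds a throwaway directory tree standing in for `/` so nothing on the real system is touched, and the "genuine" and "planted" `su` files are constructed stand-ins.

```python
"""PATH shadowing, symlink pre-seeding and a minimal integrity baseline (constructed demo)."""
import hashlib
import os
import tempfile
from pathlib import Path

# PATH quoted in the thread for the RaQ4.
RAQ4_PATH = ("/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:"
             "/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin")


def resolve_command(name, path_value, root):
    """Emulate the shell's PATH search: first executable file wins, left to right.
    `root` stands in for /; the returned path is the real file, symlinks followed."""
    real_root = Path(os.path.realpath(root))
    for d in path_value.split(":"):
        if not d:
            continue
        candidate = Path(root) / d.lstrip("/") / name
        if candidate.is_file() and os.access(candidate, os.X_OK):
            return "/" + Path(os.path.realpath(candidate)).relative_to(real_root).as_posix()
    return None


def shadowing_dirs(trusted, path_value):
    """Directories searched before `trusted`; a file created in any of them shadows it."""
    seen = []
    for d in path_value.split(":"):
        if d == trusted:
            break
        if d and d not in seen:
            seen.append(d)
    return seen


def snapshot(root):
    """Tripwire-style baseline: SHA-256 of every regular file under root, keyed by absolute path."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            if p.is_file() and not p.is_symlink():
                digests["/" + p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def compare(before, after):
    """Return (added, modified, removed) path lists between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, modified, removed


def create_only(root, path, content):
    """Model the thread's 'can only make a file, cannot overwrite' attacker: exclusive create."""
    target = Path(root) / path.lstrip("/")
    target.parent.mkdir(parents=True, exist_ok=True)
    with open(target, "x") as fh:      # raises FileExistsError if anything is already there
        fh.write(content)
    target.chmod(0o755)


def build_root(root):
    """Constructed system: a genuine /bin/su plus every PATH directory, otherwise empty."""
    create_only(root, "/bin/su", "#!/bin/sh\necho genuine\n")
    for d in RAQ4_PATH.split(":"):
        (Path(root) / d.lstrip("/")).mkdir(parents=True, exist_ok=True)


def demo_shadowing():
    """Planted su in /usr/local/sbin wins the PATH search; the baseline diff reports it."""
    with tempfile.TemporaryDirectory() as root:
        build_root(root)
        before = snapshot(root)
        first = resolve_command("su", RAQ4_PATH, root)
        create_only(root, "/usr/local/sbin/su", "#!/bin/sh\necho planted\n")
        added, modified, removed = compare(before, snapshot(root))
        second = resolve_command("su", RAQ4_PATH, root)
        return {"before": first, "after": second, "added": added,
                "modified": modified, "removed": removed}


def demo_symlink_guard():
    """Pre-seed the shadowing directories with symlinks to /bin/su, as the reply suggests;
    a create-only attacker can no longer drop a file there, and su still resolves to /bin/su."""
    with tempfile.TemporaryDirectory() as root:
        build_root(root)
        for d in shadowing_dirs("/bin", RAQ4_PATH):
            (Path(root) / d.lstrip("/") / "su").symlink_to(Path(root) / "bin" / "su")
        try:
            create_only(root, "/usr/local/sbin/su", "#!/bin/sh\necho planted\n")
            blocked = False
        except FileExistsError:
            blocked = True
        return {"blocked": blocked, "resolved": resolve_command("su", RAQ4_PATH, root)}


if __name__ == "__main__":
    print(demo_shadowing())
    print(demo_symlink_guard())
```

The symlink guard only covers the create-only attacker the thread describes; an attacker who can overwrite writes straight through the symlink into /bin/su, which is exactly why the reply puts the weight on the baseline diff (`compare`) rather than on the workaround.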