
Re: [cobalt-developers] AWStats



> On Tue, 2002-08-20 at 05:38, Zeffie wrote:
> > > So saying using /bin/su over su due to security issues is a little off
> > > track. I understand your point, but really by the time they can put a
> > > trojan version on your machine you are already sool. So at that point
> > > you must ask yourself, can they only affect that user, or all?
> > > William L. Thomson Jr.
> > Not true.
> > our path (raq4)
> >
> > PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
> > Let's say someone finds/makes a hole in one of our services that run as root
> First problem, no service, especially public services should run as
> root.

sure... but many things do on various pieces of Cobalt equipment.  I work on
all of the Cobalt line.  The old MIPS boxes can be very Red Hat 4.2, and we
have things that run as root.

> > or even the command "passwd" and all they can do is make a file...  they
> > cannot overwrite for whatever reason...  now... all they have to do is make
> > that file in /usr/local/sbin or /usr/local/bin or /sbin and call it su
>
> In that scenario where they can only make a file, placing a symlink in
> /usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin all to
> /bin/su would resolve that worry or problem. Although usually if they
> can make a file they can do much more than that so I am not too sure how
> likely that scenario is.

It's not about how to stop things, it's about good habits.

> > Next time you "su" and depend on the path...  you send the passwd out in the
> > mail.  And you think you're locked out...  hey ... no root for you... (until
> > you run the real /bin/su)  and shortly you will have visitors... with root
> > access.
>
> I see where you are going with that, but at that point you should be
> aware that you have been exploited and are taking measures to restore
> security. If you prevent them from playing around with or installing a
> modified su, then they will just look to something else.
>
> So sure by using an absolute path to su (/bin/su) you may think they
> can't get your password, but where there is a will there is a way.

yes and this is about one way...  (an old way)

> If they have access to your file system getting a copy of your password
> files, /etc/passwd, /etc/shadow would be enough for them to crack your
> passwords. There are many programs out there that can read and display
> the passwords. Some will take a while depending on the algorithm.

They don't have access to retrieve a file in this method.  They only need to
make one.

> The real issue at hand is keeping them out of the system(s). Once they
> have access it's just a matter of time. So using /bin/su may slow them
> down, but that will not stop them.

But it will not give away the passwd automatically, and you may not know it.

> So I do not consider it to be a security measure. More like once the
> boat has sprung a leak try to keep the leak in one part. I would rather
> fix the leak, or prevent a leak from occurring with proper maintenance.
> Basically security after the fact of an exploit is not really security.
> Security should prevent the exploit from occurring.

Do I need to describe the attack in detail to you on a user list?

> Now if you want to prevent this scenario, it's simple install tripwire.
> Dial it in, and you will know when ever a file is modified, created, and
> etc. Then you will be able to respond as it's happening instead of
> falling victim after the fact. That would be a better security measure
> than saying only use /bin/su instead of su.

Those are prevention things....  and in your case you would give the passwd
to the attacker when you logged in... and just because you have tripwire
doesn't mean everybody does..  It's not part of the default load.

It's Good Habit!  "That is all"

EOF

Zeffie
http://www.zeffie.com/



> --
> Sincerely,
> William L. Thomson Jr.
> Support Group
> Obsidian-Studios Inc.
> 439 Amber Way
> Petaluma, Ca. 94952
> Phone  707.766.9509
> Fax    707.766.8989
> http://www.obsidian-studios.com
>
> _______________________________________________
> cobalt-developers mailing list
> cobalt-developers@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-developers
>
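The thread above turns on one check: which file a bare `su` actually resolves to along the login PATH, and whether any PATH entry (the RaQ4 path lists /usr/local/sbin and /usr/local/bin first) is somewhere a non-root user could drop a file. The following audit script is an added example, not code from either poster or from Cobalt; the function names and the temporary test layout are assumptions of this example. It reports every copy of a command found along a given PATH in lookup order, tests whether the first hit is the expected canonical binary, and lists PATH directories the current user can write to.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): audit PATH lookup for a
# command such as "su" from a defender's point of view.

# Print every executable named $1 found along the colon-separated path $2,
# in lookup order. The first line is the file a bare "$1" would run.
find_in_path() {
    cmd=$1
    path=$2
    oldifs=$IFS
    IFS=:
    for dir in $path; do
        [ -z "$dir" ] && dir=.          # an empty PATH entry means "."
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
        fi
    done
    IFS=$oldifs
}

# Return 0 when the first hit for command $1 in path $3 is exactly $2
# (e.g. resolves_to su /bin/su "$PATH"), 1 when something shadows it.
resolves_to() {
    first=$(find_in_path "$1" "$3" | head -n 1)
    [ "$first" = "$2" ]
}

# Print how many executables named $1 exist along path $2.
# A healthy answer for "su" is 1; more than 1 deserves a look.
count_copies() {
    find_in_path "$1" "$2" | wc -l | tr -d ' '
}

# Print PATH entries of $1 that the current user can write to. Run as an
# ordinary (non-root) account: any line printed is a directory where that
# account could plant a file that shadows a system command for everyone
# whose PATH lists it before /bin.
writable_path_dirs() {
    oldifs=$IFS
    IFS=:
    for dir in $1; do
        [ -z "$dir" ] && dir=.
        [ -w "$dir" ] && printf '%s\n' "$dir"
    done
    IFS=$oldifs
}

# Stand-alone run: report on the caller's own PATH.
if [ -z "$PATH_AUDIT_QUIET" ]; then
    echo "su candidates in lookup order:"
    find_in_path su "$PATH"
    echo "copies of su: $(count_copies su "$PATH")"
    if resolves_to su /bin/su "$PATH"; then
        echo "OK: bare 'su' resolves to /bin/su"
    else
        echo "WARNING: bare 'su' does not resolve to /bin/su"
    fi
    echo "PATH entries writable by $(id -un):"
    writable_path_dirs "$PATH"
fi
```

Usage: source the file (or run it) as the unprivileged account you normally log in with, then as root. The interesting findings are a `su` that resolves anywhere other than /bin/su, a copy count above one, and any writable directory listed before /bin, which is exactly the condition the poster's "make a file in /usr/local/sbin" scenario depends on; on a shared box, Tripwire-style integrity monitoring of those directories complements the /bin/su habit rather than replacing it.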