Re: User access & security



On Thu, 04 Oct 2007, in the Usenet newsgroup comp.os.linux.security, in article
<47041e72$0$22321$ba620e4c@xxxxxxxxxxxxxx>, goarilla wrote:

Mark wrote:

I am told that it is fairly easy with user access to install a
rootkit of some sort and totally compromise the system.

fairly easy ? iirc a rootkit is something that replaces valuable
system tools like ps, lsof, top, ipconfig, ip, ...
for this to be successful the user has to have access to the files in
question
this can be accomplished in a number of ways i know of

all of which require the attacker to have access to the system.

a) you have fucked up your permissions and allow other to write to
binaries owned by root

I'm amazed at the number of total fscking IDIOTS who think that
'chmod 777 *' is the way to fix a permission problem. Luckily, the
really dumb ones do that recursively from / and really screw up
access to their systems, give up, and go back to running windoze95
because it doesn't have these problems.

b) the user account has unlimited access to or has enough access to
sudo to do the same as mentioned in a)

or the root account has no password because it's too hard to type the
password all the time.

c) the user is rather skilled or is a script kiddie who knows where
to get good tools and uses exploits in suid programs to execute the
commands required to install a rootkit (again you'll have to decide what
you want your users to be able to do (permissions permissions
permissions)).

This usually occurs because the administrator doesn't maintain the
system or understand what they are doing in the first place. These are
the same people who install everything on the 7 CD (or two DVDs) set
because they think they might find it useful.

normal users have no business using suid or sgid programs

[compton ~]$ ls -l /bin/login
-rws--x--x 1 root root 16314 Mar 13 2007 /bin/login
[compton ~]$

Yeah! ;-)

d) the user is extremely good so after not finding the necessary
sudo/sgid exploits he will try to attack running services that run
as root: apache, smb, ... to get total access to the machine

Again, why does an attacker have access to vulnerable services? A
publicly visible server should be running only those services
needed to do its job.

lately most attacks against webservers seem to target vulnerable php,

It is possible to write PHP that is more bullet resistant. Unfortunately
most administrators merely copy some piece of crap that they found in a
garbage can, and make NO effort to understand what it's doing, and the
holes that it opens. "It works, and doesn't crash the browser or the
server - must be OK!"

perl script and spawn a custom script, which is located at some
anonymous or compromised server, which launches a reverse (root) shell
so ... it's a good idea to disallow the use of download tools like
wget, curl to your users and your apache server

You did notice that what was being exploited here was an FTP server
with a well-known username and password that was set up to allow
uploading of files.

Old guy
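As an added example that is not part of the thread, here is a small POSIX shell audit for the two permission problems in goarilla's cases a) and c): root-owned binaries that others can write to, and setuid/setgid programs a normal user can run. It prints findings in the same ls -l style as the /bin/login line above; the script name and the default directory list are assumptions.

```shell
#!/bin/sh
# audit_perms.sh (added example, not from the thread): report the two
# permission mistakes discussed above.
#   a) files writable by "other" under the binary directories (the chmod 777 mistake)
#   c) setuid/setgid files, each of which a user can run with elevated rights
# Usage: sh audit_perms.sh [DIR ...]   (defaults to the usual binary directories)

# Regular files writable by "other" below the given directories (case a).
find_world_writable() {
    find "$@" -xdev -type f -perm -0002 2>/dev/null
    return 0
}

# Regular files with the setuid or setgid bit set below the given directories (case c).
find_suid_sgid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    return 0
}

# Print both lists ls -l style and return 1 if any world-writable file was found:
# that one is always a bug, while each setuid entry needs a human to decide
# whether it is wanted (a stock /bin/login is, a stray copy of a shell is not).
audit_dirs() {
    status=0
    echo "== world-writable files (fix these) =="
    find_world_writable "$@" | while IFS= read -r f; do ls -ld "$f"; done
    if [ "$(find_world_writable "$@" | grep -c .)" -gt 0 ]; then
        status=1
    fi
    echo "== setuid/setgid files (review each one) =="
    find_suid_sgid "$@" | while IFS= read -r f; do ls -ld "$f"; done
    return $status
}

# Default directory list is an assumption; adjust it to the system being checked.
if [ $# -gt 0 ]; then
    audit_dirs "$@" || echo "FAIL: world-writable files found" >&2
else
    audit_dirs /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
        || echo "FAIL: world-writable files found" >&2
fi
```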