Re: Secure $PATH for regular user

On Thu, 01 Nov 2007, in the Usenet newsgroup, in article
<472913c7$0$22308$ba620e4c@xxxxxxxxxxxxxx>, goarilla wrote:

Moe Trin wrote:

goarilla wrote:

user@host:~ $ su
root@host: $ sudo /bin/ls
root is not in the sudoers file. This incident will be reported.


Offcorse :D

Hate to say how many people I've seen with a null password - even for
the root account.

If the attacker knows you can sudo (or su) to root, they can use
that knowledge to obtain the authentication token (if there is
one), and then become root directly and screw the system without
have to wait for you to trip over their malware.

what do you mean with authentication token ?

What ever mechanism you are using to authenticate yourself. This could
something as simple as a username and password - it's amazing how many
people are still using telnet over the wire (which passes username and
password en-clair for anyone to sniff), or someone installing a key
sniffer on your system (or simply running the 'script' command to
snarf all of your keystrokes). At the other extreme, this could be
a one-time password or a token card system such as "SecureID" or
"SecureNet". No matter what, the attacker merely has to be able
to be able to learn your password by any means, and you get blamed
for the attack.

Some users also make it easy for the attacker, because they use a
predictable username and password. In March 2003, there was a windoze
worm called "deloader" that wreaked havoc with the windoze crowd by
trying just 87 passwords for the "Administrator" account. Those 87
included such difficult passwords as "" (which is to say 'nothing')
"0", "1", or the really hard one "pass", and this cracked a large
number of windoze boxes. I hate to tell you how often a password
cracking tool such as "Jack the Ripper" has found such passwords on a
*nix box.

The distributions are partially to blame for this - playing the
numbers game of "we have more stuff than the other guys". They try
to make the systems somewhat self-maintaining (automatically
checking for, and installing updates) but some block this function
under the impression that the software is "calling home" with all
kinds of secret/personal information.

thats why i use slackware, freebsd

And on both of these, the first account the home or hobbyist user gets
is... root. (It was six months before I learned who this 'root'
was, and over a year before I got very limited extra privileges that
allowed me to shut down the system, or mount/unmount tapes. I didn't
get a root account for six MORE months after that.)

A major problem is that the average computer user is not willing to
learn what their computer is doing, and why. The distributions (and
that includes the *BSDs) have to cater for this lower skill level.
In April 1999, what was then 'Caldera Linux' introduced a brain dead
installation program that allowed poorly trained monkeys to setup a
Linux system from scratch. The other distributions had no choice but
to emulate this. Sure, there are more users of Linux (and *BSD)
today, but where are their skills? Just click that icon, and all
will be well.

In many operating systems (and that even includes windoze), there may
be unpatched security holes, but the FAR more common problem is user
stupidity. Uncrackable computers are already available. It's uncrackable
users that are in short supply

talking about openvms, tandem ?

Actually, any of the 'secure' or 'trusted' distributions of Linux will
do - as will OpenBSD. There are also trusted (but because they are not
certified, can't be called) UNIX out there as well. Generally, these
put more barriers in place, such as access control lists, or the NSA
SELinux hooks. Out of box, they can be _practically_ uncrackable. But
then you add users...

Social Engineering - Because there's no patch for human stupidity.

Old guy.

Relevant Pages

  • Re: Fedora 20 Update: unetbootin-603-1.fc20
    ... Linux distributions from Windows or Linux, without requiring you to burn a CD. ... You can either let it download one of the many distributions supported ... UNetbootin must be run as root. ...
  • Re: Password
    ... I ran a quick search on Ask with the phrase "linux lost ... Have you ever forgotten your root password? ... Fortunately, it wasn't a boot password, so I did have ... (although "mount" may say it is). ...
  • Re: Fedora 20 Update: unetbootin-603-1.fc20
    ... Linux distributions from Windows or Linux, without requiring you to burn a CD. ... UNetbootin must be run as root. ... To unsubscribe or change subscription options: ...
  • RE: Linux hacked
    ... Subject: Linux hacked ... After you boot up into the OS running from CD, ... >> First let me say I'm a security novice. ... >> been unsuccessful in getting root back. ...
  • Re: Greetings / Newbie questions
    ... Please, don't jump on the "Linux is the be-all, end-all OS and is ... I am having a bit of trouble deciding which to use: Gnome or KDE. ... >I have found that alot of things need to be done as root. ...