Re: To limit the user
From: Alex (alex.ferguson@NOSPAMdartmouth.edu)
Date: 04/18/03
- Next message: Dharma Fog: "Re: [Samba] Samba over SSH tunnel almost works"
- Previous message: Shashank Khanvilkar: "ssh2: login without a password"
- In reply to: Kyler Laird: "Re: To limit the user"
- Next in thread: Michael Heiming: "Re: To limit the user"
From: "Alex" <alex.ferguson@NOSPAMdartmouth.edu> Date: Fri, 18 Apr 2003 15:12:15 -0400
On Fri, 18 Apr 2003 15:22:08 GMT
Kyler Laird <Kyler@news.Lairds.org> wrote:
> > Any such solution would have to answer problems like the attacker starting a telnetd or some rat under the user's id
>
> How is a user-started telnetd going to elevate a process to
> root? It has to go through a setuid executable. You
> control those.
My assumption was that this whole exercise is to prevent the attacker from having the opportunity to guess at the root password. I don't suggest anywhere that a compromised user account needs to equal a root compromise. (It could happen pretty fast, though, if the user is using su or sudo, because of $PATH.) Here I am suggesting ways the attacker might cause his terminal to appear to be something other than the one he entered with (the ssh session).
>
> > and disassociating it from the terminal, or even setting ~/.profile or cron to run that telnetd.
>
> Verify that the connection is associated with a specified
> terminal. Can't fake that, can you?
The idea here is that .profile will be executed when the legitimate user logs into a trusted terminal, thus bypassing all restrictions on the attacker's terminal.
This certainly isn't something I've studied up on, so do continue to keep me honest!
--Alex
-- PGP/GPG key id 848C80EF available at wwwkeys.pgp.net
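An added defensive check, not part of the thread, that audits the two conditions Alex raises: login startup files an attacker with the user's id could plant commands in (so they run when the legitimate user logs in from a trusted terminal), and $PATH entries that would let a planted binary shadow su or sudo. It assumes a POSIX sh with ls, cut and readlink; the file names checked are a conventional list, not one from the thread.

```shell
#!/bin/sh
# Added example: audit where user-level access could plant commands that later
# run from a trusted terminal, and PATH conditions that let a planted binary
# shadow su/sudo. Defensive check only; prints one finding per line.

# Return the 10-character mode string of a path (handles ls adding '+' or '.').
mode_of() { ls -ld "$1" | cut -c1-10; }

# Report login startup files under home directory $1 that are symlinks or
# writable by group/others (positions 6 and 9 of the mode string).
audit_startup_files() {
    home="$1"
    for f in .profile .bash_profile .bash_login .bashrc .login .cshrc .zprofile .zshrc; do
        p="$home/$f"
        [ -e "$p" ] || [ -L "$p" ] || continue
        if [ -L "$p" ]; then
            echo "SYMLINK $p -> $(readlink "$p")"
        fi
        case "$(mode_of "$p")" in
            ?????w????|????????w?) echo "WRITABLE $p $(mode_of "$p")" ;;
        esac
    done
    return 0
}

# Report PATH ($1) entries that are searched before the real su/sudo and that
# an attacker could populate: empty entries (current directory), '.', other
# relative paths, and absolute directories writable by others.
audit_path() {
    rest="$1:"                      # trailing ':' so the last entry is seen
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        rest=${rest#*:}
        case "$d" in
            "")  echo "EMPTY-ENTRY (searches current directory)" ;;
            .)   echo "RELATIVE ." ;;
            /*)  [ -d "$d" ] && case "$(mode_of "$d")" in
                     ????????w?) echo "WRITABLE $d" ;;
                 esac ;;
            *)   echo "RELATIVE $d" ;;
        esac
    done
    return 0
}

# Usage: audit_startup_files "$HOME"; audit_path "$PATH"
```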