Re: Compromise of the nobody account?
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Sun, 27 Jan 2008 11:30:46 -0600
On Sat, 26 Jan 2008, in the Usenet newsgroup comp.security.unix, in article
<ffaf1c48-6dd1-4466-86f2-d14dc35aa513@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, mike3
wrote:
NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.
> How bad is it if one can't trust the "nobody" account on a UNIX
> or Unix-like system
And the reason you can't trust it is...
> and said account has been broken into and is being used to access
> the system?
[compton ~]$ grep nobody /etc/passwd
nobody:*:99:99:Nobody:/:/bin/true
[compton ~]$ grep nobody /etc/group
nobody:*:99:
[compton ~]$
OK - let's start at the beginning. What's the password you need to
become "nobody"? It's the second field. And what shell is
user "nobody" using? It's the last field from the password line.
> Is it bad practice to leave the "nobody" account unguarded?
Besides being unable to log in as this user, how do you feel the account
is unguarded? How would you guard it? How do you think you can
exploit the account? Now you may discover some exploit that can
elevate the privileges of a user running in some account, but
exactly how would this differ from a user running as any other user
besides nobody - such as user 'cron', user 'mail' or user 'news'?
> At worst I'd guess the cracker might be able to turn off or fuss
> around with daemons running as that,
[compton ~]$ find / \( -group 99 -o -user 99 \) -print 2>/dev/null
[compton ~]$
So 'nobody' owns no files or directories. That means the access
granted to this user (or group) is that of the three right bits in the
permission mask, and
[compton ~]$ find / \( -type f -o -type d \) -perm -002 -exec ls -ld {} \;
drwxrwxrwt 3 root root 16384 Jan 27 08:42 /tmp
drwxrwxrwt 2 root users 1024 Dec 26 15:31 /tmp/.X11-unix
drwxrwxrwt 2 root root 1024 Dec 26 15:31 /var/tmp
[compton ~]$
the only files or directories that are writable are the /tmp/ directories.
I'll leave it as an exercise for you to determine what the 't' permission
flag is.
> however if one uses something else to run the daemons instead I would
> not think all that much damage to the system could be done from a
> comp'd nobody account.
Yeah, but instead they would be able to run crap as "something else",
whatever that might be.
> Is this a good assessment?
No. You might want to spend some time reading authoritative material
about the subject. You seem to be in the USA, so try wandering down to
a good library and see if you can find a copy of "Practical UNIX &
Internet Security, 3rd edition" by Simson Garfinkel, Gene Spafford, and
Alan Schwartz (O'Reilly, ISBN 0-596-00323-4, 984 pgs, February 2003)
which would be a good starting point.
Old guy
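The three checks the reply walks through (a disabled password field plus a non-login shell, no files owned by the uid, and which world-writable directories lack the 't' bit) collected into one script. This is an added example, not part of the original thread; it takes the passwd file and the directory root as arguments so it can be run against a test fixture, and the list of non-login shells it accepts is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit a "nobody"-style account
# the way the reply above does, against a passwd file and a tree of choice.

# account_locked PASSWD_FILE USER
# Succeeds only if the password field is disabled ('*' or starts with '!')
# AND the login shell is one that refuses an interactive session.
# A shadowed field ('x') cannot be judged from /etc/passwd alone, so it fails.
account_locked() {
  entry=$(grep "^$2:" "$1" | head -n 1)
  [ -n "$entry" ] || return 1
  pw=$(printf '%s\n' "$entry" | cut -d: -f2)
  shell=$(printf '%s\n' "$entry" | cut -d: -f7)
  case "$pw" in
    '*'|'!'*) ;;                 # disabled password
    *) return 1 ;;               # 'x' or a hash: not proven locked here
  esac
  case "$shell" in               # assumed set of non-login shells
    /bin/true|/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
    *) return 1 ;;
  esac
}

# owned_count ROOT UID
# Number of files or directories under ROOT owned by the numeric UID
# (the reply's "find / -user 99" check; 0 is the answer you want).
owned_count() {
  find "$1" -user "$2" -print 2>/dev/null | wc -l | tr -d ' '
}

# world_writable_nosticky ROOT
# World-writable directories under ROOT that lack the sticky bit. A 1777
# /tmp is expected; a plain 0777 directory is what this flags.
world_writable_nosticky() {
  find "$1" -type d -perm -002 ! -perm -1000 -print 2>/dev/null
}

# Stand-alone run against the live system: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
  if account_locked /etc/passwd nobody; then
    echo "nobody: password disabled and non-login shell"
  else
    echo "nobody: WARNING, not proven locked from /etc/passwd alone"
  fi
  echo "files owned by uid 99: $(owned_count / 99)"
  echo "world-writable dirs without sticky bit:"
  world_writable_nosticky /
fi
```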