Re: Compromise of the nobody account?
On Jan 27, 11:01 am, Unruh <unruh-s...@xxxxxxxxxxxxxx> wrote:
> ibupro...@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) writes:
>> On Sat, 26 Jan 2008, in the Usenet newsgroup comp.security.unix, in article
>> <ffaf1c48-6dd1-4466-86f2-d14dc35aa...@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, mike3
>> wrote:
>>
>> NOTE: Posting from groups.google.com (or some web-forums) dramatically
>> reduces the chance of your post being seen.  Find a real news server.
>>
>>> How bad is it if one can't trust the "nobody" account on a UNIX
>>> or Unix-like system
>>
>> And the reason you can't trust it is...
>>
>>> and said account has been broken into and is being used to access
>>> the system?
>>
>> [compton ~]$ grep nobody /etc/passwd
>> nobody:*:99:99:Nobody:/:/bin/true
>> [compton ~]$ grep nobody /etc/group
>> nobody:*:99:
>> [compton ~]$
>>
>> OK - let's start at the beginning. What's the password you need to
>> become "nobody"?  It's the second field.  And what shell is
>> user "nobody" using?  It's the last field from the password line.
>>
>>> Is it bad practice to leave the "nobody" account unguarded?
>>
>> Beside being unable to log in as this user, how do you feel the account
>> is unguarded?  How would you guard it?  How do you think you can
>> exploit the account?  Now you may discover some exploit that can
>> elevate the privileges of a user running in some account, but
>> exactly how would this differ from a user running as any other user
>> beside nobody - such as user 'cron', user 'mail' or user 'news'?
>
> I think he may be being confused by, for example, nfs making the user root
> into the user nobody when accessing nfs mounted files. Thus he sees
> evidence of nobody trampling around and is worried that it is a break-in.

Actually you were wrong: I never saw any of this type of thing. Rather
I was asking as a purely hypothetical scenario out of curiosity.

>>> At worst I'd guess the cracker might be able to turn off or fuss
>>> around with daemons running as that,
>>
>> [compton ~]$ find / \( -group 99 -o -user 99 \) -print 2>/dev/null
>> [compton ~]$
>
> Usually user nobody is uid -1 although on mine it is -2.

<snip>
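As an added example that is not part of this thread, here is a small POSIX shell audit that applies the two checks Moe Trin points at (a locked password field and a non-interactive shell) and his find over files owned by the account's uid/gid, run against a constructed passwd sample rather than the live /etc/passwd; the sample entries and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check a system account the way Moe Trin's
# grep/find commands do, but against constructed data so it runs anywhere.

# Constructed stand-in for /etc/passwd (a real audit would read the file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:*:99:99:Nobody:/:/bin/true
www:x:80:80:Web:/var/www:/bin/sh'

# audit_account NAME PASSWD_DATA
# Field 2 must be a locked password and field 7 a non-interactive shell,
# the two things Moe Trin points at. Prints "NAME: ok" or one line per
# finding; returns 0 when clean, 1 on findings, 2 if NAME is absent.
audit_account() {
    name=$1
    entry=$(printf '%s\n' "$2" | awk -F: -v n="$name" '$1 == n')
    [ -n "$entry" ] || { echo "no such account: $name"; return 2; }
    pw=$(printf '%s' "$entry" | cut -d: -f2)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    rc=0
    case $pw in
        '*' | '!' | '!!' | '*LK*') ;;      # no hash can ever match: locked
        x) echo "$name: hash is in /etc/shadow; confirm it is locked there"; rc=1 ;;
        *) echo "$name: password field '$pw' is a usable hash"; rc=1 ;;
    esac
    case $shell in
        /bin/true | /bin/false | /sbin/nologin | /usr/sbin/nologin) ;;
        *) echo "$name: interactive shell $shell"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "$name: ok"
    return "$rc"
}

# files_owned_by ID DIR
# Count files under DIR owned by numeric uid or gid ID: Moe Trin's
# 'find / \( -group 99 -o -user 99 \)' with the search root narrowed to DIR.
files_owned_by() {
    find "$2" \( -user "$1" -o -group "$1" \) -print 2>/dev/null | wc -l | tr -d ' '
}
```

Against the sample, `audit_account nobody "$SAMPLE_PASSWD"` reports ok, while `www` is flagged for both its shadow-deferred password and its /bin/sh shell; `files_owned_by 99 /` reproduces the find from the thread.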