Re: Compromise of the nobody account?



On Sun, 27 Jan 2008, in the Usenet newsgroup comp.security.unix, in article
<54209225-4fe7-4fe6-ba22-348a8b6658b0@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, mike3
wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

How's that? The only reason I use google is because it's free -- I
don't have to pay for it since I don't get a lot of money.

http://www.dmoz.org/Computers/Usenet/Public_News_Servers/

There is substantial spam flowing out of google, to the point that
people are simply killfiling (blocking) all posts from there.

And the reason you can't trust it is...

Someone broke into it?

Not very likely. If you're going to get r00ted, it's much more likely
to occur to one of the "normal" accounts.

OK - let's start at the beginning. What's the password you need to
become "nobody"? It's the second field. And what shell is
user "nobody" using? It's the last field from the password line.

There's another reason not to use google - it's screwing up the text.

Well, in my hypothetical, suppose the password was "bigdaddy".
The administrator assigned "nobody" to have whatever shell is
the usual for a user account on his/her system.

Then the administrator is totally incompetent, and should be shot,
and the remains tossed into a pit of rabid drug-crazed wombats.
There is no reason to have a "working" password for this account. I'm
guessing you don't understand that the "*" in the password field means
"no password will work here" - that field is normally either a referral
field ("x" means to look in /etc/shadow, "+" means it's in NIS) or the
11+ character hash of the password. There is no way for any of the
hashing tools used to create this entry (crypt, md5, sha, blowfish) to
create a hash of "*", so nothing you can enter at the "Password:"
prompt will work - they ALL will come up with "Login incorrect".

As far as the shell is concerned, "nobody" doesn't use a shell. It's
generally used to run specific commands. Thus, the '/bin/true' shell
(which exits immediately) is the only shell needed by this user.

Well, let's see. With "bigdaddy" as a password it might be suitable
for a dictionary attack.

First error - all attempts to log in as nobody (or to 'su' to it from
all but the root account) fail - immediately. And yes, a password as
bad as 'bigdaddy' would fail easily to a dictionary attack, which is
why everyone and their dog constantly screams about users coming up
with such crap. "Mixed case, includes a digit and a punctuation
character, and is not a dictionary word or combination of dictionary
words." The password should have no obvious (or even subtle)
connection to the user. Thus, I have used passwords that interleaved
the name of my neighbor's dog and the capital city of a long defunct
nation (think on the lines of sRaOiVgEoRn) - along with the digit and
a comma. Others suggest using the first letter of each word of a
phrase or song (think "TtL*HiWwya" - for "twinkle, twinkle, little
star...). Relatively easy to remember (and type), yet not easy to
guess (or even stumble across).

But once in as nobody, could one perhaps shut down or tamper with
daemons running under it

Shutting down is possible, tampering is not. On this system, "nobody"
is used to index the man pages, and run the tool that creates the
"locate" database nightly. Stopping either job isn't critical. But
again, "nobody" owns nothing, and thus is unable to alter any tool.

perhaps in a way that might enable access to more of the system? Since
"nobody" is often used for running daemons, that's why I was wondering
about it.

Not that many systems use nobody to run a daemon. It's more to run a
task that requires limited access. Your cracker would be much better
served going after one of the user accounts.

I'll leave it as an exercise for you to determine what the 't'
permission flag is.

t is for Temporary?

It's the "sTicky" bit, that now is most normally used to prevent any
who have write permission in a directory other than the file owner
from deleting a file.

So what if, say, nobody were to create a file in those directories,
perhaps an executable program, that could then be run to do something?

OK - who is going to run it? "/tmp" is not likely to be in the PATH of
a user, so you'd have to specify the full path to that executable.

Might not tampering with temp files that get used by programs(*)
potentially (depending on the design and bugs in the program) allow
for a security hole of some sort to be exploited, and hence leaving
a lax-guarded, easy-to-get-into user account, even a "nobody" account
with no privilege at all is still a dangerous thing to do? Am I right
on that?

(*) note that write permissions are there for everybody.

That's another function of the sticky bit ;-) You (not being the
owner) of the file can't mess with it unless the owner set the
permissions on the file to be world writable - not likely, as that
is another well known security problem.

however if one uses something else to run the daemons instead I
would not think all that much damage to the system could be done
from a comp'd nobody account.

Yeah, but instead they would be able to run crap as "something else"
what-ever that might be.

Not unless there's accounts for each and every daemon, in which case
only that one daemon could be manipulated unless all the other
accounts are compromised as well.

The point is that _every_ application, be it a user running 'ls', an
MTA like sendmail, or the terminal program running a getty waiting for
someone to log in - they ALL are being run by some "user", which might
be me, the "mail" daemon, or "root". There's nothing special about
a daemon or task being run by "nobody" other than the fact that they
can be run with less privilege than other daemons.

You seem to be in the USA, so try wandering down to a good library
and see if you can find a copy of "Practical UNIX & Internet
Security, 3rd edition" by Simson Garfinkel, Gene Spafford, and
Alan Schwartz

Would they have it at a library as small as the one I have here in
this little resort town of only 2000 people? Not everyone lives in a
big city and makes or has access to $30,000 a year, you know.

You'd have to ask, but virtually every library in the US has an
"Inter-Library Loan" program, where they can get a copy from some
other library who has one. In my experience, there is no charge to you
(the borrower) for this service, though it may take a week for the
book to arrive. Comes in VERY handy. I use it several times a year
because the local branch library has such a limited selection.

PS. An academic library (college/ university library) -- the type
where one would likely find that stuff, is around 100 miles away and
gas is not cheap these days.

The libraries here use USPS, or a package service like UPS or FedEx
(ground in both cases), so the cost to them is minimal. For USPS, the
"book rate" for that book (just under 3 pounds) is US$2.26.

Then too, that book appears to be on the Safari program at O'Reilly,
so you may be able to join that program and read it on-line.

Old guy
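
The checks the reply above describes (a "*" in the password field that no hash can ever equal, a non-interactive shell such as /bin/true or nologin, and the sticky bit on a world-writable directory) as an added audit script. It is not part of the thread; the passwd-format lines in SAMPLE_PASSWD are constructed sample data, not taken from any real host, and the demo directory is created and removed by the script itself.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an account the way the reply
# describes: "*" (or "!", "!!") in the password field is a value no password
# hash can equal, so nothing typed at "Password:" will match; a shell such as
# /bin/true or nologin means the account is not meant for interactive use.
# SAMPLE_PASSWD is CONSTRUCTED sample data, not copied from any real host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/bin/true
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
badnobody:$1$sa1t$constructedhash:65534:65534:nobody:/home/nobody:/bin/bash'

# passwd_field USER N CONTENT: print field N of USER's line in CONTENT.
passwd_field() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n; exit }'
}

# account_state USER CONTENT: classify the second (password) field.
#   locked - "*" / "!" / "!!" / "!*": no hash can match, login always fails
#   shadow - "x": the real field lives in /etc/shadow, check it there
#   empty  - no password at all (dangerous)
#   hashed - a real hash: the account can be logged into and guessed at
account_state() {
    pw=$(passwd_field "$1" 2 "$2")
    case "$pw" in
        '*'|'!'|'!!'|'!*') echo locked ;;
        x)                 echo shadow ;;
        '')                echo empty ;;
        *)                 echo hashed ;;
    esac
}

# shell_is_interactive USER CONTENT: 0 if the login shell could give a session.
shell_is_interactive() {
    lsh=$(passwd_field "$1" 7 "$2")
    case "$lsh" in
        /bin/true|/bin/false|*/nologin|'') return 1 ;;
        *) return 0 ;;
    esac
}

# audit_account USER CONTENT: 0 if the account is locked AND has no usable
# shell (the state the reply says "nobody" should be in), 1 otherwise.
audit_account() {
    state=$(account_state "$1" "$2")
    if shell_is_interactive "$1" "$2"; then shell=interactive; else shell=noninteractive; fi
    printf '%s: password=%s shell=%s\n' "$1" "$state" "$shell"
    [ "$state" = locked ] && [ "$shell" = noninteractive ]
}

# dir_has_sticky DIR: 0 if the sticky bit ('t' or 'T' at the end of the
# ls -ld mode string) is set, so only a file's owner (or root) can delete
# it even though the directory itself is world-writable.
dir_has_sticky() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        *t|*T) return 0 ;;
        *)     return 1 ;;
    esac
}

# demo_sticky: build a mode-1777 directory, as /tmp is normally set up,
# check it, and remove it again.
demo_sticky() {
    d=$(mktemp -d) || return 2
    chmod 1777 "$d"
    dir_has_sticky "$d"; rc=$?
    rmdir "$d"
    return $rc
}

audit_account nobody "$SAMPLE_PASSWD"
audit_account badnobody "$SAMPLE_PASSWD" || echo "badnobody: NOT safe (real hash and a login shell)"
demo_sticky && echo "sticky bit set on a 1777 directory"
```

On a live system the same functions can be pointed at `/etc/passwd` with `passwd_field nobody 2 "$(cat /etc/passwd)"`; a result of `shadow` means the lock status has to be read from /etc/shadow as root, where the same "*" or "!" convention applies.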