Re: Compromise of the nobody account?



In article <slrnfpqddf.vm.ibuprofin@xxxxxxxxxxxxxxxxx>,
ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) wrote:

> On Sun, 27 Jan 2008, in the Usenet newsgroup comp.security.unix, in article
> <aG3nj.30527$yQ1.2254@edtnps89>, Unruh wrote:
>
> > (Moe Trin) writes:
> >
> > > [compton ~]$ grep nobody /etc/passwd
> > > nobody:*:99:99:Nobody:/:/bin/true
> > > [compton ~]$ grep nobody /etc/group
> > > nobody:*:99:
> > > [compton ~]$
> >
> > Below
> >
> > I think he may be being confused by, for example, nfs making the user
> > root into the user nobody when accessing nfs mounted files. Thus he
> > sees evidence of nobody trampling around and is worried that it is a
> > break-in.
>
> I didn't interpret it that way at all. A much more common scenario is
> to discover "nobody" running a cronjob like 'makewhatis' or 'updatedb'
> which generates lots of load, and has caused an untold number of posts
> asking if the box has been r00ted. This is especially common on a
> non-24/7 box that is running an appropriate cron-daemon like 'anacron'
> or 'fcron' (which run jobs some specified time after booting).

He also mentioned daemons in one of his replies. "grep nobody
/etc/inetd.conf" and you'll probably find a few of them. However, since
these are run by inetd, they aren't permanent daemon processes; they
start up when a connection comes in, do their work, and then exit. So
you'd have to be very quick to catch them while they're running.

Most of these daemons are pretty trivial; there's little you can do to
interfere with them, and they're not used for anything system-critical.
For instance, if you run a finger daemon it's common to run it as
nobody, so that only world-readable .plan files can be displayed. The
worst you could do to this daemon if you had a "nobody" shell would be
to attach a debugger process to it, and then you could make it return
anything you want to the client. But no one would use finger for
anything really important, so what's the big deal?

--
Barry Margolin, barmar@xxxxxxxxxxxx
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
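An added example, not code from anyone in this thread: a small POSIX shell audit that lists which inetd services and which system-crontab entries run as a given account, so that activity seen from "nobody" can be matched to its legitimate source (an inetd-spawned fingerd, an anacron-run updatedb) before anyone concludes the box has been rooted. The inetd.conf and crontab text below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the thread): list the inetd services and the
# system-crontab entries that run as a given account, so that activity seen
# from "nobody" can be matched to a legitimate source before assuming a
# compromise. The config text below is constructed for the demonstration;
# on a real host feed the functions /etc/inetd.conf and /etc/crontab instead.

# inetd.conf layout: service socket_type proto wait/nowait user[:group] program args
SAMPLE_INETD='# constructed sample
finger  stream  tcp  nowait  nobody         /usr/sbin/tcpd   in.fingerd
ident   stream  tcp  nowait  nobody:nogroup /usr/sbin/identd identd -i
ftp     stream  tcp  nowait  root           /usr/sbin/tcpd   in.ftpd
daytime stream  tcp  nowait  root           internal'

# /etc/crontab layout: min hour dom mon dow user command
SAMPLE_CRONTAB='# constructed sample
0  4 * * * root   /usr/sbin/logrotate /etc/logrotate.conf
30 4 * * * nobody /usr/bin/updatedb
0  5 * * 0 nobody /usr/sbin/makewhatis'

# Usage: inetd_services_as ACCOUNT < inetd.conf
# Prints "service program" for each entry whose user field is ACCOUNT;
# a ":group" or ".group" suffix on the user field is ignored.
inetd_services_as() {
  awk -v acct="$1" '
    /^[[:space:]]*#/ || NF < 6 { next }
    { user = $5; sub(/[:.].*/, "", user) }
    user == acct { print $1, $6 }'
}

# Usage: cron_jobs_as ACCOUNT < crontab
# Prints the command of each system-crontab line whose user field is ACCOUNT
# (comment lines and SHELL=/PATH= assignments have too few fields and are skipped).
cron_jobs_as() {
  awk -v acct="$1" '
    /^[[:space:]]*#/ || NF < 7 { next }
    $6 == acct { cmd = $7; for (i = 8; i <= NF; i++) cmd = cmd " " $i; print cmd }'
}

echo "inetd services running as nobody:"
printf '%s\n' "$SAMPLE_INETD" | inetd_services_as nobody
echo "cron jobs running as nobody:"
printf '%s\n' "$SAMPLE_CRONTAB" | cron_jobs_as nobody
```

Per-user crontabs (/var/spool/cron) have no user column, so for those the account is the file name rather than field 6.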