Re: Compromise of the nobody account?

On Wed, 30 Jan 2008, in the Usenet newsgroup comp.security.unix, in article
<0b339798-926b-4739-a81b-2f03a7d34128@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, mike3
wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

> So what would happen if the administrator saw all sorts of programs
> running as "nobody", anyway, programs that didn't otherwise do so?
> Like lots of instances of "ping", for example, or something?

"nobody" would normally be seen during the wee hours, as most systems
would only be using the account for 'cron' tasks. Thus, any tasks
running as "nobody" during other times would raise a flag. Likewise,
any user running multiple instances of a command may be suspicious.
It's going to depend on "what is 'normal' on the system".

>> User "nobody" (like every other user) may exploit an unpatched
>> or unknown security hole. Most UNIX admins take precautions that the
>> number of such holes is minimized.

> How would that be done?

You'd want to read Bugtraq for that.

>> So, just as you wouldn't do something like that, why would anyone
>> do something equally senseless and disable or reduce the existing
>> protections of a computer?

> No, I wouldn't do that. I was just asking.

But that's an important point. Most *nix come with _reasonably_ sane
defaults - one of which is that the obvious boners aren't enabled.
UNIX is meant to be "professionally maintained", and that means the
administrators actually have some knowledge of what they are doing.
To paraphrase something seen posted elsewhere "being a [UNIX
administrator] is not an entry level skill, but it can easily be an
exit level skill." You avoid that problem by staying up to date and
knowing why your system was set up so.

>> They are all restricted accounts, and belong to an unused group, and
>> in most cases own no assets. As such, they are no more useful to a
>> cracker than the "nobody" account. ALL of these accounts are much
>> less useful than access to the "ordinary" user accounts, which
>> actually do have a password, and are likely to be allowed to log in
>> from outside the computer (unlike the system accounts).

> But is there a way that a cracker could try and access it from
> outside, barring some sort of security flaw in the OS itself?

Try? Sure. Succeed? No. As you can't log in as the accounts, the
only thing that might be worth trying is to knock over a network
service that is running as a user, and hope that it gives you a shell
when it breaks. This might (for example) involve sending a specially
crafted packet to the server. Barry suggested trying to find something
running out of inetd. On one system I have here, I see

[van-allen ~]$ grep nobody /etc/inetd.conf
#time stream tcp nowait nobody /usr/sbin/tcpd in.timed
#time dgram udp wait nobody /usr/sbin/tcpd in.timed
#auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -n
[van-allen ~]$

and there are only three services, all of which are disabled. So that's
not going to work. Actually in today's world, I'd expect to find not all
that many services running. Gone are the days when your average system
had several dozen services open by default.

Old guy
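As an added example (not part of this thread or any poster's code), a small POSIX shell audit that applies the two checks discussed above: which inetd.conf services are actually enabled and under which user they run, and whether "nobody" is running repeated or out-of-hours commands. The sample inetd.conf and `ps -eo user,comm` output are constructed; the 01-05 quiet window and the threshold of 5 instances are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): audit inetd.conf for enabled
# services and the user they run as, and spot the "lots of nobody processes"
# pattern the post describes. Sample data below is constructed, not real.

# Print enabled (uncommented) inetd.conf entries as "service user program".
# Fields: service socket proto wait/nowait user program args
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1, $5, $6 }' "$1"
}

# Given `ps -eo user,comm` output, print "user command count" for any
# user/command pair seen at least $2 times (default 5); the header is skipped.
repeated_commands() {
    awk -v t="${2:-5}" 'NR > 1 { n[$1 " " $2]++ }
        END { for (k in n) if (n[k] >= t) print k, n[k] }' "$1" | sort
}

# Print commands running as "nobody" (other than cron itself) when the hour
# of day ($2, 0-23) falls outside an assumed quiet cron window of 01-05.
nobody_outside_window() {
    if [ "$2" -ge 1 ] && [ "$2" -le 5 ]; then
        return 0   # inside the window where nobody's cron jobs are expected
    fi
    awk '$1 == "nobody" && $2 != "cron" && $2 != "crond" { print $2 }' "$1" | sort -u
}

# --- constructed sample input, modelled on the post's inetd.conf excerpt ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/inetd.conf" <<'EOF'
#time stream tcp nowait nobody /usr/sbin/tcpd in.timed
#auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -n
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
EOF
cat > "$tmp/ps.txt" <<'EOF'
USER COMMAND
root init
nobody ping
nobody ping
nobody ping
nobody ping
nobody ping
www-data httpd
EOF

echo "enabled inetd services:"; enabled_inetd_services "$tmp/inetd.conf"
echo "repeated commands:";      repeated_commands "$tmp/ps.txt" 5
echo "nobody at 14:00:";        nobody_outside_window "$tmp/ps.txt" 14
```

Replace the constructed files with `/etc/inetd.conf` and the live `ps -eo user,comm` output to run it against a real box.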