Re: Compromise of the nobody account?



In article <slrnfq2es2.lca.ibuprofin@xxxxxxxxxxxxxxxxx>,
ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) wrote:

On Wed, 30 Jan 2008, in the Usenet newsgroup comp.security.unix, in article
<0b339798-926b-4739-a81b-2f03a7d34128@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, mike3
wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

I think we got this the first 5 times you posted it in this thread.
Obviously the OP isn't going to switch right away.

So what would happen if the administrator saw all sorts of programs
running as "nobody", anyway, programs that didn't otherwise do so?
Like lots of instances of "ping", for example, or something?

"nobody" would normally be seen during the wee hours, as most systems
would only be using the account for 'cron' tasks. Thus, any tasks
running as "nobody" during other times would raise a flag. Likewise,
any user running multiple instances of a command may be suspicious.
It's going to depend on "what is 'normal' on the system".

User "nobody" (like every other user) may exploit an unpatched
or unknown security hole. Most UNIX admins take precautions that the
number of such holes is minimized.

How would that be done?

You'd want to read Bugtraq for that.

How do you minimize the number of UNKNOWN security holes? :)


So, just as you wouldn't do something like that, why would anyone
do something equally senseless and disable or reduce the existing
protections of a computer?

No, I wouldn't do that. I was just asking.

But that's an important point. Most *nix come with _reasonably_ sane
defaults - one of which is that the obvious boners aren't enabled.
UNIX is meant to be "professionally maintained", and that means the
administrators actually have some knowledge of what they are doing.
To paraphrase something seen posted elsewhere "being a [UNIX
administrator] is not an entry level skill, but it can easily be an
exit level skill." You avoid that problem by staying up to date and
knowing why your system was set up so.

That's a reasonable expectation for production Unix servers. But these
days there are lots of desktop Linux systems. While people who choose
Linux are likely to be more competent than typical Windows users,
expecting them to be experienced system administrators is a bit much.
Probably lots of them are like the OP.

--
Barry Margolin, barmar@xxxxxxxxxxxx
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
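The two heuristics Moe Trin describes above (a process owned by "nobody" outside the hours when cron would normally use that account, and one user running many instances of the same command) are easy to turn into a baseline check. The following is an added example, not code from the post or from any of the participants. It works over a constructed, simplified process listing in a "USER PID HH:MM COMMAND" shape rather than real `ps` output, and the 02:00-05:00 cron window and the instance threshold are assumptions that would be set from whatever is normal on a given system.

```python
"""Added example (not part of the Usenet post): flag processes running as
"nobody" outside the assumed cron window, and any user running more than a
threshold number of copies of one command. Sample listing, window and
threshold are all constructed/assumed, not taken from any real system."""
from collections import Counter
from datetime import time

# Assumed: the only expected activity for "nobody" is nightly cron, 02:00-05:00.
CRON_WINDOW = (time(2, 0), time(5, 0))
# Assumed: more than this many copies of one command from one user is worth a look.
INSTANCE_THRESHOLD = 5

# Constructed sample, simplified to "USER PID HH:MM COMMAND"
# (HH:MM is the process start time, local clock).
SAMPLE_PS = """\
USER     PID  START COMMAND
root       1  00:01 init
nobody  1042  02:15 updatedb
nobody  2201  14:32 ping
nobody  2202  14:32 ping
nobody  2203  14:32 ping
nobody  2204  14:33 ping
nobody  2205  14:33 ping
nobody  2206  14:33 ping
www     1300  09:10 httpd
mike    2500  14:20 bash
"""


def parse_ps(text):
    """Parse the simplified listing into (user, pid, start_time, command) tuples."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # ignore malformed lines rather than crash on them
        user, pid, start, command = parts
        hh, mm = start.split(":")
        rows.append((user, int(pid), time(int(hh), int(mm)), command))
    return rows


def in_window(t, window=CRON_WINDOW):
    """True if clock time t falls inside the [start, end) window."""
    lo, hi = window
    return lo <= t < hi


def nobody_out_of_hours(rows, window=CRON_WINDOW):
    """PIDs of processes owned by nobody that started outside the cron window."""
    return [pid for user, pid, start, _ in rows
            if user == "nobody" and not in_window(start, window)]


def repeated_commands(rows, threshold=INSTANCE_THRESHOLD):
    """(user, command) pairs with more than `threshold` simultaneous instances."""
    counts = Counter((user, cmd) for user, _, _, cmd in rows)
    return sorted((key, n) for key, n in counts.items() if n > threshold)


def report(text=SAMPLE_PS):
    """Run both checks over a listing and return the findings."""
    rows = parse_ps(text)
    return {
        "nobody_out_of_hours": nobody_out_of_hours(rows),
        "repeated_commands": repeated_commands(rows),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

With the constructed sample, the `updatedb` job at 02:15 is inside the window and is not reported, while the six daytime `ping` processes trip both checks. On a real system the listing would come from something like `ps -eo user,pid,lstart,comm`, and the window and threshold would be tuned to what that machine's cron jobs and users actually do, since the point of both checks is deviation from the local baseline rather than any fixed rule.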