[olug] Scripting

Brian Roberson brian at bstc.net
Sat Nov 18 17:34:32 UTC 2000


---- Original Message -----
From: "Mark A. Martin" <mmartin at amath.washington.edu>
To: <olug at bstc.net>
Sent: Saturday, November 18, 2000 8:20 AM
Subject: Re: [olug] Scripting


> I'm not at all trying to dis Brian but there are a few security problems
> in what he outlined that you should be aware of.  He indicated one of
> them in his comments.  I'd like to point them out and suggest ways of
> fixing them.
Easy hoss ;-)


>
> As Brian suggests in his comment, you need to come up with a scheme to
> introduce randomness in your passwords.  As he implies, you should not
> use the date to do this, as he does in his example.  The date is easily
> guessed, which could lead to someone cracking your passwords.  (The
> possibility of cracking is greatly magnified because you are generating
> so many passswords.)  A better approach is to use the checksum of the
> output from rapidly varying system information such as the output of ps,
> which a cracker on the outside would not have access to and which a
> local user would have trouble capturing at the same moment that you're
> using it.  There is an example of this on pp 223-4 of the 2nd edition of
> "Programming Perl" in the discussion of the srand function.  (Sorry, I
> haven't been able to afford the 3rd edition yet.)  The documentation for
> srand in the perlfunc section of the HTML version of the perl manual
> contains the same discussion.  The perl manual is probably on your
> system under /usr/doc.  (The relevant page is located at
> /usr/doc/perl-5.00503/manual/pod/perlfunc/srand.html on my system.)
>

substr(rand(), 0, 4);   # four characters taken from a rand() value
..... much better example



>
> Another security problem with Brian's example is that it doesn't set
> permissions on the new password file and builds the new file in /tmp,
> which is world writable.  Someone with an account on your system who
^^^^^^^^^^^^^^

Wrong, I have never seen a *NIX distribution with a umask set to 000
(unless someone explicitly sets it that way). That said, normally if you are
root, the umask is set to 022, making it group/world readable only.


> wanted to gain access to other accounts could possibly
>
> i) get a copy of all or part of the new password file between the times
>    when the script begins building the file in /tmp and moves it to
>    /etc/passwd
>
> or
>
> ii) replace /tmp/newpasswd with their own version of the passwd file
>     after the new version is written and before it is moved
>

The deal is that if the password file is shadowed, the root password is not
in the passwd file, so there WON'T be a password in the new temporary password
file.

> depending on the file creation mode mask of the parent shell running the
> script.  Either one of these may take a few tries with a script but they
> are fairly easily done.  It only takes retrieving a portion of the
> password file to compromise your system.  To prevent this, you may want
> to set permissions on /tmp/newpasswd so that only the user of the script
> can read or write to the file or create the new password file in a
> directory that other users on the system cannot access.  If /etc/passwd
> is world readable, as it is on most systems, someone could also copy the
> password file before it is shadowed.  So, you may want to make sure that
> /etc/passwd is not world readable.  (Of course, this could cause
> conniptions in other programs on your system that use /etc/passwd, if
> there are any.)

WRONG!!! BAD!!!!
/etc/passwd must ALWAYS be world readable, with or without shadowed
passwords. The file that should not be world readable if you ARE using
shadowed passwords is /etc/shadow.
If /etc/passwd is not world readable, you will BREAK a lot of stuff!!



Just as a side note.... when I wrote the original reply, I was heavily
intoxicated, so don't take everything in it literally. I thought I put a
similar disclaimer in the original post.

;-)


--Brian
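
The two mitigations Mark describes above (build the new file with permissions only the script's user can read, in a directory other users cannot write to rather than /tmp, and take the randomness from something other than the date), as an added Python example that is not part of this thread or of Brian's original script. It uses Python's secrets module (the OS random source) in place of the seeded rand() the thread discusses; dest_dir, new_password, write_passwd_safely and the user:password line layout are assumptions made here, since the original script is not shown.

```python
import os
import secrets
import stat
import string
import tempfile

# Alphabet for generated passwords (constructed for this example).
ALPHABET = string.ascii_letters + string.digits


def new_password(length=10):
    """Draw a password from the OS CSPRNG rather than rand() seeded with the date."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def write_passwd_safely(users, dest_dir):
    """Build the new file under dest_dir with mode 0600 and rename it into place.

    dest_dir stands in for the private directory a real script would use; the
    thread's example built the file in world-writable /tmp instead.
    Returns the final path and the generated passwords.
    """
    tmp_path = os.path.join(dest_dir, ".passwd.tmp")
    final_path = os.path.join(dest_dir, "passwd.new")
    # O_EXCL makes the open fail if the name already exists, so a file planted
    # there beforehand by another local user is never reused or followed, and
    # 0o600 means only the script's user can read it while it is being written.
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    passwords = {}
    with os.fdopen(fd, "w") as fh:
        for user in users:
            passwords[user] = new_password()
            fh.write(f"{user}:{passwords[user]}\n")  # layout is an assumption
        fh.flush()
        os.fsync(fh.fileno())
    # rename() is atomic: a reader sees either no file or the complete new one.
    os.replace(tmp_path, final_path)
    return final_path, passwords


def file_mode(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run the example in a throwaway directory and report what happened."""
    workdir = tempfile.mkdtemp()
    path, passwords = write_passwd_safely(["alice", "bob"], workdir)
    open(os.path.join(workdir, ".passwd.tmp"), "w").close()  # plant a stale file
    try:
        write_passwd_safely(["carol"], workdir)
        refused = False
    except FileExistsError:  # O_EXCL refuses to reuse the planted name
        refused = True
    return {"mode": file_mode(path), "passwords": passwords, "refused": refused}
```

On a shadowed system the hashes end up in /etc/shadow and the passwd file itself is made world-readable again once it is in place, which is the point Brian makes below about /etc/passwd.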

