[olug] Scripting
Brian Roberson
brian at bstc.net
Sat Nov 18 17:34:32 UTC 2000
----- Original Message -----
From: "Mark A. Martin" <mmartin at amath.washington.edu>
To: <olug at bstc.net>
Sent: Saturday, November 18, 2000 8:20 AM
Subject: Re: [olug] Scripting
> I'm not at all trying to dis Brian but there are a few security problems
> in what he outlined that you should be aware of. He indicated one of
> them in his comments. I'd like to point them out and suggest ways of
> fixing them.
Easy hoss ;-)
>
> As Brian suggests in his comment, you need to come up with a scheme to
> introduce randomness in your passwords. As he implies, you should not
> use the date to do this, as he does in his example. The date is easily
> guessed, which could lead to someone cracking your passwords. (The
> possibility of cracking is greatly magnified because you are generating
> so many passwords.) A better approach is to use the checksum of the
> output from rapidly varying system information such as the output of ps,
> which a cracker on the outside would not have access to and which a
> local user would have trouble capturing at the same moment that you're
> using it. There is an example of this on pp 223-4 of the 2nd edition of
> "Programming Perl" in the discussion of the srand function. (Sorry, I
> haven't been able to afford the 3rd edition yet.) The documentation for
> srand in the perlfunc section of the HTML version of the perl manual
> contains the same discussion. The perl manual is probably on your
> system under /usr/doc. (The relevant page is located at
> /usr/doc/perl-5.00503/manual/pod/perlfunc/srand.html on my system.)
>
substr(rand(), 0, 4);
..... much better example
>
> Another security problem with Brian's example is that it doesn't set
> permissions on the new password file and builds the new file in /tmp,
> which is world writable. Someone with an account on your system who
^^^^^^^^^^^^^^
Wrong, I have never seen a *NIX distribution with a umask set to 000 (
unless someone explicitly sets it that way ) that said, normally if you are
root, the umask is set to 022 making it group/world readable only.
> wanted to gain access to other accounts could possibly
>
> i) get a copy of all or part of the new password file between the times
> when
> the script begins building the file in /tmp and moves it to
> /etc/passwd
>
> or
>
> ii) replace /tmp/newpasswd with their own version of the passwd file
> after
> the new version is written and before it is moved
>
The deal is that if the password file is shadowed, the root password is not
in the passwd file so there WON'T be a password in the new temporary password
file.
> depending on the file creation mode mask of the parent shell running the
> script. Either one of these may take a few tries with a script but they
> are fairly easily done. It only takes retrieving a portion of the
> password file to compromise your system. To prevent this, you may want
> to set permissions on /tmp/newpasswd so that only the user of the script
> can read or write to the file or create the new password file in a
> directory that other users on the system cannot access. If /etc/passwd
> is world readable, as it is on most systems, someone could also copy the
> password file before it is shadowed. So, you may want to make sure that
> /etc/passwd is not world readable. (Of course, this could cause
> conniptions in other programs on your system that use /etc/passwd, if
> there are any.)
WRONG!!! BAD!!!!
/etc/passwd must ALWAYS be world readable, with or without shadowed
passwords. The file that should not be world readable if you ARE using
shadowed passwords is /etc/shadow.
If /etc/passwd is not world readable, you will BREAK a lot of stuff!!
Just as a side note.... when I wrote the original reply, I was heavily
intoxicated, so don't take everything in it literally, I thought I put a
similar disclaimer in the original post.
;-)
--Brian
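Added example, not code from either post in the thread: a Perl sketch of the two fixes discussed above, a non-guessable random source for the password characters instead of a date-seeded srand, and a mode-0600 temporary file created with O_EXCL next to the destination rather than in /tmp, then renamed into place. /dev/urandom, File::Temp and the file names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use File::Basename qw(dirname);

# Characters allowed in a generated password.
my @chars = ('a'..'z', 'A'..'Z', '0'..'9');

# Pull bytes from the kernel's random source (assumed: /dev/urandom) instead
# of seeding srand with the date, which anyone can guess.
sub random_bytes {
    my ($n) = @_;
    open(my $fh, '<', '/dev/urandom') or die "open /dev/urandom: $!";
    binmode $fh;
    read($fh, my $buf, $n) == $n or die "short read from /dev/urandom";
    close $fh;
    return $buf;
}

# Build a password of $len characters. Bytes at or above $limit are rejected
# so that "byte mod 62" does not favour the first few characters of @chars.
sub make_password {
    my ($len) = @_;
    my $limit = 256 - (256 % @chars);    # 248: largest multiple of 62 below 256
    my $pw = '';
    while (length($pw) < $len) {
        for my $byte (unpack('C*', random_bytes(16))) {
            next if $byte >= $limit;
            $pw .= $chars[$byte % @chars];
            last if length($pw) >= $len;
        }
    }
    return $pw;
}

# Write the new file in the destination's own directory (not /tmp) with mode
# 0600 and O_CREAT|O_EXCL, then rename() it atomically over $dest: nobody can
# read the half-built file or swap in their own copy before the move.
sub write_passwd_safely {
    my ($dest, @lines) = @_;
    umask 077;                            # no group/other bits even if a lib is sloppy
    my ($fh, $tmp) = tempfile('passwd.XXXXXX', DIR => dirname($dest));
    print $fh "$_\n" for @lines;
    close $fh or die "close $tmp: $!";
    rename($tmp, $dest) or die "rename $tmp -> $dest: $!";
}

# Demo: print one password; real use would pass e.g. '/etc/shadow' and the
# rebuilt entries to write_passwd_safely().
print make_password(8), "\n";
```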