
Re: [cobalt-security] SFTP on Raq4 as Root?



Hi All,

> > To be honest, if "Mr BadGuy" has root privilege on your box, that's the
> > least of your worries!
>
> Actually it's going to be your first thing to worry about.... Remember...

Not pretending to be an expert in such matters, but I'd have said that the
majority of people who crack machines wouldn't do something as drastic as
removing 'su', as most of them would prefer to hide from the admins rather
than making their presence known.  'su' can be replaced, after all.

> > Why do you think Raqs have this two-level admin user setup?
>
> the Raqs are based on redhat..  And that's why they are the way they are.

I think that Stephen was also alluding to the fact that it's not possible
for joe.user to su to root (unless you change the default setup), due to
the way wheel is set up.  This means that you do in effect have a two
tiered security model, as you must obtain a password within the wheel
group before you can even think about 'su'ing.

> It's a risk to drive your car...  It's a risk to walk down the street...

Yeah, but that's why I wear my seatbelt and look both ways before I cross
the street.  Minimising risks is a good thing.

> > It's a more secure and more accountable solution to
> > only allow remote login on unprivileged accounts, then su to root from there
> > as it narrows the path of attack to the system, requiring more than one
> > password breach, and you also have a bit more clue as to who just logged
> > in as root.
>
> Apparently you have a problem determining who and when your logins happen.  I
> get a message for every attempt... every login, and that's followed by a
> "disconnected" message....

That's not quite true.  Like any sensible admin I ensure that everything I
think is of importance gets logged and that I read the log 'highlights'
daily.  Even so, I don't consider logs to be protection.  While they
may inform me that there's a brute force attack in progress, in
practice I've never seen one of these, and I don't think anyone would
consider running one these days as it would take far too long to try a
decent number of passwords.  It's far easier to use an exploit, or at the
most, obtain a copy of a password file and run a cracker over it.  That
brings up another point.  Many systems have 'untrusted' user accounts on
them - that is, users who do not work for the company that owns the
computer.  In this situation, if one of these users were to take a copy of
the password file, run a cracker on the root password and successfully
obtain it, they would be able to SSH in as root if this were not disabled.
By using wheel and disallowing root logins, this password is of more
limited use, unless they can get their hands on a wheel user password too,
which there's not much you can do about.

> > In answer to the "deleting su" point, if someone can delete your copy of su,
> > they can most likely also change your root password, locking you out of
> > your own box anyway. Whether you permit remote root login or not is
> > beside the point at this stage. Both of these problems can be fixed by
> > local access to the machine. If you don't have this, then you have a
> > problem, whatever happens.
>
> wrong... there is more than one way to access your box without being
> there...  in fact...  I have root access with my "cell phone"....  It's all
> in what you want to do with your server....  and how you admin it....

I really can't see what was wrong about Stephen's statement.
Unfortunately, there are some things which you require physical access to a
computer for.  One that I see a fair bit is people forgetting to re-run
lilo after installing a new kernel.  When the box hangs in the boot
process, you've little choice but to go and fix it manually.  I'm
confident that given the root password I could lock an admin out of their
own box to the extent that they would need physical access.  I mean, I
presume that your 'root via phone' is using some kind of shell server
running over WAP.  It becomes a little less useful if an intruder were to
stop the WAP server.

Anyway, I can see that we're just going to have to agree to differ, as my
personal view is that root logins bring no tangible advantages, and while
I'd hardly go to the extent of saying that they're a gaping security hole,
I feel better off without them.

Regards,

John.
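As an added, self-contained check (not code from this thread, from Cobalt or from the RaQ software), the script below audits the two controls John's argument rests on: remote root login disabled in sshd_config, and su gated on the wheel group through PAM's pam_wheel module. It assumes a Linux host with PAM, as the RedHat-based RaQ is, and runs against constructed sample files so the checks can be exercised without touching a live system; the real paths /etc/ssh/sshd_config and /etc/pam.d/su are assumed from RedHat-style layouts.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits the two controls the
# thread discusses: sshd's PermitRootLogin and a pam_wheel restriction on su.
# File paths are parameters so the same functions can be pointed at the real
# /etc/ssh/sshd_config and /etc/pam.d/su (paths assumed from RedHat-style layouts).

# Returns 0 when the effective PermitRootLogin value is "no".
# sshd honours the first matching directive, so only the first uncommented one
# counts; an absent directive is treated as permitted (the old OpenSSH default).
permit_root_login_disabled() {
    cfg="$1"
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$cfg")
    [ "${val:-yes}" = "no" ]
}

# Returns 0 when the su PAM stack has an active "auth required pam_wheel.so" line,
# i.e. only members of the wheel group may su to root (the two-tier model above).
# Accepts both the bare module name and the older /lib/security/ prefixed form.
su_restricted_to_wheel() {
    pamfile="$1"
    grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+(/lib/security/)?pam_wheel\.so' \
        "$pamfile" >/dev/null 2>&1
}

# Human-readable report for one sshd_config / pam su file pair.
# Returns 0 only when both controls are in place.
audit_root_access() {
    status=0
    if permit_root_login_disabled "$1"; then echo "sshd: PermitRootLogin no (ok)"
    else echo "sshd: remote root login permitted"; status=1; fi
    if su_restricted_to_wheel "$2"; then echo "su: restricted to wheel via pam_wheel (ok)"
    else echo "su: any account holding the root password can su"; status=1; fi
    return $status
}

# Constructed sample files: one hardened pair, one weak pair.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf 'Port 22\n#PermitRootLogin yes\nPermitRootLogin no\n' > "$tmpdir/sshd_good"
printf 'Port 22\n#PermitRootLogin no\n' > "$tmpdir/sshd_weak"
printf 'auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$tmpdir/su_good"
printf '#auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$tmpdir/su_weak"

echo "== hardened =="; audit_root_access "$tmpdir/sshd_good" "$tmpdir/su_good"
echo "== weak =="; audit_root_access "$tmpdir/sshd_weak" "$tmpdir/su_weak" || true
```

Point the two functions at the live files to audit a real box; the report deliberately treats a missing PermitRootLogin directive as "permitted" rather than trusting the daemon's default.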