
Re: [cobalt-security] SFTP on Raq4 as Root?



> Not pretending to be an expert in such matters, but I'd have said that the
> majority of people who crack machines wouldn't do something as drastic as
> removing 'su', as most of them would prefer to hide from the admins rather
> than making their presence known.  'su' can be replaced, after all.

yep I forgot to make that point....  "They" want time to run things and it's
not until "they" don't care anymore that they do damage....

> I think that Stephen was also alluding to the fact that it's not possible
> for joe.user to su to root (unless you change the default setup), due to
> the way wheel is set up.  This means that you do in effect have a two
> tiered security model, as you must obtain a password within the wheel
> group before you can even think about 'su'ing.

right but the cobalt default is for admin/root to use the same passwd....
and if someone gets/cracks/whatever the admin pw then that account provides
no added security

<snip>
> > Apparently you have a problem determining who and when your logins happen.  I
> > get a message for every attempt... every login, and that's followed by a
> > "disconnected" message....
>
> That's not quite true.

no really I do :)

> Like any sensible admin I ensure that everything I
> think is of importance gets logged and that I read the log 'highlights'
> daily.  Even so, I don't consider logs to be protection.  While they
> may inform me that there's a brute force attack in progress, in
> practice I've never seen one of these, and I don't think anyone would
> consider running one these days as it would take far too long to try a
> decent number of passwords.  It's far easier to use an exploit, or at the
> most, obtain a copy of a password file and run a cracker over it.  That
> brings up another point.  Many systems have 'untrusted' user accounts on
> them - that is, users who do not work for the company that owns the
> computer.  In this situation, if one of these users were to take a copy of
> the password file, run a cracker on the root password and successfully
> obtain it, they would be able to SSH in as root if this were not disabled.

they would own every account on the box if they wanted...  root access would
only mean that they wouldn't have to su....  They would get all the passwd's
not just root's

> > > In answer to the "deleting su" point, if someone can delete your copy of su,
> > > they can most likely also change your root password, locking you out of
> > > your own box anyway. Whether you permit remote root login or not is
> > > beside the point at this stage. Both of these problems can be fixed by
> > > local access to the machine. If you don't have this, then you have a
> > > problem, whatever happens.
> >
> > wrong... there is more than one way to access your box without being
> > there...  in fact...  I have root access with my "cell phone"....  It's all
> > in what you want to do with your server....  and how you admin it....
>
> I really can't see what was wrong about Stephen's statement.
> Unfortunately, there are some things which you require physical access to a
> computer for.  One that I see a fair bit is people forgetting to re-run
> lilo after installing a new kernel.  When the box hangs in the boot

ahh  these are cobalt servers.... they don't have lilo.... :)

> process, you've little choice but to go and fix it manually.  I'm
> confident that given the root password I could lock an admin out of their
> own box to the extent that they would need physical access.  I mean, I
> presume that your 'root via phone' is using some kind of shell server
> running over WAP.  It becomes a little less useful if an intruder were to
> stop the WAP server.

nope no wap server....  just a hole I took advantage of... and no I don't
think I will release the system I use.  The thought of people sitting around
scanning servers like a video game gives me the chills....  But it will
allow me to list/kill processes, nslookups, scanning, restart processes.....
I have about 70 functions planned and some more scripts to write...  the
only problem I have is with pipes.... (rpm -qa | grep kern)  oh and if it
stops it will restart, all by itself.... :)
I might change that however....

> Anyway, I can see that we're just going to have to agree to differ, as my
> personal view is that root logins bring no tangible advantages, and while
> I'd hardly go to the extent of saying that they're a gaping security hole,
> I feel better off without them.

yeppers...  well it is something that everybody can decide on their own....
that's why it's an option....

Zeffie
http://www.zeffie.com/
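The two checks the thread keeps circling back to, whether sshd still lets root in directly and whether the login log actually shows an attack in progress, can be scripted. The following is an added example written for this page, not code from the list or from Cobalt; it assumes OpenSSH's sshd_config directive syntax and its syslog-style "Failed password"/"Accepted password" lines, and both the config fragment and the log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sshd_config fragment (sample data, not from any real RaQ).
SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed auth log lines in OpenSSH's syslog format (sample data).
AUTH_LOG = """\
Mar  3 10:01:12 raq sshd[4123]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 raq sshd[4124]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:19 raq sshd[4125]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:02:40 raq sshd[4130]: Accepted password for admin from 198.51.100.5 port 40010 ssh2
Mar  3 10:03:02 raq sshd[4131]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def audit_sshd_config(text):
    """Return findings for directives that undo the 'no remote root' model.

    Only PermitRootLogin is checked here; comments and blank lines are
    ignored, and the last occurrence of a directive wins, as in sshd.
    """
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        directives[key.lower()] = value.strip().lower()

    findings = []
    # Older sshd builds defaulted PermitRootLogin to 'yes' when it was absent,
    # so treat a missing directive the same way (assumption stated in lead-in).
    root = directives.get("permitrootlogin", "yes")
    if root == "yes":
        findings.append(
            "PermitRootLogin is effectively 'yes'; set 'PermitRootLogin no' so a "
            "cracked root password alone does not open a remote shell")
    return findings


def summarize_auth_log(text, threshold=3):
    """Count failed logins per source address and flag repeat offenders.

    Returns failures per source, the sources at or above `threshold`
    failures, and any source that logged in directly as root.
    """
    failures = Counter()
    root_logins_from = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) == "root":
            root_logins_from.append(m.group(2))
    suspects = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {
        "failures": dict(failures),
        "suspect_sources": suspects,
        "root_logins_from": root_logins_from,
    }


if __name__ == "__main__":
    for finding in audit_sshd_config(SSHD_CONFIG):
        print("config:", finding)
    summary = summarize_auth_log(AUTH_LOG)
    print("failures per source:", summary["failures"])
    print("suspect sources:", summary["suspect_sources"])
    print("direct root logins from:", summary["root_logins_from"])
```

The log summary is the "message for every attempt" from the thread turned into a count per source, which is what makes a password-guessing run visible at a glance rather than buried in a day's worth of individual lines; the config audit is the other half of the same argument, since with root login refused a cracked root hash still has to pass through a wheel account and su.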