Re: FW: [cobalt-security] Local Root exploit
- Subject: Re: FW: [cobalt-security] Local Root exploit
- From: Eugene Crosser <crosser@xxxxxxxxxxx>
- Date: 23 Sep 2002 16:32:34 +0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Mon, 2002-09-23 at 16:03, Michael Stauber wrote:
> > Under "regular" apache you will be unable to use
> > PAM authentication because /etc/shadow will become unreadable. E.g. you
> > won't be able to access /stats/ directories of individual virtual
> > servers.
>
> Depends on. Remember that OS restored RaQs usually have improper permissions
> on /etc/shadow and /etc/passwd. So unless the admin there fixed the shadow
> permissions manually the authentication will still work, despite
> /usr/lib/authenticate no longer being SUID.
If an admin has /etc/shadow world-readable, then he is in trouble almost
as bad as with an exploitable /usr/lib/authenticate ;-)
> Example from an OS restored box with improper permissions:
>
> ls -la /etc/passwd /etc/shadow
> -rw-r--r-- 1 root root 9839 Sep 18 23:55 /etc/passwd
> -rw-rw-r-- 1 root root 6487 Sep 18 23:55 /etc/shadow
>
> Proper permissions:
>
> ls -la /etc/passwd /etc/shadow
> -rw------- 1 root root 9839 Sep 18 23:55 /etc/passwd
> -rw------- 1 root root 6487 Sep 18 23:55 /etc/shadow
Not exactly right. /etc/passwd *should* be world-readable. The point
of separating /etc/passwd and /etc/shadow back in ca. 1990 was to
protect password hashes while still letting non-privileged processes
use the getpw*() family of functions. Those have lots of legitimate uses.
Eugene
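An added example, not part of the thread: a POSIX sh check that applies the rule Eugene states (passwd world-readable, shadow readable by root only) to `ls -l` lines, using the two listings quoted above as constructed sample input. It assumes the thread's root:root ownership; a root:shadow group setup is flagged rather than accepted.

```shell
#!/bin/sh
# Added example, not from the thread: check /etc/passwd and /etc/shadow modes as
# the discussion describes. passwd stays world-readable (unprivileged getpw*()
# callers need it); shadow is readable by root alone. Modes are the 10-char
# permission field of `ls -l`.

# passwd: owner and world readable, no group/world write (e.g. -rw-r--r--).
passwd_mode_ok() {
    case "$1" in -r??r-?r-?) return 0 ;; *) return 1 ;; esac
}

# shadow: no group or world bits at all (e.g. -rw-------). A root:shadow group
# with -rw-r----- is outside the thread's root:root setup and is flagged too.
shadow_mode_ok() {
    case "$1" in -r??------) return 0 ;; *) return 1 ;; esac
}

# audit_line "<one ls -l line>": prints a verdict, returns 0 (OK) or 1 (BAD).
audit_line() {
    set -- $1                          # split fields: $1=mode $3=owner $9=path
    mode=${1%[.+]}; owner=$3; path=$9  # strip the ACL/SELinux suffix some ls add
    [ "$owner" = root ] || { echo "BAD  $path owned by $owner, not root"; return 1; }
    case "$path" in
        */shadow) shadow_mode_ok "$mode" ;;
        */passwd) passwd_mode_ok "$mode" ;;
        *)        echo "SKIP $path"; return 0 ;;
    esac && { echo "OK   $path $mode"; return 0; }
    echo "BAD  $path $mode"; return 1
}

# audit_host: apply the same check to the live system's files.
audit_host() {
    rc=0
    for f in /etc/passwd /etc/shadow; do
        [ -e "$f" ] && { audit_line "$(ls -la "$f")" || rc=1; }
    done
    return $rc
}

# Constructed sample input: the two listings quoted in the thread.
RESTORED_PASSWD='-rw-r--r-- 1 root root 9839 Sep 18 23:55 /etc/passwd'
RESTORED_SHADOW='-rw-rw-r-- 1 root root 6487 Sep 18 23:55 /etc/shadow'  # hashes exposed
LOCKED_PASSWD='-rw------- 1 root root 9839 Sep 18 23:55 /etc/passwd'    # breaks getpw*()
LOCKED_SHADOW='-rw------- 1 root root 6487 Sep 18 23:55 /etc/shadow'

for l in "$RESTORED_PASSWD" "$RESTORED_SHADOW" "$LOCKED_PASSWD" "$LOCKED_SHADOW"; do
    audit_line "$l" || :
done
```

Run `audit_host` (as root, so /etc/shadow can be listed) to apply the same verdicts to a live box.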