Re: New user for logcheck
>>>>> "Michael" == Michael Stone <mstone@debian.org> writes:
Michael> Could you be more specific about the security hole
Michael> possibilities of signalling? I'm not seeing anything
Michael> critical in that. I maintain that it's well worth
Michael> examining any new userids very carefully, since we don't
Michael> currently have a decent method for managing them. If that
Michael> changes there won't be any problem with handing them out
Michael> loosely, but until then they're a headache.
I will assume you read my entire message
<84pux4g36p.fsf@snoopy.apana.org.au>, including the comment I quoted
from Wichert Akkerman <wichert@cistron.nl>, in
<19991114141645.A18489@mors.net>. If not, it would be easy to get a
copy...
I have mailed a copy of this message to Wichert, as he seemed
to have a better idea than me of the problems that could occur.
Let's assume that ircd and X run as user ID nobody. Also, let's
assume that none of these programs have any writable or secret files.
Also assume that program X is insecure, and I have broken into it,
and got shell access as user nobody.
What can I do?

    ps -auwx | grep ircd    # get PID of ircd, assume it is 50
    kill 50                 # denial of service attack
    kill -9 50              # worse than above(?)
    strace -p 50            # view everything IRC does including
                            # any passwords that it may get.

These are the main ones I am aware of - I am sure that there are
others. E.g., I think you could change the "nice" value of ircd, view
information under /proc/50 (that's normally private), etc.
These attacks are reasonably tame, because no one expected IRC to be
too secure anyway. However, consider a program like Samba - it has the
configuration option (by default) "guest account = nobody". This
could be a bigger problem (not that I have investigated it, as I can't
remember how to log in as "guest").
PS: Somewhere along the line the Reference: header is being mangled
on my incoming mail, it should be:
References: <3836C7B8.79F77BE0@vianova.at> <19991124063543.F19105@justice.loyola.edu>
but instead is:
References: <3836C7B8.79F77BE0@vianova.at>
which completely messes up threading. I think this is a problem with
my mail2news gateway - could somebody please confirm that it looks OK?
Thanks.
--
Brian May <bam@debian.org>
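
Added example, not part of the original message: a small Linux audit that applies the kill(2) permission rule to /proc/<pid>/status data and lists which unrelated programs could signal each other because they share a UID. The process names, PIDs other than 50, and UID values in SAMPLE are constructed ("progx" stands in for the message's program X); capabilities and LSM policy are not modelled.

```python
import os
from collections import namedtuple

Proc = namedtuple("Proc", "pid name ruid euid suid")

def parse_status(text):
    """Parse the text of one /proc/<pid>/status file into a Proc."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    ruid, euid, suid, _fsuid = (int(x) for x in fields["Uid"].split())
    return Proc(int(fields["Pid"]), fields["Name"].strip(), ruid, euid, suid)

def can_signal(sender, target):
    """kill(2) rule: an unprivileged sender's real or effective UID must equal
    the target's real or saved set-user-ID. Root (euid 0) may signal anything."""
    if sender.euid == 0:
        return True
    return bool({sender.ruid, sender.euid} & {target.ruid, target.suid})

def exposed_pairs(procs):
    """Sorted (sender, target) names where a different non-root program can signal target."""
    pairs = set()
    for s in procs:
        for t in procs:
            if s.name != t.name and s.euid != 0 and can_signal(s, t):
                pairs.add((s.name, t.name))
    return sorted(pairs)

def live_procs():
    """Yield a Proc for every readable /proc/<pid>/status on a Linux host."""
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/status") as fh:
                    yield parse_status(fh.read())
            except (OSError, KeyError, ValueError):
                continue  # process exited or status was unreadable

# Constructed sample: two daemons sharing UID 65534, one with a dedicated UID.
SAMPLE = [
    "Name:\tircd\nPid:\t50\nUid:\t65534\t65534\t65534\t65534\n",
    "Name:\tprogx\nPid:\t71\nUid:\t65534\t65534\t65534\t65534\n",
    "Name:\tlogcheck\nPid:\t90\nUid:\t109\t109\t109\t109\n",
]

if __name__ == "__main__":
    live = os.path.isdir("/proc/self")
    procs = list(live_procs()) if live else [parse_status(s) for s in SAMPLE]
    for sender, target in exposed_pairs(procs):
        print(f"{sender} can signal {target}")
```

In the constructed sample only the two daemons sharing a UID appear in the output; the one with a dedicated UID is neither a sender nor a target.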