
Re: New user for logcheck



>>>>> "Michael" == Michael Stone <mstone@debian.org> writes:

    Michael> Could you be more specific about the security hole
    Michael> possibilities of signalling? I'm not seeing anything
    Michael> critical in that. I maintain that it's well worth
    Michael> examining any new userids very carefully, since we don't
    Michael> currently have a decent method for managing them. If that
    Michael> changes there won't be any problem with handing them out
    Michael> loosely, but until then they're a headache.

I will assume you read my entire message
<84pux4g36p.fsf@snoopy.apana.org.au>, including the comment I quoted
from Wichert Akkerman <wichert@cistron.nl>, in
<19991114141645.A18489@mors.net>. If not, it would be easy to get a
copy...

I have mailed a copy of this message to Wichert, as he seemed
to have a better idea than me of the problems that could occur.

Let's assume that ircd and X run as user ID nobody. Also, let's
assume that none of these programs have any writable or secret files.
Also assume that program X is insecure, and I have broken into it,
and got shell access as user nobody.

What can I do?

ps -auwx | grep ircd          # get PID of ircd, assume it is 50

kill 50                       # denial of service attack

kill -9 50                    # worse than above(?)

strace -p 50                  # view everything IRC does including
                              # any passwords that it may get.

These are the main ones I am aware of - I am sure that there are
others. e.g., I think you could change the "nice" value of ircd, view
information under /proc/50 (that's normally private), etc.

These attacks are reasonably tame, because no one expected IRC to be
too secure anyway. However, consider a program like Samba - it has the
configuration option (by default) "guest account = nobody".  This
could be a bigger problem (not that I have investigated it, as I can't
remember how to log in as "guest").


PS: Somewhere along the line the Reference: header is being mangled
on my incoming mail, it should be:

References: <3836C7B8.79F77BE0@vianova.at> <19991124063543.F19105@justice.loyola.edu>

but instead is:

References: <3836C7B8.79F77BE0@vianova.at>

which completely messes up threading. I think this is a problem with
my mail2news gateway - could somebody please confirm that it looks OK?
Thanks.
-- 
Brian May <bam@debian.org>
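
Added example, not part of the original message: an audit for the condition the message describes, where unrelated programs share one account and so can signal and trace each other. The sample `ps` output is constructed, the names `SAMPLE_PS`, `parse_ps`, `shared_accounts` and `report` are hypothetical, and skipping root is an assumption.

```python
import sys
from collections import defaultdict

# Constructed sample of `ps -eo user,pid,comm` output (not from the message).
SAMPLE_PS = """\
USER       PID COMMAND
root         1 init
nobody      50 ircd
nobody      73 X
nobody      74 X
logcheck    91 logcheck
daemon     120 atd
"""

def parse_ps(text):
    """Yield (user, pid, command) for each process row, skipping the header."""
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # blank or malformed row
        yield parts[0], int(parts[1]), parts[2].strip()

def shared_accounts(text, ignore=("root",)):
    """Return {account: {program: [pids]}} for accounts running more than
    one distinct program. Assumption: root is skipped, since it can signal
    every process regardless of how accounts are assigned."""
    by_user = defaultdict(lambda: defaultdict(list))
    for user, pid, comm in parse_ps(text):
        if user not in ignore:
            by_user[user][comm].append(pid)
    return {u: dict(p) for u, p in by_user.items() if len(p) > 1}

def report(text):
    """One line per shared account, listing the programs that share it."""
    out = []
    for user, progs in sorted(shared_accounts(text).items()):
        names = ", ".join(
            f"{comm} (pid {','.join(map(str, pids))})"
            for comm, pids in sorted(progs.items())
        )
        out.append(f"{user}: shared by {names}")
    return out

if __name__ == "__main__":
    # Pipe real `ps -eo user,pid,comm` output in, or run bare for the sample.
    text = SAMPLE_PS if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(text)) or "no shared accounts found")
```

Each account it reports is a candidate for splitting into one dedicated user per service, which is what the logcheck request in this thread asks for.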

