[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: publish a user & passwd: $1000 hack reward!

On Fri, Feb 23, 2001 at 09:57:30AM -0500, Steve Rudd wrote:
> Hi! Steve Rudd with more "disconsolate mumbling" (great term <g>)
> So if I did publish a user name and password (not that I would) that had 
> pop 3 and ftp access with no shell access and was restricted to public html 
> directories, is that a risk to the rest of the system? A standard public 
> box has hundreds of public users and passwords, so there is really very 
> little difference between the $1000 contest of publishing the user name and 
> passwd and not.
> Is this not secure?
> Steve

 If someone finds a bug in your pop3 or ftp server daemon, and the bug is in
code that only runs after a user has logged in, then the only people at risk
will be those with anonymous FTP services, or silly people who publish
usernames and passwords :->

 You always want to have multiple layers of security.  One of these layers
is usually a bit of obscurity.  The people who say "security by obscurity is
bad" mean that it is bad when it is the _only_ security measure.  Keeping
things secret makes you a harder target, so crackers will be more likely to
give up before finding anything they can crack.

 In theory, as long as you have everything set up to not trust the contents
of a user's public_html at all, you should be ok.  If you allow execution of
CGI programs from public_html, then users will be able to execute code
(probably under their UID).  Then you have to secure your machine against
local exploits.  Obviously, you should do this anyway, but if crackers can
run arbitrary code (as a non-priviledged user), then you will have to act
really fast to stop yourself from getting cracked whenever a new local
exploit is discovered.

 Note that if you allow execution of arbitrary CGI programs, the CGI program
could do anything, including start a shell listening on a TCP port, or even
sshd, for someone to connect to.  Allowing arbitrary CGI is equivalent to
giving public shell access.

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

Reply to: