
Re: A question about Knark and modules



On Wed, Jun 20, 2001 at 12:02:47AM -0600, Hubert Chan wrote:
> >>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:
> 
> Ethan> echo 'eb::0:0:Ethan Benson:/home/eb:/bin/bash' > /etc/passwd.d/eb
> 
> Ethan> login wheeeee r00t!
> 
> Hmm.  Forgot about that.  I guess that would be a bit of a security
> hole. :-(
> 
> Ethan> it would be a nightmare to administer.
> 
> I don't think so.  Does the administrator need to really do much with
> the password database, once a user gets set up?  If you want to audit
> the database, you can always just do "cat /etc/passwd.d/* | less".
> And the administrative programs (usermod, chsh, etc.) shouldn't be too
> hard to modify.  Is there anything else that you would want to do?

*.d kludges have gotten WAY out of control.  they are useful in very
small and limited circumstances, but all the crap redhat and friends
have kludged together with them is ridiculous.

there are hundreds of ways to administer the /etc/passwd file as it
is now, all of them would break (or become more complicated) with this
silly passwd.d nonsense.

> Well, obviously my proposed scheme wouldn't work (because of the
> previously mentioned exploit), but the motivation behind the scheme was
> to reduce the number of SUID programs (because if you don't need it to
> be SUID, you're safer without it being SUID).  Is there any (sane) way
> of making it so that programs such as passwd, chsh, etc. don't need to
> be SUID?

no, they have to be privileged to write the passwd files, and the
passwd files must only be writable by root otherwise you can trivially
get root.  

chown passwd /etc/passwd and making all these binaries setuid passwd
instead of root would also do you no good since once you can write
/etc/passwd you can change root's passwd, or add a new uid=0 account.

the proper solution is thoroughly auditing the setuid code, and doing
your best to keep it as small and simple as possible.   the current
shadow utils have accomplished this pretty well.  there haven't been
any exploits in passwd and such in a long time. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
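
An added example, not part of the original message: a small audit of passwd-format lines for the two conditions the thread turns on, an empty password field and a non-root account with uid 0 (duplicate uids and malformed lines are also flagged, which goes beyond the thread). The sample lines are constructed, apart from the `eb` entry quoted in the message; `audit_passwd` is a name chosen for this example.

```python
from collections import defaultdict

# Constructed sample data, not from a real system. The "eb" line is the
# entry quoted in the thread; everything else is made up for the example.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
eb::0:0:Ethan Benson:/home/eb:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
broken:line
"""

def audit_passwd(text):
    """Return a list of (line number, account name, finding) tuples."""
    findings = []
    by_uid = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:          # name:passwd:uid:gid:gecos:home:shell
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw, uid_text = fields[0], fields[1], fields[2]
        try:
            uid = int(uid_text)
        except ValueError:
            findings.append((lineno, name, "non-numeric uid"))
            continue
        if pw == "":                  # empty field: no password is required
            findings.append((lineno, name, "empty password field"))
        if uid == 0 and name != "root":
            findings.append((lineno, name, "uid 0 but not root"))
        by_uid[uid].append((lineno, name))
    # Report every entry after the first that reuses a non-zero uid.
    for uid, entries in by_uid.items():
        if uid != 0:
            for lineno, name in entries[1:]:
                findings.append((lineno, name, f"duplicate uid {uid}"))
    return findings

if __name__ == "__main__":
    for lineno, name, finding in audit_passwd(SAMPLE):
        print(f"line {lineno}: {name}: {finding}")
```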
