Re: su - user question

thus spoke Adam Warner <lists@consulting.net.nz> [2002.01.20.0245 +0100]:
> If the use of switch user has remote security implications I want to
> be able to understand them. The same as I want to be able to
> understand if leaving a root console open has remote security
> implications. Don't worry about local physical access. I want everyone
> to assume this is impossible. You have to assume this is impossible to
> not get sidetracked.

the point is that you can't assume that. i hold network security
seminars on a regular basis, and i research the facts every single time
as well as possible, just to deliver the most accurate info to my
students. excuse me if i can't provide you with a source (it was CERT),
but my notes from the seminar that i was to hold today (it was canceled)
state that 76% of all attacks are internal, and that around 40% of those
are physical attacks, the remaining 60% are network attacks.

okay, we are getting sidetracked, but local physical access is never
impossible. and it's all too often a factor that is ignored.

nevertheless, leaving a root console open on a production machine really
just calls for trouble. imagine you are about to head for lunch with a
friend, but you decide to check something in the server room quickly.
while you stare at your Annex ports or your Cisco switch, your friend
idles around and notices the root console. had there not been a root
console, he would have never thought of doing what he now does, but
since the prompt "#" is so inviting, he takes all of 20 seconds to
install a backdoor in the system, binding a shell to a high port,
installing his RSA identity.pub in /root/.ssh, scp'ing/email'ing
/etc/shadow to himself etc.

> > no. he'd have to steal your actual tty session, and if all you are
> > doing is surfing the web, then he can't really do that. however,
> > which browser are you using? are you running X? why not use
> > tty2-tty6 for a separate user login?
> 
> Please don't worry about what else I could do. That's all sensible
> (unnecessary) advice. I want to understand this from a theoretical
> viewpoint. It gives me a "very weird feeling in my intestines" as well
> using su - to switch to a user account and I want to understand why.

if you use the console only, and lynx or w3m to browse the web, you
might be fine. if you start X as root, and run the browser as root, or
if you somehow start X in general, security issues pop up everywhere.
there's a reason why a server's a server and a workstation's a
workstation.

no, i can't give you a precise recipe or a definite this-is-how-it-is
answer, simply because this is what security is all about: there is no
right or wrong, there are simply gut feelings, and the good security
administrators have sensible guts. it's really what makes security
interesting and what keeps you young :)

> Can anyone provide a plausible scenario for how someone might be able
> to gain root level access because su - has been used to switch to a
> user account. Martin has already answered that your tty session would
> have to be stolen. How can you steal a tty session using only remote
> means?

you'd have to be more specific as to what you are doing locally. X or
not X? well, i guess that you're expecting a potential attacker not to
know this.

the only thing i can think of are escape sequences through /dev/tty,
which cause the local shell to be trashed and possibly made to execute
commands. whether you can harvest a privilege escalation from that,
well, i am sure you can. i don't have a recipe off-hand.

i just read ahead in the thread to see that someone else posted this
already. whoops.

i think that you have a conceptual problem with what a server and a
workstation are, and their differences, and what a superuser account is
to be used for. in all but the rarest cases do production servers even
have local accounts, and if they do, then usually without shell access. yes, i
know that there are companies and institutions that provide shell
access, but they usually have dedicated servers for that.

i don't have the time to research and present an escalation exploit at
this moment, but i do want you to accept one point, which in itself will
already flaw your approach of handling login and usage of the
workstation. YOU DON'T LOG IN AS ROOT. period. it's a security matter and
it's an accounting thing. there's a reason why the group "wheel" exists
on traditional UNIX systems (*why* does Linux *not* have it?); no one
without a local account should be allowed root, and it's good to know
who became root when; to become root, you have to know two passwords
*and* an account name.

you have it backwards. usually, you log in as a user and su to root.
logging in as root and su'ing to a user is the wrong way around. i even
think it's wrong to allow password-less su and suggest to disable it.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
"when I was a boy I was told
 that anybody could become president.
 now i'm beginning to believe it."
                                                    -- clarence darrow
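Added example, not part of the original message or the thread: a small sh audit of the two controls the post argues for, su to root restricted to an administrative group (here through pam_wheel.so) and no direct root logins (sshd's PermitRootLogin). The sample configuration files are constructed inline; the group name adm and the file paths are assumptions.

```shell
#!/bin/sh
# Added example: audit the two controls the post argues for. The sample
# files written below are constructed; pam_wheel.so and PermitRootLogin are
# real, the group name and paths are assumptions.

# Print "restricted" if an active auth line requires pam_wheel.so, else "open".
su_wheel_status() {
    if grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"; then
        echo restricted
    else
        echo open
    fi
}

# Print the effective PermitRootLogin value (sshd honours the first occurrence);
# "unset" when the directive is absent.
permit_root_login() {
    v=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1")
    echo "${v:-unset}"
}

# Warn on stderr for each control that is not in place; print the count.
audit_login_policy() {
    n=0
    [ "$(su_wheel_status "$1")" = restricted ] ||
        { echo "WARN: su to root is not restricted to an admin group ($1)" >&2; n=$((n+1)); }
    prl=$(permit_root_login "$2")
    [ "$prl" = no ] ||
        { echo "WARN: PermitRootLogin is '$prl', want 'no' ($2)" >&2; n=$((n+1)); }
    echo "$n"
}

# Constructed samples: a su stanza with pam_wheel only commented out, a
# hardened one, and an sshd_config whose first PermitRootLogin wins.
write_samples() {
    printf '#auth required pam_wheel.so\nauth sufficient pam_rootok.so\n@include common-auth\n' > "$1/su.open"
    printf 'auth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid group=adm\n@include common-auth\n' > "$1/su.hardened"
    printf 'Port 22\nPermitRootLogin no\nPermitRootLogin yes\n' > "$1/sshd_config"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "open stanza:     $(audit_login_policy "$tmp/su.open" "$tmp/sshd_config") finding(s)"
echo "hardened stanza: $(audit_login_policy "$tmp/su.hardened" "$tmp/sshd_config") finding(s)"
rm -rf "$tmp"
```

Point the two functions at the real /etc/pam.d/su and /etc/ssh/sshd_config to run the same check on a live host.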
