
Re: Why do system users have non-empty $HOME? (was Re: Why do system users have valid shells)



On Sat, 25 Oct 2003 02:46, Joe Moore wrote:
> > To create a file in /bin you need root access.  Therefore to create
> > /bin/.rhosts you need more access than such a file will grant.  There
> > is no  point in such an attack.  Why would someone create /bin/.rhosts
> > when they can  create /root/.rhosts?
>
> There are many programs that use files in the target user's home directory
> for authentication.  rsh and ssh are two common examples.  Many of these
> programs would not be hindered by an invalid shell.  That's why I
> originally said that the home directory is more important than what is in
> the seventh field of /etc/passwd.  I should not have made my comment
> specific to UID2.

Which goes back to my previous question, what do you think it should have as 
the home directory then?

> As to why someone would create /bin/.rhosts rather than /root/.rhosts,
> perhaps a sysadmin has mistakenly allowed "sudo cp * /bin" for a user who
> normally installs software?

In which case they could install a trojan /bin/bash and get access to every 
account.

> Ok, that's a rather artificial example, but
> how about a buggy game that can drop a .rhosts file in /usr/games?

Again, a much more useful attack would be to replace a game with a trojan and 
to exploit every account that is used to run a game.  Maybe one of the 
fortune-cookie type packages puts a binary in there which can be run at login 
time...

> Or
> a buggy manpage that drops a .rhosts file in /var/cache/man?

That is something that could be usefully changed.

> > Does bin even own ANY files or have write access to ANY directories on
> > a  default install?  From a quick look it seems that account "bin" gets
> > no write  access to anything on a Linux system.
>
> If "bin" has no valid password, owns no files, runs no processes, and can
> write to no directories, then why does "bin" exist at all?

Beats me.  Compatibility I guess.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
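The question running through this thread (which system accounts have a real home directory, and whether a trust file such as .rhosts or .ssh/authorized_keys in that directory would be honoured regardless of the seventh passwd field) can be checked mechanically. The script below is an added example, not code from the thread or from either poster. It works on constructed passwd lines, and the function names (system_accounts, trust_files_in, owned_by, audit) and the UID threshold of 1000 are assumptions for illustration; adapt them to your distribution's UID ranges.

```shell
#!/bin/sh
# Audit system accounts for home directories that carry rsh/ssh trust files.
# rlogin/rsh consult ~/.rhosts and ssh consults ~/.shosts, ~/.rhosts and
# ~/.ssh/authorized_keys; none of these checks the login shell, which is why
# the home directory matters more than /usr/sbin/nologin in field seven.

# Constructed sample passwd lines (not copied from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Print "name:uid:home" for every non-root account whose UID is below $1
# (assumed threshold 1000, the usual start of ordinary users). Reads
# passwd-format text on stdin.
system_accounts() {
    max_uid="${1:-1000}"
    awk -F: -v max="$max_uid" '$3 > 0 && $3 < max { print $1 ":" $3 ":" $6 }'
}

# Print every trust file under a home directory that rsh/ssh would honour.
# Prints nothing (and still returns 0) when the directory is clean.
trust_files_in() {
    home="$1"
    for f in "$home/.rhosts" "$home/.shosts" \
             "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Count files below $2 (default /) owned by user $1, staying on one
# filesystem. Answers "does bin even own ANY files" for the running host;
# a nonexistent user makes find fail, which counts as 0.
owned_by() {
    user="$1"; root="${2:-/}"
    find "$root" -xdev -user "$user" -print 2>/dev/null | wc -l | tr -d ' '
}

# Walk the system accounts in passwd-format text $1 and flag any whose
# home directory contains a trust file.
audit() {
    passwd_text="$1"
    printf '%s\n' "$passwd_text" | system_accounts | \
    while IFS=: read -r name uid home; do
        files=$(trust_files_in "$home")
        if [ -n "$files" ]; then
            printf 'ALERT %s (uid %s): trust file(s) in %s: %s\n' \
                "$name" "$uid" "$home" "$files"
        else
            printf 'ok    %s (uid %s): no trust files in %s\n' \
                "$name" "$uid" "$home"
        fi
    done
}

audit "$SAMPLE_PASSWD"
```

To run it against the real host, replace the sample with `audit "$(cat /etc/passwd)"`, and use `owned_by bin` to see whether the account owns anything at all. A hit from trust_files_in on an account like man (home /var/cache/man) is exactly the case the thread calls out as worth changing: a world-readable cache directory that a buggy unprivileged program can write into is not a safe place for a home directory.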