
Re: Bug#311772: Fwd: Password leaks are security holes



On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
> auth.log was invented for this reason, and separated from the standard log:
> it should be readable only by root,

Then there is a bug in another package if this is what "should" be, because
/var/log/auth.log is readable by group adm on all my systems.

> Anyway root already has the capability to view passwords
> (i.e. by installing alternate login programs, sniffing tty, ...)

If the system uses MAC such as SELinux, this is not necessarily the case.
We should design for such future technologies, and not expose passwords
unnecessarily.

On Thu, Aug 28, 2008 at 01:05:19PM +0200, Johan Walles wrote:
> > auth.log was invented for this reason, and separated from the standard log:
> > it should be readable only by root, because users make errors.

> It's readable by anybody with physical access to the hardware.

The logging we're talking about takes place in pam_unix.  The normal
password store for pam_unix is /etc/shadow, which is on the hard drive; if
the user has physical access, they can run a password cracker against this
file anyway and try to grab *all* user passwords, not just those of users
who don't read before they type.

(It's true that the passwords are not in /etc/shadow for systems using
pam_unix together with NIS or NIS+, but I consider both NIS and NIS+ rather
uninteresting cases.)

> > So auth.log should log usernames, so that users don't make the
> > wrong assumption that passwords are not accessible by root!

> I can see a point in logging *valid* usernames.  Logging invalid
> usernames (which aren't unlikely to actually be passwords) is a
> security risk.

It provides information about username brute force attacks and other issues
of concern to admins.

On Thu, Aug 28, 2008 at 11:55:49AM +0200, Nico Golde wrote:
> Maybe this is the case but that's why this file is only 
> readable for root and the adm group. So if an attacker is 
> able to read this file you have way more problems as he 
> wouldn't need to check the auth log for user errors but 
> could just trace the login process, crack shadow, write a 
> custom pam module or something similar to get your login 
> credentials.

No, that's not true.  The only added permission the 'adm' group has on
Debian is to be able to read log files; so this *does* expose passwords to
users who wouldn't otherwise be able to get at them.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
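
Added example, not part of the original message: a Python audit of who besides root can read an authentication log through classic owner/group/other mode bits, which is the exposure the message describes for group adm. The function name and returned keys are assumptions of this example; ACLs and MAC policy such as SELinux are not evaluated.

```python
import grp
import os
import pwd
import stat


def log_readers(path):
    """Report group/world read access on `path` from its mode bits only."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    info = {
        "mode": oct(mode),
        "owner_uid": st.st_uid,
        "group_gid": st.st_gid,
        "group_read": bool(mode & stat.S_IRGRP),
        "world_read": bool(mode & stat.S_IROTH),
        "group_members": [],
    }
    if info["group_read"]:
        members = set()
        try:
            # Supplementary members listed in the group database.
            members.update(grp.getgrgid(st.st_gid).gr_mem)
        except KeyError:
            pass  # gid has no entry in the group database
        # Accounts whose primary group is this gid do not appear in gr_mem.
        members.update(
            p.pw_name for p in pwd.getpwall() if p.pw_gid == st.st_gid
        )
        info["group_members"] = sorted(members)
    return info


if __name__ == "__main__":
    # Path taken from the thread; adjust for systems that log elsewhere.
    target = "/var/log/auth.log"
    if os.path.exists(target):
        report = log_readers(target)
        print(f"{target}: mode {report['mode']}")
        if report["world_read"]:
            print("  readable by every local account")
        if report["group_read"]:
            print("  readable via group by:", ", ".join(report["group_members"]) or "(no members)")
    else:
        print(f"{target} not present on this system")
```

Any account listed under group read can see usernames logged on failed logins, including a password typed at the login prompt by mistake.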

