[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Isn't it a security hole...

On Wed, 14 Aug 1996, Jerzy Kakol wrote:

> ...the attribute readable for others in case of the file /etc/passwd?
> Recently my debian system was cracked by several pirates. They have 
> account name and the password widely broadcasted on an IRC channel. The 
> only way, as I guess, they grabed root's privilages was free access to 
> /etc/passwd.
> Is there a free and debianized shadow-password package?
> TIA.
>     Jerzy Kakol

I know there is a shadow password system for linux and there may
in fact be a .deb for that package.

These are typical permissions for /etc/passwd:

-rw-r--r--    1 root     sys         1309 Jun 25 15:05 /etc/passwd

That's right, readable by all. The protection in the original
passwd mechanism doesn't come from hiding the cipher text, that field
is the result of a one-way hash and cannot be effectively decrypted.
(In fact the one-way hash makes it impossible for the "rubber hose
cryptanalyt" to beat the passwords out of you or another sys admin.)

If your passwords are good even if an attacker gets your /etc/passwd
they won't find anything by craking it (dictionary attack). You may
want to have passwords checked before they are hashed into /etc/passwd
using anlpasswd or the like with the biggest baddest dictionary files
you can find. The anlpasswd program replaces passwd or yppasswd, though
this isn't obvious to your users.

If your system has been compromised, or is likely to be, you will
probably want to restore it from a known good backup (or, better yet, 
reinstall) and run Tripwire (or a similar tool) to be sure of integrity 
in the future. Even if you fixed the root password you probably have no
idea what else the intuders may have done to keep a back door open.
Don Gaffney (http://www.emba.uvm.edu/~gaffney)
Engineering, Mathematics & Business Administration Computer Facility
University of Vermont - 237 Votey Building - Burlington, VT  05405
(802) 656-8490 - Fax: (802) 656-8802

Reply to: