
Re: Crack and cops



> 
> > Pardon my ignorance but what exactly are "crak" and "cops"?
> 
> Cops: security checker.

Cops does some cute things. First off, it checks for some obvious things
like, say, your /var/spool/cron/crontabs dir being world-writable or your
hosts.equiv file being world writable, etc....

It's got one really *cute* feature called "kuwang", I think. Basically, it's
supposed to find ways that a user can gain root access through a *process*.

For example, let's say we've got three users on the system: "A", "B", and root.
Let's also say that A's primary group is "X" but it's also in "Z". B's
primary group is "Z" and is also in the "root" group.

Further, let us assume that B was careless enough to turn on group write
permissions for his/her .profile. So, we've got something like this:

% ls -l /home/B/.profile
-rwxrwxr-x B        Z        1534      Jan 17  12:34   .profile

And let us assume the same of root:

% ls -l /root/.profile
-rwxrwxr-x root     root     2543      Feb 23 16:32    .profile

Well, now, it's possible for user "A" to gain root privileges. A will be able
to write to "B"s .profile and, hence, will be able to run anything as "B".
This means that "A" (while running something as "B") will be able to write
to "root"s .profile and will be able to run anything as root.

I know this seems preposterous... like you need this impossible conspiracy of
little misconfigurations to allow for a security hole of this nature... but
it's really not that impossible. Imagine, for example, if you put a certain
user in the "www" group to allow them to maintain a portion of your web
site. Also imagine that you've added "www" to the "root" group so that 
certain CGI scripts will be able to access some files that www doesn't normally
have access to. Well, now you're more than half way there... and you
got there by doing two things that, in themselves, didn't seem all that
unreasonable.

So, to keep a long story from getting any longer, that is what kuwang is
supposed to do. I'm not sure if it really *does*, since it's never found
a hole like that on my machine yet.

- Joe
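
The chained check described in the message above, as an added example that is not part of the original post and is not COPS's own code: an audit that treats each writable startup file as an edge between accounts and searches for a chain ending at root. The users, groups and file modes are constructed from the message's A/B/root scenario; the function names are hypothetical, and root's ability to bypass permission bits is not modelled.

```python
from collections import deque

# Constructed sample data mirroring the message: user -> groups it belongs to.
GROUPS = {"A": {"X", "Z"}, "B": {"Z", "root"}, "root": {"root"}}

# Constructed startup files (path, owner, group, mode), as in the ls output.
PROFILES = [
    ("/home/B/.profile", "B", "Z", 0o775),
    ("/root/.profile", "root", "root", 0o775),
]

def can_write(user, owner, group, mode, groups=GROUPS):
    """Classic Unix check: owner class first, then group class, then other."""
    if user == owner:
        return bool(mode & 0o200)
    if group in groups.get(user, ()):
        return bool(mode & 0o020)
    return bool(mode & 0o002)

def takeover_edges(profiles=PROFILES, groups=GROUPS):
    """Edge user -> owner when user can modify a file the owner's shell runs."""
    edges = {}
    for path, owner, group, mode in profiles:
        for user in groups:
            if user != owner and can_write(user, owner, group, mode, groups):
                edges.setdefault(user, []).append((owner, path))
    return edges

def path_to(target, start, edges):
    """Breadth-first search; returns the shortest chain of (user, file) hops."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        user, chain = queue.popleft()
        if user == target:
            return chain
        for nxt, path in edges.get(user, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, chain + [(nxt, path)]))
    return None

def audit(profiles=PROFILES, groups=GROUPS, target="root"):
    """Per non-target user: the chain of writable files reaching target, or None."""
    edges = takeover_edges(profiles, groups)
    return {u: path_to(target, u, edges) for u in groups if u != target}

if __name__ == "__main__":
    for user, chain in audit().items():
        print(user, "->", chain or "no path")
```

Removing group write from either .profile breaks the chain for A, which is why each hop is reported with the file that enables it.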
