
Re: Weird and insecure su problem: FIXED



Pigeon wrote:
> >And the `not an octal number' error suggest broken permissions somewhere.
> It does, doesn't it? That was Microsoft's fault for their LF/CR line
> break standard. In order to get my Linux box to boot again I had to
> manually copy in the files from
> dists/slink/main/disks-i386/2.1.11.1-1999.09.08/base2_1.tgz. Because I
> couldn't run tar & gzip, I had to unpack it with WinZip on my Windoze
> box. This resulted in every text file having LF/CR line breaks in,
> including /root/.profile, the source of this particular error.

I was under the impression that tar and gzip (for DOS/Windows) were included
on the CD.  (At least, this was true of potato, maybe not for slink.)  So it
should be possible to extract the files straight to Unix linebreak format,
rather than munging it to the DOS one.  I haven't got the Woody .iso's to
hand, so I can't check if they've got the necessary tools.

However, it's possible that su is vulnerable to a buffer overflow or similar
here.  My understanding of your description is that, when presented with an
encrypted password it can't understand, it lets the user in automatically.
This is probably not a security hole in itself (an attacker would need to
have a user's account already, and be able to reliably overwrite sections of
a root-owned file with garbage), but potentially worrying nonetheless.

> >Check that /etc/passwd and /etc/shadow match the descriptions in `man
> >passwd` and `man shadow` respectively. 
> Hey, thanks for that. It was /etc/shadow: the root password in it was
> corrupted, though the pigeon password was OK.

It was a lucky guess.

> To fix it, I simply
> copied /etc/passwd to /etc/shadow. It works now. Cool! Thanks.

Hmm, sounds like you haven't enabled shadow passwords.  With these enabled,
/etc/passwd is readable by all users, but only shows `x' for the password.
/etc/shadow is only readable by root, and contains the encrypted password.
Have a look at the Security HOWTO, specifically section 6.8, to see why you
might want to do this.

http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN655

> >But *DON'T* send them here for a second opinion.  
> Interesting. Is this simply to avoid filling the list with junk? Given
> that people post X / system logs etc. for a second opinion, probably
> not. Are you assuming that my passwords may not be safe against a
> brute-force dictionary attack, or has the "one-way" nature of the
> encryption algorithm been compromised?

Not really sure.  I just noticed that all the sample /etc/shadow files I
could find said ``altered from original'', as if the owners didn't want that
kind of information on the web.  Brute force attacks are possibly a
consideration, but my main reasoning is that it's meant to only be read by
root.  (Though if you haven't got shadow passwords enabled, then the
information you'd be giving out is already available to anyone with an
account on your box.)

From the manpage,

       This file must not be readable by regular users if password security
       is to be maintained.

Glyn

-- 
Going to Oxford is only `going up' if you start off south of it.
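The two checks that come up in this exchange, whether shadow passwords are actually enabled (every password field in /etc/passwd is `x` and /etc/shadow is not world-readable) and whether the hash fields in /etc/shadow are intact rather than CRLF-mangled or otherwise corrupted, can be scripted. The following is an added example, not code from the thread or from the shadow package; the file contents and the field layout it checks (7 fields for passwd, 9 for shadow, as described in `man passwd` and `man shadow`) are constructed here, and the hash-format regex is a deliberately lenient assumption that accepts modular-crypt (`$id$...`) or 13-character traditional DES hashes.

```python
"""Audit a /etc/passwd and /etc/shadow pair for the breakage discussed in
the thread: shadow passwords not enabled, CRLF line endings left by a
DOS-side unpack, corrupted or empty hash fields, a shadow file that is
readable by everyone, and a shadow file that is really a copy of passwd.
All sample inputs below are constructed for illustration."""
import os
import re
import stat

# Assumed well-formed crypt(3) hash shapes: modular-crypt ($1$, $5$, $6$, $y$,
# ...) or a 13-character traditional DES hash over the [./0-9A-Za-z] alphabet.
CRYPT_RE = re.compile(r"^(\$[0-9a-zA-Z]+\$[^:\s]+|[./0-9A-Za-z]{13})$")


def _split(line, expected, label, lineno, findings):
    """Split one colon-separated entry; report CRLF and wrong field counts."""
    if line.endswith("\r"):
        findings.append(f"{label}:{lineno}: CRLF line ending")
        line = line.rstrip("\r")
    fields = line.split(":")
    if len(fields) != expected:
        findings.append(f"{label}:{lineno}: expected {expected} fields, got {len(fields)}")
        return None
    return fields


def audit_passwd(passwd_text):
    """With shadow passwords enabled, every password field in passwd is 'x'."""
    findings = []
    for lineno, line in enumerate(passwd_text.split("\n"), 1):
        if not line.strip():
            continue
        fields = _split(line, 7, "passwd", lineno, findings)
        if fields is None:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(f"passwd:{lineno}: {user} has an empty password field")
        elif pw != "x":
            findings.append(f"passwd:{lineno}: {user} has a hash in world-readable passwd (shadow not enabled)")
    return findings


def audit_shadow(shadow_text, mode):
    """Check the file mode and each hash field of shadow."""
    findings = []
    if mode & stat.S_IRWXO:  # Debian's root:shadow 0640 is fine; 0644 is not
        findings.append(f"shadow: mode {mode:04o} grants access to other users")
    for lineno, line in enumerate(shadow_text.split("\n"), 1):
        if not line.strip():
            continue
        fields = _split(line, 9, "shadow", lineno, findings)
        if fields is None:
            continue
        user, hash_ = fields[0], fields[1]
        if hash_ == "":
            findings.append(f"shadow:{lineno}: {user} has an empty hash (no password required)")
        elif hash_.startswith(("!", "*")):
            continue  # locked account, nothing to report
        elif not CRYPT_RE.match(hash_):
            findings.append(f"shadow:{lineno}: {user} has a malformed hash {hash_!r}")
    return findings


def audit(passwd_text, shadow_text, shadow_mode):
    return audit_passwd(passwd_text) + audit_shadow(shadow_text, shadow_mode)


# Constructed samples: a healthy pair, a shadow file with a corrupted root
# hash and CRLF endings, and a passwd file that still carries hashes.
GOOD_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "pigeon:x:1000:1000:Pigeon:/home/pigeon:/bin/bash\n")
GOOD_SHADOW = ("root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:11000:0:99999:7:::\n"
               "pigeon:$1$ab$CDEF0123456789:11000:0:99999:7:::\n")
BROKEN_SHADOW = ("root:g@rbage:11000:0:99999:7:::\r\n"
                 "pigeon:$1$ab$CDEF0123456789:11000:0:99999:7:::\r\n")
UNSHADOWED_PASSWD = ("root:$1$ab$CDEF0123456789:0:0:root:/root:/bin/bash\n"
                     "pigeon::1000:1000:Pigeon:/home/pigeon:/bin/bash\n")

if __name__ == "__main__":
    # Run against the live files (needs root to read /etc/shadow).
    try:
        with open("/etc/passwd") as f, open("/etc/shadow") as g:
            live = audit(f.read(), g.read(), stat.S_IMODE(os.stat("/etc/shadow").st_mode))
        print("\n".join(live) or "no findings")
    except PermissionError:
        print("run as root to read /etc/shadow")
```

Copying /etc/passwd over /etc/shadow, as was done in the thread, shows up here as "expected 9 fields, got 7" on every line; the CRLF case shows up as a separate finding per line, before the hash itself is judged.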
