[comp.unix.wizards] Protecting Password Files

ptownson@chinet.chi.il.us (Patrick Townson) (12/25/88)

I got to thinking about the security of /etc/passwd files, and it seems to
me they are awfully easy to tamper with. 

Any user can 'cd ..' a few times until they are down to the root directory,
where they can cd etc. Once in etc, they can emacs passwd to review the
file.

Now of course the entries are encrypted, but not to worry, I do not have to
be able to figure it out; after all, I *know what my password is*. I can
use 'cut and paste' techniques to lift my encrypted password and sit it on
top (or 'paste it over') your encrypted password, can't I? Then my password
goes with your account as well as my own.

I can hear your objection now: you say passwd is protected against writing
to the file. The permissions allow only the owner -- in this case the 
computer -- to write the file. Not being the owner, I will be unable to
chmod 666 the file or otherwise adjust the permissions. Again, not to 
worry, for where chmod can't do the job, DIRED can.....

If I park myself on etc, and call DIRED, I can get right in there and
diddle those permissions as required, plugging in 'w' for others on passwd.
Once etc has been properly diddled via DIRED, I won't get any arguments
when I emacs passwd and start cutting and pasting or when I save the file
back out.

At that point, I can log in as you, but using my (pasted over) password
instead of yours. 

If a person wanted to be a real sneak about it, they would not simply
paste over the sysadmin's password with their own, causing the sysadmin
to be locked out of his own machine. If the sysadmin came along and 
decided to login, there would be hell to pay. The jig would be up real quick.
If I were going to do something like that, I'd be likely to cp passwd myfile,
then do the cut and paste job on myfile.

Logged in as myself, I'd swap out /etc/passwd with /etc/myfile, renaming
my(pasted up)file as passwd. Quickly now, login as sysadmin, using my own
password after all, and as the first order of business swap myfile and 
passwd back again so that if the real sysadmin wanted to login, he would
be able to do so without any hassle.

I would keep myfile handy, and whenever I wanted to go on as sysadmin (or
you, perhaps?) I would first go on as myself, make the swapout, login as
whoever and reverse the swap, so as not to 'inconvenience' the true owner
of the account. [Actually, so as not to tip off the authorities! :-) ]

Instead of just picking on the sysadmin, one might simply change all
encrypted password strings to one's own encrypted password string. Change
every occurrence. This special copy of /etc/passwd would have every user
with the same password, namely mine!

Oh, I'm sure it would not actually work...I must be overlooking something.
Prolly one or more of you guys will stand me corrected in a minute.

The catch seems to be that DIRED sees nothing wrong with working on /etc/
passwd. Either DIRED should refuse to work on etc or ideally, DIRED should
be unable to edit the permissions area in directories.

Am I missing something, or is this a simple, easy way to break into anyone's
account with no reference to their true password at all?

Patrick Townson
(replies by mail will be fine, or here as you wish)

ptownson@chinet.chi.il.us
ptownson@bu-cs.bu.edu 

bzs@Encore.COM (Barry Shein) (12/26/88)

From: ptownson@chinet.chi.il.us (Patrick Townson)
>The catch seems to be that DIRED sees nothing wrong with working on /etc/
>passwd. Either DIRED should refuse to work on etc or ideally, DIRED should
>be unable to edit the permissions area in directories.
>
>Am I missing something, or is this a simple, easy way to break into anyone's
>account with no reference to their true password at all?
>
>Patrick Townson

Yes, what you are missing is the slightest understanding of unix, if
this wasn't unix-wizards I'd have more mercy but instead I'll point
out you have sunk this list to a new low.

There's something wrong with the LOCAL set up of YOUR dired (which, by
the way, is not even a standard unix utility) or the permissions on
YOUR /etc or something like that, I don't know but your point was
worthless. It's as if you were claiming unix is unreliable since your
system stops working every time you pour a can of cola in the disk
drive.

I have nothing against someone asking a question, no matter how naive,
but posing as someone offering insight into unix to a list whose name
is unix-wizards and posting this kind of misleading, ignorant tripe is
utterly irresponsible. Didn't it ever occur to you that you don't know
what you are talking about? I don't think a little "correct me if I'm
wrong" is enough to excuse this kind of garbage.

	-Barry Shein

ptownson@chinet.chi.il.us (Patrick Townson) (12/26/88)

In article <4484@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:

>Yes, what you are missing is the slightest understanding of unix.......
>....mercy but instead I'll point out you have sunk this list to a new low.

I'm sorry I polluted your list, sinking it to a new low. I don't ever
recall claiming I had the 'slightest' (or at least, more than a rudimentary)
understanding of unix. I will someday, though.

>There's something wrong with the LOCAL set up of YOUR dired (which, by
>the way, is not even a standard unix utility) or the permissions on
>YOUR /etc or something like that, I don't know but your point was
>worthless. It's as if you were claiming unix is unreliable since your
>system stops working every time you pour a can of cola in the disk
>drive.

I don't quite see where the 'pour cola in the keyboard' analogy fits
into this. It would have been quite sufficient to say as you did in your
first sentence this paragraph: 'There's something wrong with the local
set up of your dired, or the permissions on /etc'

>I have nothing against someone asking a question, no matter how naive,
>but posing as someone offering insight into unix to a list whose name
>is unix-wizards and posting this kind of misleading, ignorant tripe is
>utterly irresponsible. Didn't it ever occur to you that you don't know
>what you are talking about? I don't think a little "correct me if I'm
>wrong" is enough to excuse this kind of garbage.
>
>	-Barry Shein

I'm sorry you felt the question was 'misleading, ignorant tripe which is
utterly irresponsible'.....and 'garbage'. Actually, Mr. Shein, I had very high
hopes for this news.group. I thought here, surely, I would receive a detailed
and technically correct answer to my query. I expected it to be the one place
I might receive the requisite knowledge of unix required to maximize my use
of these machines. Surely the idle.chatter groups are of no help.

I suppose that is correct; but not at the price you are asking me to pay
for the instruction, Mr. Shein. Have a happy new year, and I will do the same.

Patrick Townson

bzs@Encore.COM (Barry Shein) (12/27/88)

From: ptownson@chinet.chi.il.us (Patrick Townson)
>I'm sorry you felt the question was 'misleading, ignorant tripe which is
>utterly irresponsible'.....and 'garbage'. Actually, Mr. Shein, I had very high
>hopes for this news.group. I thought here, surely, I would receive a detailed
>and technically correct answer to my query. I expected it to be the one place
>I might receive the requisite knowledge of unix required to maximize my use
>of these machines. Surely the idle.chatter groups are of no help.

Oh cut the alligator tears.

You didn't make a query, you didn't ask a question, you stated
pompously and (seemingly) authoritatively that unix has a serious
security flaw in that it allows anyone to edit /etc/passwd via use of
DIRED, in general. That's a SERIOUS claim and can send a lot of
readers running for the hills, you just don't want to take
responsibility (but you claim you read this group to get information?)

Perhaps now you understand how idle.chatter groups become idle.chatter
groups and of no help, nothing like people who know full well they
don't know what they're talking about posing as authorities to make a
group useless.

If I make a technical error in a technical group like this I welcome
being bashed for it and certainly hope no one ever hesitates because
they're afraid it would hurt my feelings. Therein lies mediocrity.

It would be nice if somehow people could become authorities without
bothering themselves with hard work or so much as cracking a manual,
unfortunately no method to achieve this has been discovered.

	-Barry Shein, ||Encore||

mhw@wittsend.LBP.HARRIS.COM (Michael H. Warfield (Mike)) (12/27/88)

In article <4484@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
>
>Yes, what you are missing is the slightest understanding of unix, if
>this wasn't unix-wizards I'd have more mercy but instead I'll point
>out you have sunk this list to a new low.
>

     And maybe the point you're missing is the variety of *NIX systems out
in the real world.  A valid point was brought up (although maybe not what the
original author meant to bring up).  I have thought up sillier ways than that
to crack a password file (and roasted more than a few short sighted programmers
with a terminal case of optical rectitis for doing STUPID things that create
obvious security violations).  His point may in fact emphasize that simple
errors in judgement can easily set up a UNIX system to be HAD by the simplest
of tricks.  Non standard utilities are a point to consider.  Just because there
is no "standard" UNIX utility that can get around something doesn't mean
you shouldn't protect yourself from the attack.  Your point of DIRED being
non-standard is TOTALLY WORTHLESS!  Certainly if /etc has non owner write
permission to the directory or if some IDIOT made that DIRED utility SUID to
root (re: optical rectitis above) then that should be pointed out.  If his 
system really allows such transgressions then those should be pointed out and
corrected (and possibly the guilty sys-op taken out to a dark alley somewhere).

     The lesson for ALL of us is that WE ARE OUR WORST ENEMIES!  By far, the
worst security violations are the ones we create for ourselves.  Either through
laziness, ignorance, or misguided desires for "ease of use" we can all easily
fall into the trap of creating holes in our systems.  It is far easier to
create a hole than to plug a hole we didn't realize was there.

     Certainly your flame of ANYBODY having a valid concern or question
over UNIX security is far more inappropriate to ANY TECHNICAL group than
any such question NO MATTER HOW STUPID.  And the original poster certainly
did not bring up a stupid point even if (and I seriously doubt it) 90 percent
of the readers of this group really found this so obvious.  Maybe you need
a new newsgroup (comp.unix.wizards.out_of_the_box.purists).

---
Michael H. Warfield  (The Mad Wizard)	| gatech.edu!galbp!wittsend!mhw
  (404)  270-2123 / 270-2098		| mhw@wittsend.LBP.HARRIS.COM
An optimist believes we live in the best of all possible worlds.
A pessimist is sure of it!
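
[Added example, not part of the original thread or written by any of its posters.] The two local misconfigurations named in the post above (a directory writable by non-owners, or a utility installed setuid) can be checked for directly. The function names and the `tools` parameter below are hypothetical, chosen for illustration.

```python
import os
import stat

def audit_path(path):
    """Return a list of permission findings for one file or directory."""
    st = os.stat(path)
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    # A setuid program runs with its owner's privileges, so a setuid-root
    # file manager or editor can change files its caller could not.
    if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
        findings.append("setuid (runs as uid %d)" % st.st_uid)
    return findings

def audit_passwd(passwd_path, tools=()):
    """Audit the password file, its parent directory, and listed tools.

    The directory matters as much as the file: write permission on the
    directory allows renaming or replacing a file that is itself
    read-only, which is what the copy-and-swap in the first post needs.
    """
    parent = os.path.dirname(os.path.abspath(passwd_path))
    report = {}
    for target in [passwd_path, parent] + list(tools):
        findings = audit_path(target)
        if findings:
            report[target] = findings
    return report

if __name__ == "__main__":
    # An empty report means none of the checked conditions were found.
    for target, findings in audit_passwd("/etc/passwd").items():
        print(target, ", ".join(findings))
```

Pass the path of any locally installed directory editor in `tools` to include it in the audit.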

debra@alice.UUCP (Paul De Bra) (12/27/88)

In article <7282@chinet.chi.il.us> ptownson@chinet.chi.il.us (Patrick Townson) writes:
}In article <4484@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
}
}>Yes, what you are missing is the slightest understanding of unix.......
}>....mercy but instead I'll point out you have sunk this list to a new low.
}
}I'm sorry I polluted your list, sinking it to a new low. I don't ever
}recall claiming I had the 'slightest' (or at least, more than a rudimentary)
}understanding of unix. I will someday, though.
} [ several kilobytes of clutter deleted ]

I always thought people with little understanding of Unix would ask questions
in comp.unix.questions, whereas comp.unix.wizards was for people with a decent
knowledge of Unix, trying to expand that knowledge.

Paul.

-- 
------------------------------------------------------
|debra@research.att.com   | uunet!research!debra     |
------------------------------------------------------

bzs@talcott.harvard.edu (Barry Shein) (12/28/88)

>The tone of your response was uncalled for given that he DID ask a question.

Oh, I see, you searched and searched thru all his self-aggrandizing
garbage and actually found a question mark. Wowee zowee, I guess that
makes him a genius.

	-B