[1086] in WWW Security List Archive


Re: Unix links subverting Web security

daemon@ATHENA.MIT.EDU (Julian Anderson)
Thu Oct 26 23:34:47 1995

From: Julian Anderson <Julian.Anderson@Comp.VUW.AC.NZ>
To: Jeffrey Russell Horner <jhorner@cs.utk.edu>
cc: Thomas Maslen <tmaslen@verity.com>,
        Steff Watkins <Steff.Watkins@Bristol.ac.uk>,
        www-security@ns2.rutgers.edu
In-reply-to: Your message of "Thu, 26 Oct 1995 15:33:03 EDT."
             <199510261933.PAA25133@rudolph.cs.utk.edu> 
Date: Fri, 27 Oct 1995 13:48:05 +1300
Errors-To: owner-www-security@ns2.rutgers.edu

>What can you glean from a passwd file?
>
>Surely no one has cracked crypt()...

Nope, but it's not that strong, so you can brute-force it.  That is,
there is software around -- the most common is called "crack" -- that
tries encrypting dictionary words and variations (i,l==1, o==0, s==5,
studlycaps, etc.), and comparing with a password file.  Your typical
Bad Guy is looking for a user account on your server that can be used
to look around for more interesting holes, so all they need is one
user who uses "fred" as a password, and your password file.

Because of that, if you don't have shadow passwords, you should be
running crack or one of its variants, simply because you should
assume your password file has escaped.  Even if you *do* have shadow
passwords, it's not a bad idea to run it.  In fact, if you run your
own password system, you can use CrackLib to make it hard for your
users to pick a dud password.

Note that the NCSA 1.3 httpd (and, I guess, spinoffs such as Apache)
has several Options settings that cope with the naive "symlink to
/etc/passwd" problem:

 * FollowSymLinks 
       The server will follow symbolic links in this directory. 

 * SymLinksIfOwnerMatch
       The server will only follow symbolic links for which the target
       file/directory is owned by the same user id as the link. 

This obviously solves the simpler problem, but doesn't stop someone
copying the passwd file.  As it was said earlier: you can't make it
damnfoolproof (at least, without defenestrating the damnfool).

--jules
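The two Options settings described in the message above differ in what they check before a symlink under the document root is traversed. The Python below is an added example (not part of Julian's post, and not httpd's own code) that models that decision per path component: FollowSymLinks follows any link, SymLinksIfOwnerMatch compares the uid of the link itself (lstat) with the uid of its target (stat), and no option means no link is followed. The option names are the ones from the post; the injectable lstat/stat functions, the fake_fs helper, the uid 1000 and the /var/www docroot are constructed so the "user-owned link to a root-owned file" case can be shown without running as root.

```python
import os
import stat
import tempfile
import types

FOLLOW_SYMLINKS = "FollowSymLinks"
SYMLINKS_IF_OWNER_MATCH = "SymLinksIfOwnerMatch"


def symlink_allowed(path, option, lstat=os.lstat, stat_fn=os.stat):
    """Decide whether a server configured with `option` may traverse `path`.

    Non-links are always fine.  FollowSymLinks follows any link.  Under
    SymLinksIfOwnerMatch the link is followed only when the link and the
    object it points to have the same owner uid.  With neither option set,
    no link is followed.  Returns (allowed, reason).  lstat/stat_fn are
    injectable so the owner-mismatch case can be demonstrated without root.
    """
    st_link = lstat(path)                       # lstat() describes the link itself
    if not stat.S_ISLNK(st_link.st_mode):
        return True, "not a symlink"
    if option == FOLLOW_SYMLINKS:
        return True, "FollowSymLinks: followed unconditionally"
    if option == SYMLINKS_IF_OWNER_MATCH:
        try:
            st_target = stat_fn(path)           # stat() resolves the link
        except FileNotFoundError:
            return False, "dangling symlink"
        if st_target.st_uid == st_link.st_uid:
            return True, "owner match (uid %d)" % st_link.st_uid
        return False, "owner mismatch: link uid %d, target uid %d" % (
            st_link.st_uid, st_target.st_uid)
    return False, "symlinks not followed (no Options set)"


def check_request_path(docroot, rel_path, option, **fs):
    """Apply symlink_allowed to every component of a request path under docroot."""
    current = docroot
    for part in rel_path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            return False, "parent traversal rejected"
        current = os.path.join(current, part)
        ok, why = symlink_allowed(current, option, **fs)
        if not ok:
            return False, "%s: %s" % (current, why)
    return True, "ok"


def fake_fs(link_uid, target_uid):
    """Constructed stand-in for lstat/stat (example only): every path is a
    symlink owned by link_uid that points at a regular file owned by target_uid."""
    def lstat(_path):
        return types.SimpleNamespace(st_mode=stat.S_IFLNK | 0o777, st_uid=link_uid)

    def stat_fn(_path):
        return types.SimpleNamespace(st_mode=stat.S_IFREG | 0o644, st_uid=target_uid)

    return {"lstat": lstat, "stat_fn": stat_fn}


def demo():
    """Return {scenario: allowed} for the cases the post discusses."""
    results = {}
    # A user-owned link to a root-owned file such as /etc/passwd, simulated
    # with constructed uids (1000 -> 0) so the run does not depend on root.
    cross = fake_fs(link_uid=1000, target_uid=0)
    for opt in (None, FOLLOW_SYMLINKS, SYMLINKS_IF_OWNER_MATCH):
        results["passwd-link/%s" % opt] = check_request_path(
            "/var/www", "passwd", opt, **cross)[0]
    # A real link whose target the same user owns: allowed under owner-match.
    with tempfile.TemporaryDirectory() as docroot:
        target = os.path.join(docroot, "index.html")
        open(target, "w").close()
        os.symlink(target, os.path.join(docroot, "alias.html"))
        results["own-link/SymLinksIfOwnerMatch"] = check_request_path(
            docroot, "alias.html", SYMLINKS_IF_OWNER_MATCH)[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-40s %s" % (name, "allowed" if allowed else "denied"))
```

As the post says, this only addresses the link itself: a file the web server can read can still be copied into the document root, and owner matching does nothing about that.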
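The post also recommends running a CrackLib-style check so users cannot pick the passwords crack finds first: dictionary words with the substitutions it lists (i,l==1, o==0, s==5, studlycaps). This Python is an added example of the defensive side of that, not code from the post or from CrackLib: it undoes those substitutions, folds case, strips leading/trailing digits, and rejects anything that lands on a wordlist entry (forwards or reversed). The six-word wordlist, the minimum length of 8 and the MAX_FORMS cap are constructed assumptions; a real deployment would use a full dictionary.

```python
import itertools
import string

# Constructed mini wordlist standing in for the dictionary a cracker would try.
WORDLIST = {"fred", "password", "secret", "letmein", "welcome", "dragon"}

# Reverse of the substitutions named in the post: '1' may stand for l or i,
# '0' for o, '5' for s.  Every other character maps to itself.
UNLEET = {"1": "li", "0": "o", "5": "s"}

MIN_LENGTH = 8      # assumption for this example
MAX_FORMS = 4096    # bound the expansion for passwords containing many '1's


def unleet_forms(password):
    """Yield every lowercase form obtained by undoing the substitutions.
    A '1' expands to both 'l' and 'i', so the number of forms is 2**count('1')."""
    choices = [UNLEET.get(c, c) for c in password.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def weak_reason(password, wordlist=WORDLIST):
    """Return None if the password is acceptable, else a human-readable reason.

    Checks: minimum length, then whether the password (or the password with
    leading/trailing digits stripped) is a wordlist entry or a reversed
    wordlist entry once the substitutions are undone and case is folded.
    """
    if len(password) < MIN_LENGTH:
        return "too short (< %d characters)" % MIN_LENGTH
    candidates = {
        password,
        password.rstrip(string.digits),   # "secret12" -> "secret"
        password.lstrip(string.digits),   # "12secret" -> "secret"
    }
    for cand in candidates:
        for form in itertools.islice(unleet_forms(cand), MAX_FORMS):
            if form in wordlist:
                return "based on dictionary word %r" % form
            if form[::-1] in wordlist:
                return "reversed dictionary word %r" % form[::-1]
    return None


def check_many(passwords):
    """Return {password: reason-or-None} for a batch of candidates."""
    return {pw: weak_reason(pw) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample candidates covering each rule.
    for pw, reason in check_many(
            ["fred", "Pa55w0rd", "Dragon99", "5ecret12", "correct horse battery"]).items():
        print("%-24s %s" % (pw, reason or "ok"))
```

Note that the check is deliberately one-sided: it only tells you a password is on the short list a cracker tries first, not that it is strong, which is why the post still recommends running crack itself against the file you actually have.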
