[11307] in bugtraq
Re: Paranoid? Running SSHD as normal users. (rethink)
daemon@ATHENA.MIT.EDU (Erik Parker)
Sun Aug 8 21:46:06 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9908061325440.27861-100000@noella.mindsec.com>
Date: Fri, 6 Aug 1999 13:29:27 -0600
Reply-To: Erik Parker <eparker@MINDSEC.COM>
From: Erik Parker <eparker@MINDSEC.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.9908041559170.15311-100000@noella.mindsec.com>
pc@cyclotron.bombshelter.net pointed out to me:
> This could be good.. But this could be bad. Running on a system without
> the shadow password suite, then this would work very easily;
> running on a machine with a shadow password suite, it would at least
> require the shadow file to be group writeable to the GID you run
> the program as. Which in most cases, shadow passwords are never readable
> to a regular users' group, otherwise what is the point of the shadow suite?
require the shadow file to be group READABLE.. which, again, it never
should be for average users' groups. However, a lot of machines do have it
group readable for programs like xlock, and other ones that
don't need to run as root but do need to read that file.
> The good: If SSH had a remote BO, the only thing compromised is anything
> in the group that /etc/shadow was r+w by.
And another mistake, obviously: if the shadow file is r+w to the person
who compromised it, they own the entire box. I don't know how I overlooked
that statement. I meant g+r, so it's group readable..
And as Alan Cox pointed out..
It might mean more trouble for the user logged in that way, if it was
being used in a legitimate way.. because whoever owned the tty they are
sitting on could easily write to their term.
Erik Parker
eparker@mindsec.com
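The two exposures discussed in this thread, a group-readable (or worse, group-writable) shadow file and a login tty owned by someone other than the logged-in user, are easy to audit. The script below is an added example, not code from the post or from either author. It assumes POSIX sh with ls, chmod and mktemp; the shadow-style file it creates and the hash in it are constructed for the demo, and the verdict names (ok, group-read, group-write, world, owner-mismatch, world-writable) are my own.

```shell
#!/bin/sh
# Added example (not from the original post or its authors): audits for the
# two risks discussed above, written so they run without root against
# constructed files.  Assumes POSIX sh, ls, chmod and mktemp.
#
# 1. classify_mode: what does the permission string of /etc/shadow give away?
#    A non-root sshd must read the hashes, so the file ends up g+r for sshd's
#    group; whoever compromises sshd inherits that read access (offline
#    cracking of every hash).  g+w is far worse: the holder can set any
#    password, root's included.
# 2. tty_verdict: after login, who can write to the session's terminal?
#    If the pty is not owned by the logged-in user, its owner can write to it.

# classify_mode MODESTRING  (first ls -l field, e.g. -rw-r-----)
# Prints: ok | group-read | group-write | world
# Note: POSIX ACLs (shown by a trailing '+') are not inspected here.
classify_mode() {
    case $1 in
        ???????r*|????????w*) echo world ;;        # o+r or o+w
        ?????w*)              echo group-write ;;  # g+w
        ????r*)               echo group-read ;;   # g+r only
        *)                    echo ok ;;
    esac
}

# audit_shadow PATH -> "<verdict> owner=<u> group=<g> mode=<m>"
audit_shadow() {
    f=$1
    [ -e "$f" ] || { echo "missing $f"; return 1; }
    set -- $(ls -ld "$f")        # $1=mode $3=owner $4=group
    echo "$(classify_mode "$1") owner=$3 group=$4 mode=$1"
}

# tty_verdict MODESTRING OWNER LOGIN_USER
# Prints: ok | owner-mismatch | world-writable
# Linux ptys are normally mode 620, owner = login user, group = tty, so that
# write(1)/wall(1) (setgid tty) can reach them; group write is therefore not
# flagged, only a foreign owner or world write.
tty_verdict() {
    mode=$1; owner=$2; user=$3
    if [ "$owner" != "$user" ]; then
        echo owner-mismatch
    else
        case $mode in
            ????????w*) echo world-writable ;;
            *)          echo ok ;;
        esac
    fi
}

# audit_tty DEVICE LOGIN_USER -> verdict for a real terminal, e.g.
#   audit_tty "$(tty)" "$(id -un)"
audit_tty() {
    dev=$1; user=$2
    set -- $(ls -ld "$dev")      # $1=mode $3=owner
    tty_verdict "$1" "$3" "$user"
}

# Demo on a constructed shadow-like file (contents made up) so it runs as an
# unprivileged user.
demo() {
    d=$(mktemp -d) || return 1
    printf 'root:$6$example$notarealhash:18000:0:99999:7:::\n' > "$d/shadow"
    for m in 600 640 660 644; do
        chmod "$m" "$d/shadow"
        printf 'chmod %s: %s\n' "$m" "$(audit_shadow "$d/shadow")"
    done
    rm -rf "$d"
}
demo
```

On a real host, `audit_shadow /etc/shadow` answers the question in the quoted text (which group, if any, can read the hashes), and `audit_tty "$(tty)" "$(id -un)"` from inside a session started by a non-root sshd shows whether the pty was left owned by the daemon's user rather than the login user.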