RE: Sudo tricks

2006-03-31 Thread Burton Strauss 
Isn't the real meat of this issue the commands an unprivileged user is
permitted to execute via sudo?

Sudo isn't a blanket 'execute anything' unless it's set up that way.
Instead, you should carefully choose the specific command(s) that the user
needs to be allowed to execute.  That should involve execution from an
absolute path and a protected binary.

For example, if visudo contains this

/sbin/ifconfig eth0

Then all the user can execute is the ifconfig command from the protected
binary in /sbin/ifconfig to see the state of the interface.

Or this

/sbin/ifconfig eth0 *

Allows him/her full control of eth0 - but still from the protected binary in
/sbin/ifconfig.

If you specify this:

ifconfig eth0 *

Then all bets are off...




-Burton

RE: MySQL 5.0 information leak?

2006-01-26 Thread Burton Strauss 
It's not semantics at all.  Every password is a piece of undisclosed
information and NOBODY views that as security by obscurity.  It's the corner
stone of AAA ... Something you know, something you have, something about
you.

-Burton 

-Original Message-
From: Lance James [mailto:[EMAIL PROTECTED] 
Sent: Sunday, January 22, 2006 10:48 AM
To: Burton Strauss
Cc: 'Bernd Wurst'; bugtraq@securityfocus.com
Subject: Re: MySQL 5.0 information leak?

Burton Strauss wrote:

I'd get a refund on your coinage... root's password is not security by 
obscurity, it is an undisclosed piece of information.  There is a big 
difference.
  


Now we're arguing symantics, undislosed information would also by the MySQL
information leak problem then too, as Bernd doesn't want to disclose such
information to an attacker.

-Burton

-Original Message-
From: Lance James [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 21, 2006 2:09 PM
To: Burton Strauss
Cc: 'Bernd Wurst'; bugtraq@securityfocus.com
Subject: Re: MySQL 5.0 information leak?

Burton Strauss wrote:

  

Traditionally the schema for a database is NOT secure information.
Applications download this information to build queries on the fly.

The essential problem is relying on security by obscurity, I have 
user accounts (nss) that have publicly available credentials but noone 
[sic] should be able to see how the database really is organized.
 




Denying the security through obscurity is not applicable could be
incorrect.
It does have it's place i.e. what's your root password?

In WebAppSec, security by obscurity assists in deterring attackers, and 
buying some time. So if one can prevent full disclosure of the schema 
of the db, that can be useful combined with security in depth.

my two cents.

-Lance

  

-Burton

-Original Message-
From: Bernd Wurst [mailto:[EMAIL PROTECTED]
Sent: Friday, January 20, 2006 6:05 AM
To: bugtraq@securityfocus.com
Subject: MySQL 5.0 information leak?

Hi.

I just upgraded to mysql 5.0.18 and started using all those cool new 
features. :)

But concerning VIEWs, I think the information_schema is too verbose to 
the user. I started creating a VIEW that searches information from 
several tables, mangles the data and gives the user a clean table with 
his data. So far, so good.

But I only give the user access to this VIEW, so he cannot see what's 
done to get his data from several tables.

SHOW CREATE VIEW myview;
does (correctly) result in an error that the user is not allowed to 
see the CREATE VIEW.

But SELECT * FROM information_schema.views; returns the full query 
that ceates the desired VIEW.

I think of this as a security issue because I have user accounts (nss) 
that have publicly available credentials but noone should be able to 
see how the database really is organized.

What do you think of this? Bug?

cu, Bernd

--
Windows Error 019: User error. It's not our fault. Is not! Is not!

RE: MySQL 5.0 information leak?

2006-01-21 Thread Burton Strauss 
Traditionally the schema for a database is NOT secure information.
Applications download this information to build queries on the fly.

The essential problem is relying on security by obscurity, I have user
accounts (nss) that have publicly available credentials but noone [sic]
should be able to see how the database really is organized.

-Burton 

-Original Message-
From: Bernd Wurst [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 20, 2006 6:05 AM
To: bugtraq@securityfocus.com
Subject: MySQL 5.0 information leak?

Hi.

I just upgraded to mysql 5.0.18 and started using all those cool new
features. :)

But concerning VIEWs, I think the information_schema is too verbose to the
user. I started creating a VIEW that searches information from several
tables, mangles the data and gives the user a clean table with his data. So
far, so good.

But I only give the user access to this VIEW, so he cannot see what's done
to get his data from several tables.

SHOW CREATE VIEW myview;
does (correctly) result in an error that the user is not allowed to see the
CREATE VIEW.

But SELECT * FROM information_schema.views; returns the full query that
ceates the desired VIEW.

I think of this as a security issue because I have user accounts (nss) that
have publicly available credentials but noone should be able to see how the
database really is organized. 

What do you think of this? Bug?

cu, Bernd

--
Windows Error 019: User error. It's not our fault. Is not! Is not!