Re: noboby with a shell !!
On Mon, 31 Mar 2003 at 08:07:05PM +0100, Dale Amon wrote:
> I have heard it so argued and remain to be convinced.
> I have a cfengine script that overwrites the work of
> debian packages in passwd within minutes of an upgrade.
> All non-real users get /dev/false for a shell on my
> systems. If it breaks some arcane feature... tough.

This is ridiculous and in no way increases the security of your system since no one can log in to those accounts anyhow! Plus if I have access to gain privs to that account (be it an exploit or whatever) I can place a system call to a REAL command interpreter (say /bin/sh or whatever your favorite is). Doing this serves absolutely no purpose but to break parts of your system... but it is your system so have at it.

A great way to secure your system has also been to run (as root) "rm -rf /" and then reboot your machine to apply the update. But I don't think anyone would seriously recommend that as a way of "Improving security", just like one wouldn't consider giving a no-loginable account an invalid shell.

Like I said... your system, I won't get into a flame war over it.

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #183: Ionization from the air-conditioning
Re: noboby with a shell !!
On Sat, Mar 29, 2003 at 12:55:21AM +0100, Sven Hoexter wrote:
> Ok then I'm out of arguments ;) but I think there is a reason for the packagers
> to setup a lot of dummy users for daemons etc. with /bin/sh instead of
> /bin/false or /dev/null.

I have heard it so argued and remain to be convinced. I have a cfengine script that overwrites the work of debian packages in passwd within minutes of an upgrade. All non-real users get /dev/false for a shell on my systems. If it breaks some arcane feature... tough.

--
IN MY NAME: Dale Amon, CEO/MD
No Mushroom clouds over Islandone Society, London and New York.
www.islandone.org
--
Re: noboby with a shell !!
On Fri, Mar 28, 2003 at 10:55:45PM +0100, Christian Jaeger wrote:
> At 12:11 Uhr +0100 26.03.2003, Sven Hoexter wrote:
Hi,

> > This might be bad cause AFAIK a few cronjobs change from their root uid to
> > nobody via the su command.
>
> They don't really need a shell setting for nobody. su -s /bin/sh
> $commandline works as well.

Ok then I'm out of arguments ;) but I think there is a reason for the packagers to setup a lot of dummy users for daemons etc. with /bin/sh instead of /bin/false or /dev/null.

Sven
--
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, you're going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
Re: noboby with a shell !!
At 12:11 Uhr +0100 26.03.2003, Sven Hoexter wrote:
> This might be bad cause AFAIK a few cronjobs change from their root uid to
> nobody via the su command.

They don't really need a shell setting for nobody. su -s /bin/sh $commandline works as well.

Christian.
Re: noboby with a shell !!
On Wed, Mar 26, 2003 at 10:50:48AM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> > Well yes it could :) As long as the user has no valid password it's not very
> > useful. Take a look into the /etc/shadow and in the second field you'll find
> > ! or * indicating that this user has an invalid password. See man 5 shadow.
>
> That's hardly true. If an attacker could somehow create an ssh
> authorized_keys file, they could log in without a password.

and if he can somehow create the non existing home dir. or if he can somehow change the $HOME ... oh forgot when he has the power to somehow change the $HOME he can change the $SHELL or if he can edit the /etc/passwd he's root ... who cares about nobody.

Yeah there are so many side conditions that could happen, what a horror - time to take the internet offline. *hrhr*

Well at least you shouldn't run all your daemons under one uid. Create one for the ftpd, one for your httpd and so on.

SCNR
Sven
--
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, you're going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
Re: Re: noboby with a shell !!
This e-mail address does not exist
Re: noboby with a shell !!
On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> Well yes it could :) As long as the user has no valid password it's not very
> useful. Take a look into the /etc/shadow and in the second field you'll find
> ! or * indicating that this user has an invalid password. See man 5 shadow.

That's hardly true. If an attacker could somehow create an ssh authorized_keys file, they could log in without a password.

noah
--
___ | Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: noboby with a shell !!
Yoann <[EMAIL PROTECTED]> writes:
> there is an * in /etc/shadow for nobody, but all services (ftp, web...)
> are running with the uid nobody so if there is an attack on an unknown
> bug (I keep up to date all services) on those services (buffer overflow
> for example), it will be unsecure...

It will be unsecure even if the shell field is filled with garbage...

1) The buffer overflow kind of attack is to launch a program from within another, a shell for example.

2) The shell shield (more easy to write than to tell) is used by:
- /bin/login to launch a shell, or a pppd in some case
- /*/ftpd to allow (/bin/true) or disallow (/bin/false) ftp access
- probably lots of other programs.

HTH.

--
Reality always seems harsher in the early morning.
--
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/
Re: noboby with a shell !!
> > Hi,
> > I look at in the file /etc/passwd on my server today, and I saw the user
> > nobody has a shell !!. When I installed my debian (sarge, I know it's
> > bad, but it's just a server for me...) I put /bin/false. A few days ago,
> > while an upgrade, apt asked to me to upgrade that file to the new
> > version and answer yes, so I think it come from that action, but it
> > could be unsecure to put /bin/sh for nobody ?
>
> Well yes it could :) As long as the user has no valid password it's not very
> useful. Take a look into the /etc/shadow and in the second field you'll find
> ! or * indicating that this user has an invalid password. See man 5 shadow.

there is an * in /etc/shadow for nobody, but all services (ftp, web...) are running with the uid nobody so if there is an attack on an unknown bug (I keep up to date all services) on those services (buffer overflow for example), it will be unsecure...

> > nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> >                                          ^^^
> > I change to :
> >
> > nobody:x:65534:65534:nobody:/dev/null:/bin/false
>
> This might be bad cause AFAIK a few cronjobs change from their root uid to
> nobody via the su command. See your /var/log/syslog maybe you'll now get
> some errors from cron jobs at night.

I will pay attention, thx Sven

Yoann
Re: noboby with a shell !!
Does the user nobody have a password in /etc/shadow ?

greets
Robbert

Quoting Yoann <[EMAIL PROTECTED]>:
> hi,
>
> I look at in the file /etc/passwd on my server today, and I saw the user
> nobody has a shell !!. When I installed my debian (sarge, I know it's
> bad, but it's just a server for me...) I put /bin/false. A few days ago,
> while an upgrade, apt asked to me to upgrade that file to the new
> version and answer yes, so I think it come from that action, but it
> could be unsecure to put /bin/sh for nobody ?
>
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>
> I change to :
>
> nobody:x:65534:65534:nobody:/dev/null:/bin/false
>
> Yoann
Re: noboby with a shell !!
On Wed, Mar 26, 2003 at 11:35:38AM +0100, Yoann wrote:
Hi,

> I look at in the file /etc/passwd on my server today, and I saw the user
> nobody has a shell !!. When I installed my debian (sarge, I know it's
> bad, but it's just a server for me...) I put /bin/false. A few days ago,
> while an upgrade, apt asked to me to upgrade that file to the new
> version and answer yes, so I think it come from that action, but it
> could be unsecure to put /bin/sh for nobody ?

Well yes it could :) As long as the user has no valid password it's not very useful. Take a look into the /etc/shadow and in the second field you'll find ! or * indicating that this user has an invalid password. See man 5 shadow.

> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>
> I change to :
>
> nobody:x:65534:65534:nobody:/dev/null:/bin/false

This might be bad cause AFAIK a few cronjobs change from their root uid to nobody via the su command. See your /var/log/syslog maybe you'll now get some errors from cron jobs at night.

Sven
--
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, you're going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
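As an added example (not code from anyone in this thread), here is a small audit that applies Sven's /etc/shadow test together with the passwd shell field, so an entry like `nobody:...:/bin/sh` paired with `*` in shadow is reported as not loginable by password, while a service account that really does carry a hash and a shell is flagged. The passwd and shadow entries embedded below are constructed, and the hash strings are placeholders, not real password hashes.

```python
# Sample entries are constructed; the hash strings are placeholders.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_colon_file(text: str) -> dict:
    """Map account name -> list of fields for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def password_locked(hash_field: str) -> bool:
    """shadow(5): a field starting with '!' or '*' never matches any password.
    An empty field means NO password is required, so it is not locked. A bare
    'x' (passwd entry with no shadow line at all) also matches nothing."""
    return hash_field.startswith(("!", "*")) or hash_field == "x"


def shell_is_interactive(shell: str) -> bool:
    """passwd(5): an empty shell field means /bin/sh, so it counts as interactive."""
    return (shell or "/bin/sh") not in NOLOGIN_SHELLS


def audit(passwd_text: str, shadow_text: str) -> dict:
    """Per account: is a password login actually possible?"""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    report = {}
    for name, fields in passwd.items():
        # passwd: name:pw:uid:gid:gecos:home:shell ; shadow: name:hash:...
        hash_field = shadow[name][1] if name in shadow else fields[1]
        interactive = shell_is_interactive(fields[6])
        locked = password_locked(hash_field)
        report[name] = {
            "shell_interactive": interactive,
            "password_locked": locked,
            # The thread's point: a login shell alone opens nothing; a password
            # login needs an interactive shell AND an unlocked password.
            "password_login_possible": interactive and not locked,
        }
    return report


PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
ftp:x:108:65534::/home/ftp:/bin/false
"""
SHADOW_SAMPLE = """\
root:$1$PLACEHOLDER$PLACEHOLDERHASH:12000:0:99999:7:::
nobody:*:12000:0:99999:7:::
www-data:$1$PLACEHOLDER$PLACEHOLDERHASH:12000:0:99999:7:::
ftp:!:12000:0:99999:7:::
"""

if __name__ == "__main__":
    for name, info in audit(PASSWD_SAMPLE, SHADOW_SAMPLE).items():
        print(name, info)
```

The audit only covers password logins; as Phil and François point out, a compromised daemon already running as that uid can exec a shell whatever the field says, so the uid split Sven recommends (one account per daemon) matters more than the shell entry.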