[plug] Linux security idea - maybe

Denis Brown dsbrown at cyllene.uwa.edu.au
Thu Jun 12 21:54:03 WST 2003


On Thu, 12 Jun 2003, Craig Ringer wrote:

> > It seems to me that the Holy Grail of breaking into a computer system is
> > to achieve administrative access.   Windows (NT and above) has the
> > Administrator account, Unix / Linux has root.   One of the things we are
> > 
> Actually, many many more breakins are due to the cracking of daemons 
> running as root, and that's the first thing that should be eliminated 
> where at all possible. Where not possible, a privilege-separated model 
> needs to be used where the root process is very small and simple, using 
> only well-documented APIs to communicate with the non-root part of the 
> daemon.

Doh! (slaps forehead)  Yes, quite right it is the daemons that get
attacked mainly, hence the patches, fixed buffer overflows, etc.

> > Well, can we do something like that for Unix / Linux? Would it be
> > equally useful?
> 
> We can, and it's well-known if less than common practice. Try to get 
> "root" on one of my machines :-)
> 
> There are a number of problems with this approach, though. A number of 
> things will look up the superuser account by the name "root" rather than 
> looking for uid 0, causing some breakage if root isn't who they expect.

I like your understatement "causing some breakage..." :-)

> Also, as you mentioned, it's still uid 0 and still owns everything. Note 
> that root need not own everything - I could create a uid, say, bobby 
> (65530), that owns most things on the system and it wouldn't be an 
> issue. I would want it to have login shell /bin/false and an invalid 
> password, though.

Hmmm... I had not thought of that (the almost don't-care status of
ownership) but I can see it now - as long as the right permissions for r,
w and x are present, something could be owned by Joe Bloggs for all the
system would care.
 
> It's always easy to discover who the superuser is by checking who uid 0 is.
> 
> A simple thing that helps a lot is leaving uid 0 as "root" but creating 
> a second uid 0 account (yeah, you can do that) for root logins, named 
> whatever you like. That at least prevents a few direct attempts.

Multiple uid 0's eh?  Clearly Denis needs to do more reading :-(
Sorry, I'm a bit confused though... you mean "root" has a bogus password
or /bin/false shell, hence you use the alternative account to log in as 
superuser?

Cheers and thanks,
Denis
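The point made in the thread that the superuser is whoever has uid 0, whatever the account is called, and that a system may legitimately carry more than one uid 0 entry, suggests a quick audit. The script below is an added example, not code from either poster; it works on a constructed passwd-format sample (the names "toor" and "bobby", and the uid 65530, are assumptions for illustration) rather than a live /etc/passwd, and lists every uid 0 account, the ones that can actually log in, and the shell a given account has.

```sh
#!/bin/sh
# Added example (not from the original thread): audit a passwd-format file
# for superuser accounts. Matching on uid 0 rather than on the name "root"
# means renaming root, or adding a second uid 0 login, does not hide it.
# The passwd text below is constructed sample data, not a real system file.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/false
toor:x:0:0:superuser login:/root:/bin/bash
bobby:x:65530:65530:owner of most files:/:/bin/false
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin'

# uid0_accounts FILE -> login name of every uid 0 account, one per line
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# uid0_login_capable FILE -> uid 0 accounts whose shell is not a lockout
# shell (/bin/false or *nologin); these are the ones an attacker would aim at
uid0_login_capable() {
    awk -F: '$3 == 0 && $7 != "/bin/false" && $7 !~ /nologin$/ { print $1 }' "$1"
}

# uid_of_name FILE NAME -> numeric uid the login name maps to
uid_of_name() {
    awk -F: -v n="$2" '$1 == n { print $3 }' "$1"
}

# login_shell FILE NAME -> login shell recorded for the account
login_shell() {
    awk -F: -v n="$2" '$1 == n { print $7 }' "$1"
}

# count_uid0 FILE -> number of uid 0 accounts; more than one is worth a look
count_uid0() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# Run the audit over the constructed sample when executed directly.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
echo "uid 0 accounts:"
uid0_accounts "$tmp"
echo "uid 0 accounts that can log in:"
uid0_login_capable "$tmp"
echo "total uid 0 accounts: $(count_uid0 "$tmp")"
rm -f "$tmp"
```

Pointing the functions at the real /etc/passwd instead of the sample shows the same thing on a live box: the entry named "root" with a lockout shell, and any second uid 0 account that is the real login, both come out of the uid 0 match.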




