[plug] Linux security idea - maybe
Denis Brown
dsbrown at cyllene.uwa.edu.au
Thu Jun 12 21:54:03 WST 2003
On Thu, 12 Jun 2003, Craig Ringer wrote:
> > It seems to me that the Holy Grail of breaking into a computer system is
> > to achieve administrative access. Windows (NT and above) has the
> > Administrator account, Unix / Linux has root. One of the things we are
> >
> Actually, many many more breakins are due to the cracking of daemons
> running as root, and that's the first thing that should be eliminated
> where at all possible. Where not possible, a privelege-separated model
> needs to be used where the root process is very small and simple, using
> only well-documented APIs to communicate with the non-root part of the
> daemon.
Doh! (slaps forehead) Yes, quite right it is the daemons that get
attacked mainly, hence the patches, fixed buffer overflows, etc.
> > Well, can we do something like that for Unix / Linux? Would it be
> > equally useful?
>
> We can, and it's well-known if less than common practice. Try to get
> "root" on one of my machines :-)
>
> There are a number of problems with this approach, though. A number of
> things will look up the superuser account by the name "root" rather than
> looking for uid 0, causing some breakage if root isn't who they expect.
I like your understatement "causing some breakage..." :-)
> Also, as you mentioned, it's still uid 0 and still owns everything. Note
> that root need not own everything - I could create a uid, say, bobby
> (65530), that owns most things on the system and it wouldn't be an
> issue. I would want it to have login shell /bin/false and an invalid
> password, though.
Hmmm... I had not thought of that (the almost don't-care status of
ownership) but I can see it now - as long as the right permissions for r,
w and x are present, something could be owned by Joe Bloggs for all the
system would care.
> It's always easy to discover who the superuser is by checking who uid 0 is.
>
> A simple thing that helps a lot is leaving uid 0 as "root" but creating
> a second uid 0 account (yeah, you can do that) for root logins, named
> whatever you like. That at least prevents a few direct attempts.
Multiple uid 0's eh? Clearly Denis needs to do more reading :-(
Sorry, I'm a bit confused though... you mean "root" has a bogus password
or /bin/false shell, hence you use the alternative account to log in as
superuser?
Cheers and thanks,
Denis
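As an added illustration of two points raised above (an extra uid 0 account alongside "root", and software that looks up the superuser by name rather than by uid), here is a small passwd-file audit. It is not code from the thread; the passwd lines, the account names "toor" and "admin", and the no-login shell list are constructed assumptions.

```python
"""Audit passwd-format entries for uid 0 accounts (constructed sample data)."""
from typing import List, NamedTuple, Optional

# Constructed sample: "root" locked with /bin/false, a second uid 0 login "toor".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/false
toor:x:0:0:real superuser login:/root:/bin/bash
bobby:x:65530:65530:owns most of the filesystem:/:/bin/false
dsbrown:x:1000:1000:Denis Brown:/home/dsbrown:/bin/bash
"""

# Constructed sample where the uid 0 account has been renamed outright.
RENAMED_PASSWD = """\
admin:x:0:0:superuser:/root:/bin/bash
dsbrown:x:1000:1000:Denis Brown:/home/dsbrown:/bin/bash
"""

# Shells that prevent an interactive login (assumed set, extend per distro).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


class PwEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    shell: str


def parse_passwd(text: str) -> List[PwEntry]:
    """Parse the seven colon-separated fields of each passwd line."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PwEntry(fields[0], int(fields[2]), int(fields[3]), fields[6]))
    return entries


def superusers(entries: List[PwEntry]) -> List[PwEntry]:
    """Every uid 0 account, whatever it is called: the check an auditor should run."""
    return [e for e in entries if e.uid == 0]


def loginable_superusers(entries: List[PwEntry]) -> List[str]:
    """Names of uid 0 accounts that still have an interactive login shell."""
    return [e.name for e in superusers(entries) if e.shell not in NOLOGIN_SHELLS]


def lookup_by_name(entries: List[PwEntry], name: str) -> Optional[PwEntry]:
    """Mimics software that hard-codes the name 'root'; returns None if renamed."""
    return next((e for e in entries if e.name == name), None)
```

Running `superusers` over a real `/etc/passwd` is the quick way to confirm how many uid 0 accounts a host actually has, since a name-based check misses any account other than "root".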