MAJOR hole in 5.0

Dagmar d'Surreal dagmar.wants at nospam.com
Fri Sep 26 17:17:26 PDT 2003


On Fri, 2003-09-26 at 18:28, Daniel Roethlisberger wrote:
> Dagmar d'Surreal <dagmar.wants at nospam.com> wrote:
> > Most folks figured out that having more than one thing using the
> > nobody role account was a bad idea in the early 90's.
> 
> I wholeheartedly agree: there should be a different unprivileged user
> account for every piece of software requiring such. But there is no harm
> in having a nobody user, while at the same time, it might potentially
> come in handy. *You* might know that you don't need it, especially on
> production machines where you run only a small number of well-configured
> daemons; but I believe that giving the general advice to remove the
> nobody user without a lot of further background information (such as
> contained in this thread) is not the Right Thing[tm] to do.

They actually don't need a lot of background information for this one.
It's simply a matter of are they using anything that uses it (not
likely, since only certain unconfigured portmapper services which are as
a result probably a bigger threat than this) or are they not?  Unused
accounts shouldn't exist on maintained machines.

Just to drive some people insane, I'll throw this in...  There's nothing
magical about whether or not an account exists in /etc/{passwd|shadow}.
Root can change to id 40009, 21378, 49152 or whatever at any time and
things will still work.  All uids are perfectly valid at all times as
far as the operating system is concerned.  The /etc/{passwd|shadow}
entries are mainly to give the getpw* functions something to return, and
it's what various things do with _that_ information (like /bin/login
actually cares about the shell listing) that we're trying to watch out
for by eliminating unused accounts entirely.

Sometimes administrative actions aren't quite so obviously beneficial as
anything other than the formal implementation of a best practice or
policy.

-- 
The email address above is phony because the people making archives of list
traffic publicly available on the web aren't taking measures to protect the
email addresses from filthy spammers.
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
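The two points made above (an account in /etc/passwd that nothing uses is just an unnecessary entry for login and friends to act on, and a uid the kernel is happy to use can exist with no passwd entry at all) both suggest an audit. The script below is an added example, not code from the mail or from the LFS project: it parses passwd-format text and compares it against the uids that own running processes and files. The passwd lines, process-owner uids and file-owner uids are constructed inline so it runs offline; on a real host you would feed it the real /etc/passwd plus uids collected from the process table and a filesystem walk, and that collection step is assumed rather than shown.

```python
"""Audit helpers: unused role accounts and ownerless uids (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Shells that /bin/login will refuse to start an interactive session with.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


@dataclass
class Account:
    name: str
    uid: int
    shell: str


def parse_passwd(text: str) -> Dict[int, Account]:
    """Build a uid -> Account map from passwd-format text (7 colon-separated fields).

    This map is the userland view of accounts, the same data the getpw*
    functions hand back; the kernel itself never consults it.
    """
    accounts: Dict[int, Account] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; skip rather than guess at it
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        accounts[int(uid)] = Account(name, int(uid), shell)
    return accounts


def unused_accounts(accounts: Dict[int, Account],
                    process_uids: Iterable[int],
                    owner_uids: Iterable[int]) -> List[str]:
    """Names of non-root accounts that own no running process and no file."""
    referenced = set(process_uids) | set(owner_uids)
    return sorted(a.name for uid, a in accounts.items()
                  if uid != 0 and uid not in referenced)


def orphan_uids(accounts: Dict[int, Account],
                owner_uids: Iterable[int]) -> List[int]:
    """uids seen as owners that have no passwd entry.

    The kernel treats every uid as valid, so files and processes can carry
    a uid that getpwuid() cannot resolve; these deserve a look.
    """
    return sorted(set(owner_uids) - set(accounts))


def login_capable_unused(accounts: Dict[int, Account],
                         process_uids: Iterable[int],
                         owner_uids: Iterable[int]) -> List[str]:
    """Unused accounts that still carry a real shell, i.e. the ones login would honour."""
    unused = set(unused_accounts(accounts, process_uids, owner_uids))
    return sorted(a.name for a in accounts.values()
                  if a.name in unused and a.shell not in NOLOGIN_SHELLS)


# --- constructed sample input (not taken from any real host) ---------------
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
postfix:x:101:104::/var/spool/postfix:/sbin/nologin
olduser:x:1001:1001:Left in 2001:/home/olduser:/bin/bash
"""
SAMPLE_PROCESS_UIDS = [0, 101]          # constructed: root and postfix are running
SAMPLE_OWNER_UIDS = [0, 101, 40009]     # constructed: 40009 owns files, has no entry


if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_PASSWD)
    print("unused accounts:", unused_accounts(accts, SAMPLE_PROCESS_UIDS, SAMPLE_OWNER_UIDS))
    print("unused with a login shell:", login_capable_unused(accts, SAMPLE_PROCESS_UIDS, SAMPLE_OWNER_UIDS))
    print("uids with no passwd entry:", orphan_uids(accts, SAMPLE_OWNER_UIDS))
```

A one-off snapshot of process owners will miss accounts used only by cron jobs or rarely started services, so treat the "unused" list as candidates to investigate rather than a deletion list; the orphan list is the more clear-cut finding, since nothing in passwd explains those owners.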