Penetration Testing mailing list archives
Re: Unix Application,
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 21 May 2007 14:24:17 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 21 May 2007, IRM wrote:
Dear all, On my recent pen test, I have seen on Unix Apps (written in C) relies on UNIX authentication (/etc/passwd and /etc/group) to determine which functionalities the user can access to. 1) My first question would be what is the rationale of having such design? Obviously the authentication design is open to not only the application users but to the operating system users. 2) I know on some Unix/Linux flavors, the system could enforce the user to change their password every X days. If I am not wrong this setting can be set through "/etc/shadow" but what if the user never accesses their Shell?
Quite a number of lazy aplication developers have been going this route, many web based applications. Bet if you search teh directory structure of the application you'll find such goodies and tads of directories with 777 perms, and many files under then with the same 777 perms, many of which will be *.html and *.gif type files that are left in place with the exe bit set... Oracle has this as a history, webshpere by IBM, and just about any product put out by BMC, SAS applications...
Would it still enforce the user to change their password?
We have found this to not be the case, and get tons of requests for non-expiring passwd's from various groups that lack a clue as to what a shell might be, and any clue at all about maintianing their accounts.
Application developers need to get a clue and keep application accounts out of the whole shell/unix level access account game. The Webtrends folks used to have a clue and might still, offering one to install the application and seperate user shell and application accounts. Much safer setup and less work for the admins having to reset passwd's for users that never used a shell in their life on the job...
(say on /etc/passwd; username .......: :::::: /bin/apps - instead of /bin/sh) - so when the user is actually connect to the terminal, its automatically run the application and not a shell - if I am not wrong .Profile is run after /bin/sh is called?
you likely meant .profile, correct? Thanks, Ron DuFresne
Cheers, John, ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com http://sysinfo.com Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629 ...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins <Still Life With Woodpecker> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFGUePUst+vzJSwZikRAlBOAKCXhFsy0/TYYhhfWPjX833nTIbuaQCgkg1D 0HUlCeyC2dlO75+qk7+HqtU= =818C -----END PGP SIGNATURE----- ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Wireless penetration testing spencerforhire (May 20)
- Unix Application, IRM (May 21)
- Re: Unix Application, Pranay Kanwar (May 21)
- Re: Unix Application, R. DuFresne (May 21)
- Re: Unix Application, Claudio Broglia (May 22)
- Re: Wireless penetration testing Matt Ahrens (May 21)
- Unix Application, IRM (May 21)