From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: !SPAM! Automated ssh scanning

Ron DuFresne wrote:

>If your users are not trustable, then they should not have access to
>local systems of yours.  Once a person has a shell, then they are 95% to
>root.

I'm not sure I entirely agree with what you're saying.

Scratch that - I'm sure I don't agree with what you're actually saying 
here -- though I probably agree with what I think you mean.

If you mean that most default installs have so many packages and that 
many of those packages have methods that most people don't know about of 
getting around security barriers, then I agree with you.

If you mean that even having a shell on a system means that the person 
will eventually get root access, I'm forced to disagree.  It depends on 
a number of things; including packages installed, their configuration; 
the presence of SUID programs; the ability to compile/run code...

Actually locking down a system is not easy, but unlike with MS Windows, 
you're not going to break the system by doing it properly.  (Read the 
filesystem hierarchy standard for some ideas on why that is.)

So, if someone can log into a shell on any *nix system and gain root -- 
there's still something wrong.  It can't just be written off as "well if 
you can get shell you can get root, so don't let them get shell"... 
that's a cop-out argument and if that's the case, then why are we even 
bothering to secure anything anyway?!?  The shell is just an interface - 
its security status is only as good as the tools available to it and 
its configuration.

             -Barry

p.s. Not trying to ruffle feathers, simply calling it like I see it.





