From: R. DuFresne (dufresne@sysinfo.com)
Date: Mon May 21 2007 - 14:24:17 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 21 May 2007, IRM wrote:
> Dear all,
>
> On my recent pen test, I have seen on Unix Apps (written in C) relies on
> UNIX authentication (/etc/passwd and /etc/group) to determine which
> functionalities the user can access to.
> 1) My first question would be what is the rationale of having such
> design? Obviously the authentication design is open to not only the
> application users but to the operating system users.
>
> 2) I know on some Unix/Linux flavors, the system could enforce the user
> to change their password every X days. If I am not wrong this setting
> can be set through "/etc/shadow" but what if the user never accesses
> their Shell?
Quite a number of lazy aplication developers have been going this route,
many web based applications. Bet if you search teh directory structure of
the application you'll find such goodies and tads of directories with 777
perms, and many files under then with the same 777 perms, many of which
will be *.html and *.gif type files that are left in place with the exe
bit set... Oracle has this as a history, webshpere by IBM, and just about
any product put out by BMC, SAS applications...
> Would it still enforce the user to change their password?
We have found this to not be the case, and get tons of requests for
non-expiring passwd's from various groups that lack a clue as to what a
shell might be, and any clue at all about maintianing their accounts.
Application developers need to get a clue and keep application accounts
out of the whole shell/unix level access account game. The Webtrends
folks used to have a clue and might still, offering one to install the
application and seperate user shell and application accounts. Much safer
setup and less work for the admins having to reset passwd's for users that
never used a shell in their life on the job...
> (say on /etc/passwd; username .......: :::::: /bin/apps - instead of
> /bin/sh) - so when the user is actually connect to the terminal, its
> automatically run the application and not a shell - if I am not wrong
> .Profile is run after /bin/sh is called?
you likely meant .profile, correct?
Thanks,
Ron DuFresne
>
> Cheers,
> John,
>
>
>
>
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic
> See HOW Now with our 20/20 program!
>
> http://www.cenzic.com/c/2020
> ------------------------------------------------------------------------
>
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFGUePUst+vzJSwZikRAlBOAKCXhFsy0/TYYhhfWPjX833nTIbuaQCgkg1D
0HUlCeyC2dlO75+qk7+HqtU=
=818C
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:49 EDT