Re: Unix Application,

From: Claudio Broglia (xeon@sysroot.eu)
Date: Tue May 22 2007 - 09:34:04 EDT


Quoting IRM <irm@iinet.net.au>:

> Dear all,
>
> On my recent pen test, I have seen Unix apps (written in C) that rely on
> UNIX authentication (/etc/passwd and /etc/group) to determine which
> functionalities the user can access.
> 1) My first question would be: what is the rationale for having such a
> design? Obviously the authentication design is open not only to the
> application users but also to the operating system users.

Yes, the application's users would also have access to the system shell. But
the idea of having users managed by the system, instead of by a separate
database, is that you can share them across multiple applications, managing
rights and permissions centrally, or give them access to other services
(mail, ftp, etc.).
I don't like this very much, but depending on the situation it could
be the "right way to do it".

>
> 2) I know that on some Unix/Linux flavors the system can force the user
> to change their password every X days. If I am not wrong, this setting
> can be set through "/etc/shadow", but what if the user never accesses
> their shell?
> Would it still force the user to change their password?
> (say in /etc/passwd: username .......: :::::: /bin/apps - instead of
> /bin/sh) - so when the user actually connects to the terminal, it
> automatically runs the application and not a shell - if I am not wrong,
> .profile is run after /bin/sh is called?
>
> Cheers,
> John,

Well, if the application that checks which groups the user belongs to
doesn't make the user validate, i.e. doesn't check for account
enabled/disabled/expired password/whatsoever, this setting would
obviously be ignored.

bye
xeon
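The point made in the reply, as an added example that is not part of the original thread: an application that only looks up group membership in /etc/group never sees the ageing fields in /etc/shadow, so a user whose password has expired (or whose account is locked) is still let in. The second check below evaluates those shadow fields the way the system login path would. The group and shadow lines are constructed sample data with placeholder hashes, the day counts are made up, and the function names are this example's own.

```python
"""Constructed /etc/group and /etc/shadow snippets plus two authorization
checks: membership only (what the thread describes) versus membership plus
shadow account state. Illustrative example, not code from the thread."""

# Constructed sample data: hashes are placeholders, not real password hashes.
GROUP_DB = """\
root:x:0:
appusers:x:1001:alice,bob,carol,eve
"""
SHADOW_DB = """\
alice:$6$placeholder$hash:19000:0:90:7:14::
bob:$6$placeholder$hash:17000:0:90:7:14::
carol:!$6$placeholder$hash:19000:0:90:7:14::
dave:$6$placeholder$hash:19000:0:99999:7:::
eve:$6$placeholder$hash:0:0:90:7:14::
"""
TODAY = 19050  # constructed "days since the epoch" value for the checks


def parse_groups(text):
    """name -> set of member usernames (/etc/group layout: name:pw:gid:members)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def _int_or_none(field):
    return int(field) if field else None


def parse_shadow(text):
    """name -> dict of the ageing fields (/etc/shadow layout, see shadow(5))."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        entries[f[0]] = {
            "hash": f[1],
            "lastchg": _int_or_none(f[2]),   # day of last password change
            "min": _int_or_none(f[3]),
            "max": _int_or_none(f[4]),       # days the password stays valid
            "warn": _int_or_none(f[5]),
            "inactive": _int_or_none(f[6]),  # grace days after expiry
            "expire": _int_or_none(f[7]),    # absolute account expiry day
        }
    return entries


def group_only_check(user, group, groups):
    """What the application in the thread does: membership, nothing else."""
    return user in groups.get(group, set())


def account_status(user, shadow, today):
    """Evaluate the shadow ageing fields the way the system login path would."""
    e = shadow.get(user)
    if e is None:
        return "no_shadow_entry"
    if e["hash"].startswith(("!", "*")):
        return "locked"
    if e["expire"] is not None and today >= e["expire"]:
        return "account_expired"
    if e["lastchg"] == 0:
        return "must_change"  # forced change at next login
    if e["max"] is not None and e["lastchg"] is not None:
        pw_expiry = e["lastchg"] + e["max"]
        if today > pw_expiry:
            if e["inactive"] is not None and today > pw_expiry + e["inactive"]:
                return "inactive"  # grace period over, account disabled
            return "must_change"
    return "ok"


def authorize(user, group, groups, shadow, today):
    """Membership *and* account state; returns (allowed, reason)."""
    if not group_only_check(user, group, groups):
        return False, "not_in_group"
    status = account_status(user, shadow, today)
    return status == "ok", status


if __name__ == "__main__":
    groups, shadow = parse_groups(GROUP_DB), parse_shadow(SHADOW_DB)
    for u in ("alice", "bob", "carol", "dave", "eve"):
        print(u, group_only_check(u, "appusers", groups),
              authorize(u, "appusers", groups, shadow, TODAY))
```

Running it shows bob passing the membership-only check although his password expired long ago and the grace period has passed, and carol passing although her account is locked; only the shadow-aware check rejects them. On a real system the application would not parse these files itself but would call the platform's account validation (PAM on Linux) so that the ageing policy is enforced wherever the user authenticates.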
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:49 EDT