Re: Security issues in publishing content of /etc ?

[Lukasz Sztachanski <szati () rudy mif pg gda pl>]

Dnia Sat, Aug 07, 2004 at 06:06:06PM +0000, lemieuxs () ca inter net napisal(a):
> Hi there,
>   I was wondering about the following idea.
>
>   What if the content of the /etc/ directory of a linux server was public to anyone logged
> in. And what if 
> anyone could log in, with read-only access.
just check permisions... the only problem is posibility of exploiting some
program working with uid(0) - that will give full access to all files.

you can also use 'chflags'( only for some files), and syscalls monitoring( e.g. systrace or
grsecurity, and afair- lids). 

>   I believe the security issue here is that there will be no secrets for anyone who wants
> to hack, they'll 
for non-local users too, even if you'll manipulate with /etc.

> know the DNS IP, 
so secure your dns - dns's ip has to be public for normal work

> running services,
then hide processes did't own by some uid ( openwall, grsecurity)
> their options, they will be able to copy /etc/passwd
> and crack the 
> passwords with time.
there's no passwords in passwd. /etc/shadow contain passwords - it's 'rw'
only for uid0.

passwd, like many other files in /etc, has to be readable for normal work.
denying access to /etc is realy bad policy. You can still make this
directory 751 to prevent 'ls' for others( in this case others = lame users).


>   What else could bring a security issue?
>
>   I'm asking this because I'm soon going to develop a file sharing program which the whole
> network will 
> mimic a single virtual host, but with no central nodes, the write permissions will be
> stored publicly,etc.  
> I'll probably post my project's headline when I get a clearer idea of how to handle it.
>
> Thanks in advance,
>  Simon
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------
good luck

-- 
Lukasz Sztachanski
szati<at>rudy.mif.pg.gda.pl
http://szati.mif.one.pl


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------