Security Basics mailing list archives
Re: Security issues in publishing content of /etc ?
From: Lukasz Sztachanski <szati () rudy mif pg gda pl>
Date: Mon, 9 Aug 2004 22:50:46 +0200
On Sat, Aug 07, 2004 at 06:06:06PM +0000, lemieuxs () ca inter net wrote:
> Hi there, I was wondering about the following idea. What if the content of the /etc/ directory of a linux server was public to anyone logged in. And what if anyone could log in, with read-only access.
Just check permissions... the only problem is the possibility of exploiting some program working with uid(0) - that will give full access to all files. You can also use 'chflags' (only for some files), and syscall monitoring (e.g. systrace or grsecurity, and AFAIR LIDS).
> I believe the security issue here is that there will be no secrets for anyone who wants to hack, they'll
For non-local users too, even if you manipulate /etc.
> know the DNS IP,
So secure your DNS - the DNS's IP has to be public for it to work normally.
> running services,
Then hide processes not owned by some uid (openwall, grsecurity).
> their options, they will be able to copy /etc/passwd and crack the passwords with time.
There are no passwords in passwd. /etc/shadow contains the passwords - it's 'rw' only for uid 0. passwd, like many other files in /etc, has to be readable for normal work. Denying access to /etc is really bad policy. You can still make this directory 751 to prevent 'ls' for others (in this case others = lame users).
> What else could bring a security issue? I'm asking this because I'm soon going to develop a file sharing program in which the whole network will mimic a single virtual host, but with no central nodes; the write permissions will be stored publicly, etc. I'll probably post my project's headline when I get a clearer idea of how to handle it. Thanks in advance, Simon
Good luck.

--
Lukasz Sztachanski
szati<at>rudy.mif.pg.gda.pl
http://szati.mif.one.pl

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
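The permission model behind the reply's points (passwd must stay readable, shadow is 'rw' for uid 0 only, a 751 /etc stops 'ls' but not opening a known file by name), as an added example that is not part of the thread. `ETC_MODEL` is a constructed stand-in for a real /etc; `allowed`, `readable_by` and `world_readable_files` are names chosen here, and the uid-0 bypass is a simplification of real DAC semantics.

```python
import os
import stat
from typing import Dict, List, Set, Tuple

R, W, X = 4, 2, 1  # bits within one rwx triplet

# Constructed model (assumed values, not read from a host):
# path -> (mode, owner uid, owner gid). /etc is 751 as the reply
# suggests, shadow is 0600 root-only, passwd stays world-readable.
ETC_MODEL: Dict[str, Tuple[int, int, int]] = {
    "/": (0o755, 0, 0),
    "/etc": (0o751, 0, 0),
    "/etc/passwd": (0o644, 0, 0),
    "/etc/shadow": (0o600, 0, 0),
    "/etc/resolv.conf": (0o644, 0, 0),
}


def triplet(mode: int, f_uid: int, f_gid: int, uid: int, groups: Set[int]) -> int:
    """Owner, group or other triplet that applies to the caller."""
    if uid == f_uid:
        return (mode >> 6) & 0o7
    if f_gid in groups:
        return (mode >> 3) & 0o7
    return mode & 0o7


def allowed(model: Dict[str, Tuple[int, int, int]], path: str,
            uid: int, groups: Set[int], want: int) -> bool:
    """Classic Unix DAC check. uid 0 bypasses (simplified); everyone else
    needs 'x' (search) on each ancestor directory and `want` on the target.
    Listing a directory needs R on it; opening a file by name does not need
    R on the directory, which is why 751 blocks 'ls' but not 'cat'."""
    if uid == 0:
        return True
    parts = [p for p in path.split("/") if p]
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in ancestors:
        mode, f_uid, f_gid = model[d]
        if not triplet(mode, f_uid, f_gid, uid, groups) & X:
            return False
    mode, f_uid, f_gid = model[path]
    return triplet(mode, f_uid, f_gid, uid, groups) & want == want


def readable_by(model: Dict[str, Tuple[int, int, int]], uid: int, groups: Set[int]) -> List[str]:
    """Audit helper: every entry the given caller could read or list."""
    return sorted(p for p in model if allowed(model, p, uid, groups, R))


def world_readable_files(directory: str) -> List[str]:
    """Real-host variant: file names in `directory` whose mode grants 'other' read."""
    return sorted(e.name for e in os.scandir(directory)
                  if e.is_file(follow_symlinks=False)
                  and e.stat(follow_symlinks=False).st_mode & stat.S_IROTH)
```

Run `readable_by(ETC_MODEL, 1000, {1000})` to see what an ordinary local user can still reach with /etc at 751, and `world_readable_files("/etc")` on a real host to list what the 'other' bits expose there.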