WebApp Sec mailing list archives

Re: htaccess with apache


From: Tim Greer <chatmaster () charter net>
Date: 07 Nov 2003 08:39:49 -0800

On Fri, 2003-11-07 at 06:12, António Vasconcelos wrote:


> Just to show how easy it is to do something that looks to be innocent and 
> turns out to be a major security problem.

That is another issue, it's not relevant.  I'm not sure how aware of
issues you are, but it would behoove you to not respond to me as if I do
not know because you happen to disagree about this discussion and this
file in particular.

> > (unless your server isn't set up well), and save the resources since
> > your server is secured properly.  Oh well, to each their own, but I have
> > to wonder when people make a big deal about something that's not.
 

> I'm not talking about good/bad server setup.
> It's just that the username/password authentication mechanism is a weak 
> one, and I know that, if possible, users will use a bad or easy to guess 
> password.

Assuming you authenticate using this file by allowing shell access and
don't chroot that service, sure.  Like I said, there's plenty of ways to
obtain that information anyway--and if a user uses an insecure password,
someone's going to easily get access to their account anyway--there's no
way to prevent that if you are allowing users to set weak passwords. 
You can implement methods to not allow them to change their passwords to
any that appear weak, but users like that will store it in an unsafe
manner that would likely be easier for the attacker to obtain it
anyway--so the main issue is to have a secure server where the person
that compromises the stupid user's account, can't do anything.

> My experience tells me that about 10% of the users _do_ choose a password 
> that can be retrieved just from the username and GECOS fields, plus one 
> or two digits.

Well, there's more ways to get that information and too many
programs/services rely on this file to run properly--you can only tweak
it so much, so chroot the services they'd use and it's not going to
hurt--but I just think you're making too big of a deal about it. 
Someone's easily going to be able to obtain that information anyway, and
get into such a user's account anyway.

> So, disclosing the /etc/passwd file is something that should not be 
> done, and should not be regarded as trivial.

If you say so, but I don't agree.

> As it _may_ contain info valuable for someone that wants to break into 
> your system.

Or, you mean "another user's site", having nothing to do with the system
(other than the discussion of a vulnerable CGI/PHP script being able to
open the passwd file from a remote attack so a remote attacker could get
clued in).  That may be true, but that should be as far as an attacker
can get on a secured system anyway.  Yes, it's something you want to
prevent, but there's no realistic way you can deny that information
anyway, even in that medium--the remote attacker can obtain the
information via many other files as well.  Simply, don't have shell
access and use a different user name that other services don't rely on
the pass file to match beyond the uid, so it's safe and does its job,
and then chroot the other services, for only the user that said service
runs off of.  This makes the passwd file useless to an attacker.

> You should not regard anything as trivial just because you don't know 
> how (or if) it can be used against you.

Yes, I do know how/if, and it is trivial.  Just because I don't agree
with you, doesn't mean that I'm not aware that certain information can
be used--you're just making it sound like more of an issue than it is. 
Thus, I can easily respond with "Just because you don't know it's not a
big deal, doesn't mean it's as big of a risk as you think it is--because
you don't know".  Give me a break.
-- 
Tim Greer <chatmaster () charter net>
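As an added illustration (not code from the thread or from either poster), here is the kind of password-policy check Tim alludes to: it rejects a password built from the account's own login name or GECOS field plus up to two digits, the weak pattern António describes. The passwd entries are constructed samples and the function names are my own.

```python
import re

# Constructed sample passwd entries (not real accounts): name:x:uid:gid:GECOS:home:shell
SAMPLE_PASSWD = """\
jsmith:x:1001:1001:John Smith,Room 42,555-0100:/home/jsmith:/bin/bash
avasc:x:1002:1002:Antonio Vasconcelos:/home/avasc:/bin/bash
"""

def parse_passwd(text):
    """Return {username: gecos} from passwd-format text (7 colon-separated fields)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue  # skip blank or malformed lines
        entries[fields[0]] = fields[4]
    return entries

def gecos_tokens(username, gecos):
    """Words readable straight off the entry: login name, words of the full-name
    part of GECOS (before the first comma), and simple joins/initials of them."""
    tokens = {username}
    full_name = gecos.split(",")[0]
    words = [w for w in re.split(r"[\s\-.]+", full_name) if w]
    tokens.update(words)
    if len(words) >= 2:
        tokens.add("".join(words))            # johnsmith
        tokens.add(words[0][0] + words[-1])   # jsmith
        tokens.add(words[0] + words[-1][0])   # johns
    return {t.lower() for t in tokens if len(t) >= 3}

def is_gecos_derived(password, username, gecos, max_digits=2):
    """True if the password is a token (or its reverse) followed by at most
    max_digits digits; comparison is case-insensitive."""
    pw = password.lower()
    stem = re.fullmatch(r"(.*?)(\d{0,%d})" % max_digits, pw).group(1)
    for tok in gecos_tokens(username, gecos):
        if stem == tok or stem == tok[::-1]:
            return True
    return False

def check_password(password, username, passwd_text=SAMPLE_PASSWD):
    """Policy hook for a password-change tool: True means the password is acceptable."""
    gecos = parse_passwd(passwd_text).get(username, "")
    return not is_gecos_derived(password, username, gecos)
```

The stem/digit split is deliberately limited to two trailing digits, matching the pattern in the thread; a production policy would also run a dictionary check such as cracklib's.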
