topic Re: lastb command security in Operating System - HP-UX

lastb command security

Hakki Aydin Ucar — Fri, 18 Sep 2009 07:45:44 GMT

based on experience on HP-UX 11iv1, I noticed that lastb command has following privileges as everyone is able to execute :

# ll /usr/bin/lastb
-r-xr-xr-x 2 root sys 16384 Nov 9 2000 /usr/bin/lastb

OK, but in terms of Users can mistakenly enter their passwords as a username when logging in what will happens:
# lastb -R | more
rr oot pts/ta 192.168.xx.x Tue Sep 15 22:04
a1b1c2 pts/tb 192.168.xx.x Mon Sep 14 18:57
1a1b1c pts/ta 192.168.xx.x Mon Sep 14 16:57

the left column has some passwords , in my example a1b1c2 is probably password. So I am confused, and I think it needs to be careful about lastb maybe Admins can write a crontab script to trim /var/adm/btmp
from time to time . .

I there anybody knows anymore what I do not know ?

Re: lastb command security

Turgay Cavdar — Fri, 18 Sep 2009 07:57:39 GMT

Normally lastb can be used by only root. The ownership of /var/adm/btmps must be root and permissions must be 600. Checl lastb man page:
The lastb command searches backwards through the database file /var/adm/btmps to display bad login information. Access to /var/adm/btmps should be restricted to users with appropriate privileges (owned by and readable only by root) because it may contain password information.

Re: lastb command security

Hakki Aydin Ucar — Fri, 18 Sep 2009 08:11:24 GMT

Yes , this the reason I m shocked, in all my customer servers it is readable by everybody :

# ll /var/adm/btmp
-rw-rw-rw- 1 root sys 60 Sep 13 03:00 /var/adm/btmp

weird?

Re: lastb command security

Turgay Cavdar — Fri, 18 Sep 2009 08:36:52 GMT

Something is wrong about the permissions of your files. Not only readable, but also writable :)) Too bad...

Re: lastb command security

Dennis Handly — Fri, 18 Sep 2009 08:50:17 GMT

>I noticed that lastb command has following privileges as everyone is able to execute

Not really, it checks:
$ /usr/bin/lastb
lastb can be invoked only by root. Exiting ....

Re: lastb command security

Hakki Aydin Ucar — Fri, 18 Sep 2009 10:29:57 GMT

>Dennis: it checks . .

Not really, look at this one, user is ordinary user.

$ who am i
aydin pts/1 Sep 18 10:47
$ lastb -R
unknown gold:17233 servisnet Thu Sep 10 13:04
root pts/ta servisnet Wed Sep 9 17:41
root pts/ta servisnet Wed Sep 9 17:41

So, I confused that is this related with our server setup or generic problem ?

Re: lastb command security

Turgay Cavdar — Fri, 18 Sep 2009 11:33:52 GMT

Any possibility for that there are alias definition for "sudo lastb" for users and there is sudo rights for lastb command?

Re: lastb command security

Patrick Wallek — Fri, 18 Sep 2009 12:36:13 GMT

On my 11.0 and 11.11 systems, if the user has permission to read the /var/adm/btmp file, then they can also run the lastb command. As a result, we have restricted permission to 600 on /var/adm/btmp. This does NOT prevent records from being written to the file.

However, on my 11.23 system I get the message that lastb can only be run as root.

Re: lastb command security

Bill Hassell — Sat, 19 Sep 2009 04:12:18 GMT

/var/adm/btmp must always be set to 600 permissions. Some root user has hacked the setting for an unknown reason. It is quite true that btmp will contain passwords typed by careless users. That's why it must be protected. Since 666 is very suspicious, I would run swverify to check all the HP-UX files.

Re: lastb command security

Dennis Handly — Sat, 19 Sep 2009 09:59:53 GMT

>Patrick: if the user has permission to read the /var/adm/btmp file, then they can also run the lastb command.

This is a moot point. If you can read the file you can write your own lastb.

>on my 11.23 system I get the message that lastb can only be run as root.

Ah right, they fixed it there.

Re: lastb command security

Hakki Aydin Ucar — Sat, 19 Sep 2009 10:13:32 GMT

>Turgay:Any possibility for that there are alias definition for "sudo lastb" for users
I will check this in my lab, because I do not have sudo servers I am responsible.

>Patrick:
I decided to modify permission to 600 on /var/adm/btmp in all servers, even though I am not sure how it happened? Apparently after rel. 11iv2 it is corrected .

>Bill:
What I am looking for with swverify ?

Re: lastb command security

Dennis Handly — Sun, 20 Sep 2009 04:51:13 GMT

>I decided to modify permission to 600 on /var/adm/btmp in all servers, even though I am not sure how it happened?

How many servers were bad, any good?
I'm not sure if this logging is on by default but perhaps if not, when the file was created, root didn't have umask set securely.

>Apparently after release 11iv2 it is corrected.

Only lastb(1) was corrected, not the underlying security permissions on the file.

>What I am looking for with swverify?

Run: swverify \*
Then look for bad permissions on files/directories.

Re: lastb command security

Hakki Aydin Ucar — Mon, 21 Sep 2009 08:29:18 GMT

>Dennis : How many servers were bad, any good?

20 servers in different locations have same problem.

> " : when the file was created, root didn't have umask set securely.

Probably, I am not sure ?

> " : Only lastb(1) was corrected, not the underlying security permissions on the file.

So , maybe it is better, both of /var/adm/btmp
and /usr/bin/lastb
must have 600 privilege ?

Re: lastb command security

Dennis Handly — Mon, 21 Sep 2009 09:55:13 GMT

>maybe it is better, both of /var/adm/btmp and /usr/bin/lastb must have 600 privilege?

Only the file needs it.

Re: lastb command security

James R. Ferguson — Mon, 21 Sep 2009 10:52:06 GMT

Hi:

So , maybe it is better, both of /var/adm/btmp
and /usr/bin/lastb must have 600 privilege ?

Not unless you don't want to run 'lastb'. After all, '/usr/bin/lastb' needs to be executed :-)

Regards!

...JRF...

Re: lastb command security

Hein van den Heuvel — Mon, 21 Sep 2009 11:10:44 GMT

IMHO Hakki has a very valid concern but it is two-fold.

The first part, some lastb components being accessible by 'normal' users is surely a bad setup.

The second part, that the attempted usernames show up in clear print to root users worries and had always bothered me.

For now I offer no solution, just a point to ponder.
Just like Hakki describes I have mistakenly entered my otherwise well-protected and well-chose, but shared amongst more system, password against the username prompt, instead of the password prompt. Clearly this is a user error. But it happens! Agreed?

While a system manager is implicitly trusted on the system being managed, this trust IMHO does NOT extent to other systems.

Whenever this happens to me, I'm very annoyed, and feel obliged to change my password. It would be nice to know that there was an option to NOT have the attempted username stored in clear print (only if it is a valid passwd entry?)
Admittedly this would reduce the ability for a system manager to assist users who repeatedly fat-finger or are mistaken about the username to use, but that's a price I would be willing to pay to be able to say that I can not have possibly seen a users passwords, that the system does not record potential passwords, even when fat-fingerd.

Like I said... just a thought!
Hein.