Operating System - HP-UX

Trusted system - shadow password permissions

Brett A. Weber
Occasional Contributor

After converting our 11.0 systems to Trusted systems, the permissions on the shadow password files (/tcb/files/auth/) default to -rw-rw-r--. Maybe I'm missing something, but this seems deceptively open. Couldn't a 'cracking' tool be generated against these individual password files, similar to a brute-force attack against a non-trusted /etc/passwd file? If the answer is yes, can permissions on these individual password files safely be restricted even more?
Victor BERRIDGE
Honored Contributor

Re: Trusted system - shadow password permissions

Hi,
This is what I have:
drwxrwx--x 55 root sys 1024 Aug 13 1998 auth
-rw-rw-r-- 1 root sys 17460 Aug 13 1998 devassign
-rw-rw-r-- 1 root root 11167 Dec 2 1999 ttys
cd auth
ll|more
total 4
drwxrwx--- 2 root sys 96 Aug 13 1998 A
drwxrwx--- 2 root sys 96 Aug 13 1998 B
drwxrwx--- 2 root sys 96 Aug 13 1998 C
drwxrwx--- 2 root sys 96 Aug 13 1998 D
drwxrwx--- 2 root sys 96 Aug 13 1998 E
drwxrwx--- 2 root sys 96 Aug 13 1998 F
drwxrwx--- 2 root sys 96 Aug 13 1998 G
drwxrwx--- 2 root sys 96 Aug 13 1998 H

etc...

and the files inside are root:root ...


So I don't see any problem...

Regards
Victor
Peggy Fong
Respected Contributor

Re: Trusted system - shadow password permissions

Hi,
I'm new to the forum but thought I'd try a reply. /tcb permissions should be pretty restrictive, e.g.
dr-xr-x--x 3 root sys 96 Jan 4 11:23 /tcb

Seems to me that this would protect the files below from non-root access. As a non-root user I may be able to cd to the directories but everything is unreadable.
Dan Hetzel
Honored Contributor

Re: Trusted system - shadow password permissions

Hi,

To be able to access subdirectories /tcb/files/auth/? you need to be either root or from group sys.

This shouldn't create any potential security issue on your servers.
If someone already has UID root or GID sys, there's a lot more harm to do on your server than having a look at encrypted passwords, don't you believe? ;-)

Best regards,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
Belinda Dermody
Super Advisor

Re: Trusted system - shadow password permissions

The protection for the /tcb directory and subdirectories should be as tight as possible. I just finished writing a script to take the /etc/passwd information and the auth/? files, extract the encrypted passwords and combine them into the old password format to run Crack 5.0 against. So those directories and subdirectories should only be readable and accessible by root.
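The two things this post describes, rejoining the hashes kept under /tcb/files/auth/ with /etc/passwd into the old seven-field format, and checking that nobody but root can reach those files, as an added example. This is not the poster's script and not HP code: the per-user entry syntax (colon-separated `u_name=`, `u_id#`, `u_pwd=` ... `chkent:` fields, continued across lines with a trailing backslash, with `@` marking a boolean that is taken here as "set") is assumed from the trusted-system format, and the sample entries, passwd lines and directory tree are constructed for the demo. The audit takes an `allowed_group_other` mask so you can apply either the root-only policy argued for here or the "group sys is fine" view from the previous reply.

```python
"""Added example: rebuild old-style passwd lines from HP-UX trusted-system
protected-password entries, and audit a /tcb-like tree for permission bits
that let non-root users read them. Samples below are constructed."""
import os
import shutil
import stat
import tempfile

# Constructed: what /tcb/files/auth/<letter>/<user> entries are assumed to look like.
SAMPLE_AUTH = {
    "alice": "alice:u_name=alice:u_id#201:u_pwd=abJnggxhB/yWI:\\\n"
             "\t:u_auditid#4:u_auditflag#1:u_succhg#946684800:u_lock@:chkent:\n",
    "bob":   "bob:u_name=bob:u_id#202:u_pwd=*:u_succhg#946684800:chkent:\n",
}

# Constructed /etc/passwd after conversion: the password field is '*',
# the real hash lives only under /tcb.
SAMPLE_PASSWD = """root:*:0:3::/:/sbin/sh
alice:*:201:20:Alice:/home/alice:/usr/bin/ksh
bob:*:202:20:Bob:/home/bob:/usr/bin/sh
"""


def parse_auth_entry(text):
    """Return (username, fields) for one protected-password entry.
    'k=v' is a string, 'k#v' a number, 'k@' a boolean (assumed: set)."""
    joined = text.replace("\\\n", "")        # undo backslash line continuation
    parts = joined.split(":")
    name, fields = parts[0].strip(), {}
    for raw in parts[1:]:
        f = raw.strip()
        if not f or f == "chkent":            # padding / end-of-entry marker
            continue
        if "=" in f:
            k, v = f.split("=", 1)
            fields[k] = v
        elif "#" in f:
            k, v = f.split("#", 1)
            fields[k] = int(v)
        elif f.endswith("@"):
            fields[f[:-1]] = True
    return name, fields


def merge_passwd(passwd_text, auth_texts):
    """Put each user's u_pwd hash back into the second field of its passwd
    line, giving classic 7-field lines. Users with no entry, or whose entry
    holds no real hash ('*' or empty), are skipped."""
    hashes = {}
    for text in auth_texts:
        name, fields = parse_auth_entry(text)
        pwd = fields.get("u_pwd", "")
        if pwd and pwd != "*":
            hashes[name] = pwd
    out = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or parts[0] not in hashes:
            continue
        parts[1] = hashes[parts[0]]
        out.append(":".join(parts))
    return out


def audit_tcb(root, allowed_group_other=0):
    """Walk root and report every directory or file whose group/other bits
    exceed allowed_group_other (0 = root-only policy, 0o070 = group may have
    full access). Returns [(relative path, octal mode), ...]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & 0o077 & ~allowed_group_other:
                findings.append((os.path.relpath(path, root), oct(mode)))
    return findings


def build_demo_tree():
    """Constructed throwaway tree mirroring the listings in the thread:
    auth is 0771, letter directories 0770, per-user files 0664."""
    root = tempfile.mkdtemp(prefix="tcb-demo-")
    auth = os.path.join(root, "files", "auth")
    os.makedirs(auth)
    os.chmod(os.path.join(root, "files"), 0o750)
    os.chmod(auth, 0o771)                     # drwxrwx--x
    for user, text in SAMPLE_AUTH.items():
        letter_dir = os.path.join(auth, user[0].upper())
        os.makedirs(letter_dir, exist_ok=True)
        os.chmod(letter_dir, 0o770)           # drwxrwx---
        path = os.path.join(letter_dir, user)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o664)                 # -rw-rw-r-- as the poster saw
    return root


def remove_demo_tree(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    for line in merge_passwd(SAMPLE_PASSWD, SAMPLE_AUTH.values()):
        print(line)
    demo = build_demo_tree()
    for path, mode in audit_tcb(demo):
        print("too open (root-only policy):", path, mode)
    remove_demo_tree(demo)
```

Under the root-only policy every directory and file in the demo tree is flagged; with `allowed_group_other=0o070` only the world-readable per-user files and the world-searchable auth directory remain, which is exactly the gap the original poster noticed.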
jherring
Regular Advisor

Re: Trusted system - shadow password permissions

I have tried this on my system, and as a regular user you can blindly cd to, say, /tcb/files/auth/A, but you cannot do anything past that.

I have to agree; I do not see any problem. You cannot see the encrypted files.

Jon