On Sat, 25 Oct 2003 02:46, Joe Moore wrote:
> > To create a file in /bin you need root access. Therefore to create
> > /bin/.rhosts you need more access than such a file will grant. There
> > is no point in such an attack. Why would someone create /bin/.rhosts
> > when they can create /root/.rhosts?
>
> There are many programs that use files in the target user's home directory
> for authentication. rsh and ssh are two common examples. Many of these
> programs would not be hindered by an invalid shell. That's why I
> originally said that the home directory is more important than what is in
> the seventh field of /etc/passwd. I should not have made my comment
> specific to UID2.

Which goes back to my previous question: what do you think it should have as
the home directory then?

> As to why someone would create /bin/.rhosts rather than /root/.rhosts,
> perhaps a sysadmin has mistakenly allowed "sudo cp * /bin" for a user who
> normally installs software?

In which case they could install a trojan /bin/bash and get access to every
account.

> Ok, that's a rather artificial example, but
> how about a buggy game that can drop a .rhosts file in /usr/games?

Again, a much more useful attack would be to replace a game with a trojan and
to exploit every account that is used to run a game. Maybe one of the
fortune-cookie type packages puts a binary in there which can be run at login
time...

> Or
> a buggy manpage that drops a .rhosts file in /var/cache/man?

That is something that could be usefully changed.

> > Does bin even own ANY files or have write access to ANY directories on
> > a default install? From a quick look it seems that account "bin" gets
> > no write access to anything on a Linux system.
>
> If "bin" has no valid password, owns no files, runs no processes, and can
> write to no directories, then why does "bin" exist at all?

Beats me. Compatibility I guess.

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
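As an added defensive check, not code from this thread or from any of the projects mentioned in it: the script below walks /etc/passwd and flags accounts whose home directory (the field the discussion says matters more than the shell) is owned or writable by a non-root account, or already contains a trust file such as .rhosts. The system-UID cut-off and the list of trust files are assumptions.

```python
"""Audit the home-directory field of every passwd entry for the rsh/ssh
trust-file risk discussed in the thread.  Hypothetical helper, not code from
the thread; the system-UID range and trust-file list are assumptions."""
import os
import stat

SYSTEM_UID_MAX = 999                      # assumption: Debian-style system account range
TRUST_FILES = (".rhosts", ".shosts", ".ssh/authorized_keys")

def classify(uid, home_owner, home_mode, trust_present):
    """Findings for one account.  home_owner/home_mode come from stat() of its
    home directory (None if missing); trust_present lists TRUST_FILES found."""
    findings = []
    if home_owner is None or uid == 0:
        return findings                   # /nonexistent, or root's own home: nothing to flag
    if home_owner == uid:
        findings.append("home owned by account: it can plant its own trust files")
    if home_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("home writable by group/other")
    if uid <= SYSTEM_UID_MAX and trust_present:
        findings.append("trust file(s) present: " + ", ".join(trust_present))
    return findings

def audit_passwd(path="/etc/passwd"):
    """Walk a passwd-format file on the live system; return {account: findings}."""
    report = {}
    with open(path) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) < 7 or not fields[2].isdigit():
                continue                  # skip comments, NIS '+' lines, malformed entries
            name, uid, home = fields[0], int(fields[2]), fields[5]
            try:
                st = os.stat(home)
                owner, mode = st.st_uid, st.st_mode
            except OSError:
                owner = mode = None       # e.g. /nonexistent
            present = [] if owner is None else [
                f for f in TRUST_FILES if os.path.exists(os.path.join(home, f))]
            findings = classify(uid, owner, mode, present)
            if findings:
                report[name] = findings
    return report

if __name__ == "__main__":
    for account, items in sorted(audit_passwd().items()):
        print(f"{account}: {'; '.join(items)}")
```

A system account whose home is a root-owned, non-writable directory (or a path that does not exist) produces no findings, which is the state the thread argues for.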