Somehow, this message got to me before Ron's reply did, so I will respond to
both inline.
On Thu, 26 Aug 2004 12:26:04 -0500 (CDT), Ron DuFresne
<dufresne@winternet.com> wrote:
On Thu, 26 Aug 2004, Stephen Agar wrote:
I think many of you are missing the point. Yes the guest/guest
account is weak, but this kernel is (according to debian)
patched..therefore free from local exploits that can be
used to gain
superuser access. I mean if this were the case, then any box that
ran this version of debian to do something like "web
hosting" that
gave users shell access, may as well give them all full sudo.
Because you people are assuming that if someone can gain
access to the box, secured or not, they can gain root..i disagree.
The issue here is why does debain include such a weak
account,m thaqt
has not been tamed via a very restricted chroot env!?
That is one issue, but given that I haven't installed debian in years, I
can't really answer it. However, I don't think it's the "main" issue. The
main issue to me is, if I do install debian, and give an account to a friend
(albeit not a trusted friend), do I have to worry about a "fully patched"
box still getting rooted via a local exploit?
That's not the issue though. As someone who has installed
and maintained debian systems over a period of years, I can
assure you that debian does not include a guest account (or
any account) with a weak password or shell.
There aren't any shell accounts other than root on a debian
install until added by the administrator.
The weak account in question here was created by the original
poster with the intent of catching one of these apparently
automated ssh attacks.
If he did create those accounts himself for "honeypot" purposes, and this
isnt default on that debian install then it has shown us all something. It
has opened the flood gates for discussion about local exploits in that
particular install, that we would assume were patched (unless they are
undisclosed vulns..but do we really think the script kiddies have that many
0day exploits...yikes!)
As Barry pointed to directly, it all depends upon what you make
available to your clients once in a shell. It;s very likely your
server would be as exploitable as most 'default' installs
with the kitchen sink dropped in.
Perhaps not, but likely, depending upon what you 'installed
and allow
clients access to'.
Thanks,
Ron DuFresne
I agree, if this was a production box...then any shell account I had would
either be set up for something like "scp only" for a "web host", or jailed
very tightly..along with every other service running on the box. I was just
saying, that if I install my box, and apply every available patch, I would
expect it to be free of local exploits as well as remote ones.
As for the defaults on the original posters install... that
would of course depend entirely on what install method he
chose. Like many current distros (Mandrake, Redhat etc)
Debian offers a packaged install of a couple varieties
(desktop, server, workstation etc) for an admin to pick from,
or they can choose to run dselect (package management
interface) and choose by hand what they do and do not want.
This of course again comes back to not knowing what the
initial poster did with the system beyond running dselect ->
update -> install which would have autohandled updates and
dependency resolution for installed packages.
--
Tremaine
IT Security Consultant
Thanks,
Stephen
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
