Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Unix Application,
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 21 May 2007 14:24:17 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 21 May 2007, IRM wrote:

Dear all,

On my recent pen test, I have seen on Unix Apps (written in C) relies on
UNIX authentication (/etc/passwd and /etc/group) to determine which
functionalities the user can access to.
1) My first question would be what is the rationale of having such
design? Obviously the authentication design is open to not only the
application users but to the operating system users.

2) I know on some Unix/Linux flavors, the system could enforce the user
to change their password every X days. If I am not wrong this setting
can be set through "/etc/shadow" but what if the user never accesses
their Shell?


Quite a number of lazy aplication developers have been going this route, many web based applications. Bet if you search teh directory structure of the application you'll find such goodies and tads of directories with 777 perms, and many files under then with the same 777 perms, many of which will be *.html and *.gif type files that are left in place with the exe bit set... Oracle has this as a history, webshpere by IBM, and just about any product put out by BMC, SAS applications...



Would it still enforce the user to change their password?


We have found this to not be the case, and get tons of requests for non-expiring passwd's from various groups that lack a clue as to what a shell might be, and any clue at all about maintianing their accounts.


Application developers need to get a clue and keep application accounts out of the whole shell/unix level access account game. The Webtrends folks used to have a clue and might still, offering one to install the application and seperate user shell and application accounts. Much safer setup and less work for the admins having to reset passwd's for users that never used a shell in their life on the job...


(say on /etc/passwd;  username .......: :::::: /bin/apps - instead of
/bin/sh) - so when the user is actually connect to the terminal, its
automatically run the application and not a shell - if I am not wrong
.Profile is run after /bin/sh is called?


you likely meant .profile, correct?



Thanks,

Ron DuFresne




Cheers,
John,






------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFGUePUst+vzJSwZikRAlBOAKCXhFsy0/TYYhhfWPjX833nTIbuaQCgkg1D
0HUlCeyC2dlO75+qk7+HqtU=
=818C
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault