
Bugtraq mailing list archives
Re: Linux UID/GID 'Feature'
From: ariel () FIREBALL TAU AC IL (Ariel Biener)
Date: Sun, 11 May 1997 16:43:24 +0300
On Sat, 10 May 1997, David Phillips wrote:
> I mailed this to a friend as a sanity check:
>
> While trying to make a user entry in the /etc/passwd file unrecognized so I could demonstrate the use of valid UIDs, I placed a # in front of the UID. My theory was that this would make it an invalid number and cause Linux to give an authentication failure. (This worked as expected on SunOS 4.1.4) But then we tried to su to that user and were rewarded by being dumped to UID 0. It didn't recognize the UID so it defaulted to 0. Cool huh? It seems ideal for a hard to find, back door but given that you must be root to write to the passwd file, I have not found a better way to really exploit it.
>
> My friend replied:
>
> I did test the problem using various remote logins, such as rlogin, rsh, ftp, telnet, exec, ssh and console login. Trying to rlogin, rsh, rexec or telnet failed with an authentication failure. But, su, ftp, ssh and console login all succeeded and gave UID 0. A small stumbling block, but still useful for a backdoor. I'll keep checking it tho'.
>
> He also noted that it works the same for GID. We have not taken the time to research the problem fully but have tested it on Red Hat 4.1 (2.0.27/2.0.30)

Hi,

While that may be true on RedHat-4.1, it's not true for Linux running the latest shadow package. I have tested all the above, in both #UID and #GID cases, and what happens is that if you put a # in any of those fields in the passwd entry, the user is ignored (no such user).

Shadow passwords for Linux have existed for quite some time now, and have become the default in operating systems like BSDi/Solaris/AIX, and IMHO, the latest Linux releases should have been packaged with shadow passwording by default.

Regards,

--Ariel

> David Phillips, TASC
> phillips () pcisys net

+---------------------------------------------------------+
| Ariel Biener                                            |
| e-mail: ariel () post tau ac il     Work ph: 03-6406086 |
+---------------------------------------------------------+
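
A defensive check for the condition discussed in this thread, as an added example that is not part of the original messages: it flags passwd entries whose UID or GID field is not a plain decimal number. The sample data and the name audit_passwd are constructed for illustration, and the checks for field count and for UID 0 on a non-root login go beyond the '#' case described above.

```python
import re

# Constructed sample in /etc/passwd format; "demo" and "grp" mimic the '#' edit
# described in the thread. None of these entries come from the original page.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
demo:x:#1001:100:Demo User:/home/demo:/bin/bash
grp:x:1002:#100:Group Case:/home/grp:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
short:x:1003:100
"""

DECIMAL = re.compile(r"[0-9]+")


def audit_passwd(text):
    """Return a list of (line_number, login, problem) for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        login = fields[0]
        if len(fields) != 7:
            findings.append((lineno, login, "expected 7 fields, found %d" % len(fields)))
            continue
        for name, value in (("UID", fields[2]), ("GID", fields[3])):
            # Strict match on the raw text: the thread reports '#'-prefixed
            # values being treated as 0 by some login paths, so never convert
            # leniently and then compare.
            if not DECIMAL.fullmatch(value):
                findings.append((lineno, login, "%s field %r is not a decimal number" % (name, value)))
        # A well-formed UID 0 on any login other than root also deserves review.
        if fields[2] == "0" and login != "root":
            findings.append((lineno, login, "UID 0 on a non-root login"))
    return findings


if __name__ == "__main__":
    import sys
    # With a path argument, audit that file; otherwise audit the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for lineno, login, problem in audit_passwd(data):
        print("line %d (%s): %s" % (lineno, login, problem))
```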