On Wed, 2015-02-04 at 14:55 -0700, Warren Young wrote:
> > On Feb 4, 2015, at 12:16 PM, Lamar Owen <lowen at pari.edu> wrote:
> >
> > Again, the real bruteforce danger is when your /etc/shadow is exfiltrated by a security vulnerability
>
> Unless you have misconfigured your system, anyone who can copy /etc/shadow already has root privileges. They don't need to crack your passwords now. You're already boned.

On C5 the default appears to be:-

-rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow

On C6, the default is:-

---------- 1 root root 854 Mar 13 2014 shadow

--
Regards,

Paul.
England, EU. Je suis Charlie.

On 5 February 2015 at 10:53, Always Learning <centos at u64.u22.net> wrote:
> On C6, the default is:-
>
> ---------- 1 root root 854 Mar 13 2014 shadow

Even better if you have SELinux enabled

----------. root root system_u:object_r:shadow_t:s0 /etc/shadow

> On Feb 4, 2015, at 4:53 PM, Always Learning <centos at u64.u22.net> wrote:
>
> On C5 the default appears to be:-
>
> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow

Nope:

# rpm -q --dump setup|grep shadow
/etc/gshadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1 0 0 X
/etc/shadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1 0 0 X

This says it should be mode 400, as it is here on both of the local EL5 boxes I checked.

You have a serious security hole there, Always.

On 2/4/2015 4:04 PM, Warren Young wrote:
> # rpm -q --dump setup|grep shadow
> /etc/gshadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1 0 0 X
> /etc/shadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1 0 0 X
>
> This says it should be mode 400, as it is here on both of the local EL5 boxes I checked.
>
> You have a serious security hole there, Always.

indeed.

$ cat /etc/redhat-release && ls -l /etc/shadow
CentOS release 5.11 (Final)
-r-------- 1 root root 4739 Sep 24 10:54 /etc/shadow

--
john r pierce 37N 122W
somewhere on the middle of the left coast

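The comparison done by hand in the two messages above (packaged mode from `rpm -q --dump setup` against the mode on disk), as an added example that is not part of any message in this thread. The function names are made up for this example, the sample text is the two dump lines quoted above, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Sample input: the two `rpm -q --dump setup` lines quoted in the thread.
SAMPLE_DUMP='/etc/gshadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1 0 0 X
/etc/shadow 0 1329943062 d41d8cd98f00b204e9800998ecf8427e 0100400 root root 1 0 0 X'

# Print the packaged permission bits (e.g. 0400) for path $2 found in dump text $1.
# Field 5 of --dump output is the full octal mode: 0100400 = regular file, 0400.
packaged_mode() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print substr($5, length($5) - 3); exit }'
}

# Print the on-disk permission bits of file $1, zero-padded to four digits.
ondisk_mode() {
    printf '%04d\n' "$(stat -c '%a' "$1")"
}

# Compare file $3 with the packaged mode of path $2 in dump text $1.
# Returns 0 if identical, 1 if the file grants bits the package does not,
# 2 if it only differs by being stricter, 3 if the path is not in the dump.
check_mode() {
    want=$(packaged_mode "$1" "$2")
    if [ -z "$want" ]; then
        return 3
    fi
    have=$(ondisk_mode "$3")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    # Leading 0 makes the shell read both values as octal.
    extra=$(( 0$have & ~0$want ))
    if [ "$extra" -ne 0 ]; then
        printf '%s: mode %s, package says %s (extra bits %04o)\n' "$2" "$have" "$want" "$extra"
        return 1
    fi
    printf '%s: mode %s is stricter than packaged %s\n' "$2" "$have" "$want"
    return 2
}

# On a live system:
#   check_mode "$(rpm -q --dump setup)" /etc/shadow /etc/shadow
```

A result of 1 corresponds to the `-rw-r--r--` listing reported earlier in the thread; a result of 2 corresponds to the C6 `----------` default when checked against a packaged 0400.
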
On 2015-02-04, Always Learning <centos at u64.u22.net> wrote:
> On C5 the default appears to be:-
>
> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow

It is much more likely that someone has screwed up your system. I think even CentOS 4 had shadow as 400. And what on earth would the point be in having a world-readable shadow file?!? The whole point of having a shadow file is to keep password hashes out of /etc/passwd so that people can't read it. It would be nonsensical to then make the shadow file readable.

--keith

--
kkeller at wombat.san-francisco.ca.us

On Thu, Feb 5, 2015 at 4:19 PM, Keith Keller <kkeller at wombat.san-francisco.ca.us> wrote:
>> On C5 the default appears to be:-
>>
>> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
>
> It is much more likely that someone has screwed up your system. I think
> even CentOS 4 had shadow as 400. And what on earth would the point be
> in having a world-readable shadow file?!? The whole point of having a
> shadow file is to keep password hashes out of /etc/passwd so that people
> can't read it. It would be nonsensical to then make the shadow file
> readable.

Yes, /etc/shadow would have always been readable only by root by default. The interesting question here is whether an intruder did it, clumsily leaving evidence behind, or whether it is just a local change from following some bad advice about things that need to be changed - or running some script to make those changes. The latter seems more likely to me.

--
Les Mikesell
lesmikesell at gmail.com

On Thu, 2015-02-05 at 14:19 -0800, Keith Keller wrote:
> On 2015-02-04, Always Learning <centos at u64.u22.net> wrote:
> > On C5 the default appears to be:-
> >
> > -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
>
> It is much more likely that someone has screwed up your system. I think
> even CentOS 4 had shadow as 400. And what on earth would the point be
> in having a world-readable shadow file?!? The whole point of having a
> shadow file is to keep password hashes out of /etc/passwd so that people
> can't read it. It would be nonsensical to then make the shadow file
> readable.

That is why I posted earlier today

"Yes that is what I would like to know. Can't tell. That disk was wiped, partitioned differently and reformatted. But it remains a puzzle I am unlikely to forget for a long time."

--
Regards,

Paul.
England, EU. Je suis Charlie.