On Thu, 2015-02-05 at 16:39 -0600, Valeri Galtsev wrote:

> >>> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
>
> Were it me, I would consider the box compromised. All done on/from that
> box since the probable day it happened is compromised as well. If there
> is no way to establish the day, then since that system was originally
> built. With full blown sweeping up of the consequences. Finding
> really-really-really convincing proof it is not a result of compromise
> (and yes, fight one's wishful thinking!).

Logically?

1. To change the permissions on shadow from -rw-x------ or from
   ---------- to -rw-r--r-- requires root permissions?

2. If so, then what is the advantage of changing those permissions when
   the entity possessing root authority can already read shadow - that
   entity requires neither group nor user permissions to read shadow.

--
Regards,

Paul.
England, EU. Je suis Charlie.
On Thu, February 5, 2015 5:23 pm, Always Learning wrote:

> On Thu, 2015-02-05 at 16:39 -0600, Valeri Galtsev wrote:
>
>> >>> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
>>
>> Were it me, I would consider the box compromised. All done on/from that
>> box since the probable day it happened is compromised as well. If there
>> is no way to establish the day, then since that system was originally
>> built. With full blown sweeping up of the consequences. Finding
>> really-really-really convincing proof it is not a result of compromise
>> (and yes, fight one's wishful thinking!).
>
> Logically?
>
> 1. To change the permissions on shadow from -rw-x------ or from
>    ---------- to -rw-r--r-- requires root permissions?
>
> 2. If so, then what is the advantage of changing those permissions when
>    the entity possessing root authority can already read shadow - that
>    entity requires neither group nor user permissions to read shadow.

As I said, it's your money, mister. Think of what your users will think
about your response to the bizarre thing you have discovered. Sysadmins
have their users' trust a priori. But they have to keep deserving this
trust all the time.

Just my $0.02

Valeri

PS I figure I really have to thank my teachers! Including great books
I've read...

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 6 February 2015 at 10:23, Always Learning <centos at u64.u22.net> wrote:

> Logically?
>
> 1. To change the permissions on shadow from -rw-x------ or from
>    ---------- to -rw-r--r-- requires root permissions?
>
> 2. If so, then what is the advantage of changing those permissions when
>    the entity possessing root authority can already read shadow - that
>    entity requires neither group nor user permissions to read shadow.

The concept in play here is privilege escalation.

An exploit may not give you all that root can do, but may be limited
to, say, tricking the system to change file permission.
From there an attacker could use that and other exploits to escalate privileges.

K
On 2015-02-05, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:

> On Thu, February 5, 2015 5:23 pm, Always Learning wrote:
>>
>> On Thu, 2015-02-05 at 16:39 -0600, Valeri Galtsev wrote:
>>
>>> >>> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow
>>>
>>> Were it me, I would consider the box compromised. All done on/from that
>>> box since the probable day it happened is compromised as well. If there
>>> is no way to establish the day, then since that system was originally
>>> built. With full blown sweeping up of the consequences. Finding
>>> really-really-really convincing proof it is not a result of compromise
>>> (and yes, fight one's wishful thinking!).
>>
>> Logically?
>>
>> 1. To change the permissions on shadow from -rw-x------ or from
>>    ---------- to -rw-r--r-- requires root permissions?
>>
>> 2. If so, then what is the advantage of changing those permissions when
>>    the entity possessing root authority can already read shadow - that
>>    entity requires neither group nor user permissions to read shadow.
>
> As I said, it's your money, mister.

It seems very likely that, even if the system's security is not
compromised, the sysadmin's certainly is. Some things are beyond our
ability to repair.

--keith

--
kkeller at wombat.san-francisco.ca.us
On Thu, 2015-02-05 at 17:36 -0600, Valeri Galtsev wrote:

>> Logically?
>>
>> 1. To change the permissions on shadow from -rw-x------ or from
>>    ---------- to -rw-r--r-- requires root permissions?
>>
>> 2. If so, then what is the advantage of changing those permissions when
>>    the entity possessing root authority can already read shadow - that
>>    entity requires neither group nor user permissions to read shadow.
>
> As I said, it's your money, mister.

In the politest manner, may I suggest the ability to read and the
ability to retain information is important?

Somewhere previously in this thread and within the last few days, I
mentioned:

1. the file permissions were found on a 2010 DVD back-up of a 5.3?
   CentOS installation;

2. all my current systems, C5 and C6, have ---------- permissions for
   the shadows (shadow, gshadow and their backups);

3. the disk drive originally used in 2010 was wiped in 2010 or 2011,
   repartitioned, reformatted and reused;

4. I don't know what happened and, despite being concerned and curious,
   I am unlikely ever to discover the cause.

Why waste time on this, when "Centos Learning, IP TABLES firewall for
beginners" will bring substantially greater benefits to everyone? OK,
not for the hackers!

--
Regards,

Paul.
England, EU. Je suis Charlie.
On Fri, 2015-02-06 at 10:50 +1100, Kahlil Hodgson wrote:

> On 6 February 2015 at 10:23, Always Learning <centos at u64.u22.net> wrote:
>> Logically?
>>
>> 1. To change the permissions on shadow from -rw-x------ or from
>>    ---------- to -rw-r--r-- requires root permissions?
>>
>> 2. If so, then what is the advantage of changing those permissions when
>>    the entity possessing root authority can already read shadow - that
>>    entity requires neither group nor user permissions to read shadow.
>
> The concept in play here is privilege escalation.
>
> An exploit may not give you all that root can do, but may be limited
> to, say, tricking the system to change file permission.
> From there an attacker could use that and other exploits to escalate privileges.

How could file permission modification of /etc/shadow be used to
"escalate privileges"?

Thanks.

--
Regards,

Paul.
England, EU. Je suis Charlie.
On 02/06/2015 12:50 AM, Kahlil Hodgson wrote:

> On 6 February 2015 at 10:23, Always Learning <centos at u64.u22.net> wrote:
>> Logically?
>>
>> 1. To change the permissions on shadow from -rw-x------ or from
>>    ---------- to -rw-r--r-- requires root permissions?
>>
>> 2. If so, then what is the advantage of changing those permissions when
>>    the entity possessing root authority can already read shadow - that
>>    entity requires neither group nor user permissions to read shadow.
>
> The concept in play here is privilege escalation.
>
> An exploit may not give you all that root can do, but may be limited
> to, say, tricking the system to change file permission.
> From there an attacker could use that and other exploits to escalate privileges.

Come on guys, if a cracker changed the perms to 644 he's probably
sensible enough to change it back to 000 after grabbing a copy... This
is most likely a BCAK error, let it rest please.
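An added example, not code from the thread or from CentOS: a small Python auditor that parses the kind of `ls -l` listing quoted above (Paul's evidence came from a 2010 DVD backup, so there was no live system to stat) and flags shadow, gshadow and their backups whose mode, owner or group differ from a stated baseline, with the same check run against a live host via stat(). The 0000 root:root baseline is the CentOS 5/6 convention Paul describes; the `allowed` and `groups` parameters are my assumption so that 0640 root:shadow layouts can be checked too.

```python
import os, re, stat

# Paul's CentOS 5/6 baseline: shadow, gshadow and their backups are mode 0000 root:root.
# Debian-style hosts use 0640 root:shadow, so `allowed` and `groups` are parameters.
SHADOW_FILES = ("/etc/shadow", "/etc/gshadow", "/etc/shadow-", "/etc/gshadow-")

# One `ls -l` line: mode, links, owner, group, size, month, day, time-or-year, name
LS_LINE = re.compile(r"^(?P<mode>[-bcdlps][-rwxsStT]{9})[.+@]?\s+\d+\s+(?P<owner>\S+)"
                     r"\s+(?P<group>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$")

def mode_from_string(mode_str):
    """rwx part of an ls mode field as an int: '-rw-r--r--' -> 0o644."""
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):
        if ch in "rwxst":  # 'S'/'T' = setuid/setgid/sticky without the x bit
            bits |= 1 << (8 - i)
    return bits

def shadow_mode_ok(mode, allowed=0o000):
    """True if `mode` grants group/other nothing beyond `allowed`."""
    return ((mode & 0o077) & ~allowed) == 0

def audit_ls_listing(text, allowed=0o000, owner="root", groups=("root",)):
    """Findings as (name, reason) for shadow files in captured `ls -l` text."""
    names = {os.path.basename(p) for p in SHADOW_FILES}
    findings = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m or os.path.basename(m.group("name")) not in names:
            continue
        name, mode = m.group("name"), mode_from_string(m.group("mode"))
        if not shadow_mode_ok(mode, allowed):
            findings.append((name, "mode %s is wider than %04o" % (m.group("mode"), allowed)))
        if m.group("owner") != owner or m.group("group") not in groups:
            findings.append((name, "unexpected owner %s:%s" % (m.group("owner"), m.group("group"))))
    return findings

def audit_live(paths=SHADOW_FILES, allowed=0o000, owner_uid=0):
    """Same check against the running host via stat(); missing files are skipped."""
    findings = []
    for p in filter(os.path.exists, paths):
        st = os.stat(p)
        mode = stat.S_IMODE(st.st_mode)
        if not shadow_mode_ok(mode, allowed) or st.st_uid != owner_uid:
            findings.append((p, "mode %04o, uid %d" % (mode, st.st_uid)))
    return findings

# Constructed sample: the line quoted in the thread plus a healthy CentOS-style entry.
SAMPLE_LISTING = ("-rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow\n"
                  "---------- 1 root root  832 Jan 31 03:04 gshadow\n")
```

A point-in-time check like this cannot show a change that was later reverted, which is the case the last message raises; recording writes and attribute changes to those files with an auditd watch (`auditctl -w /etc/shadow -p wa`) is what answers that question.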