On Mon, February 9, 2015 10:55 am, Bowie Bailey wrote:> On 2/5/2015 8:20 PM, Always Learning wrote:
>> On Fri, 2015-02-06 at 10:50 +1100, Kahlil Hodgson wrote:
>>
>>> On 6 February 2015 at 10:23, Always Learning <centos at
u64.u22.net>
>>> wrote:
>>>> Logically ?
>>>>
>>>> 1. to change the permissions on shadow from -rw-x------ or from
>>>> ---------- to -rw-r--r-- requires root permissions ?
>>>>
>>>> 2. if so, then what is the advantage of changing those
permissions
>>>> when
>>>> the entity possessing root authority can already read shadow -
that
>>>> entity requires neither group nor user permissions to read
shadow.
>>> The concept in play here is privilege escalation.
>>>
>>> An exploit may not give you all that root can do, but may be
limited
>>> to, say, tricking the system to change file permission.
>>> From there an attacker could use that and other exploits to
escalate
>>> privileges.
>> How could file permission modification of /etc/shadow be used to
>> "escalate privileges" ?
>
> If I can give myself read access to /etc/shadow, then I can grab a copy
> and try to crack the passwords (including the root password). If I can
> give myself r/w access, then I can directly change the password and give
> myself instant access to everything.
>
I guess, this discussion (about security of your system and what affects
it) should be ended by the reference to fundamental book on Unix system
[administration]. One thing I learned: you can not become proficient in
any subject just by reading sparse blogs about it. One thing you
definitely need: very good understanding of underlying fundamentals. For
this reason the most productive would be to think if you have very good
general understanding of how Unix (or Unix-like) system works. The easiest
is to start reading good book about it, and if you see you are making
discoveries, then this is definitely what you are missing, and what you
need to study before diving into discussion what is good for security and
how it affects that. That would be what I would recommend to myself (which
I did way back...). If I were choosing the book to get good start today, I
would choose:
UNIX and Linux System Administration Handbook (4th Edition) 2010 by Evi
Nemeth and Garth Snyder
- don't worry about "outdated...", remember, you first need
fundamentals.
It is not as "fundamental" as some of the books of the past I
remember,
but I'd rather mention it that those really old books.
I'm sure, someone may suggest better book, maybe even free online book.
Note, your advise of book giving fundamental knowledge of Unix or Linux
system may be really valuable.
Just my $0.02
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++