Old 04-07-2005, 11:18 PM   #1
MisterESauce
Member
 
Registered: Nov 2004
Distribution: FC3 dualboot with XP on my main machine, Slackware 9 on my POS ;)
Posts: 30

Rep: Reputation: 15
what are the security risks using 'passwd' in shell scripts?


i was reading about shell scripting today and found a warning against using the 'passwd' command in an automated script. i don't understand how this would be a security risk, can someone please explain?
 
Old 04-08-2005, 12:29 AM   #2
ginetta
LQ Newbie
 
Registered: Nov 2004
Location: Canada
Posts: 28

Rep: Reputation: 15
passwd in scripts

Interesting... One would assume the fact that you would have to apply a password
within the script that it could be a way of revealing passwords unnecessarily.

Another thing may be that you may create a script that has relaxed attributes allowing
someone to abuse the passwd command as an escalated user within the script using
clever parsing.
 
Old 04-08-2005, 01:26 AM   #3
MisterESauce
Member
 
Registered: Nov 2004
Distribution: FC3 dualboot with XP on my main machine, Slackware 9 on my POS ;)
Posts: 30

Original Poster
Rep: Reputation: 15
Re: passwd in scripts

Quote:
Originally posted by ginetta
Interesting... One would assume the fact that you would have to apply a password
within the script that it could be a way of revealing passwords unnecessarily.

i don't see how the script could reveal a password if i don't put it anywhere in the script (that would be an obvious security flaw as the script file is unencrypted). i simply send the command and wait for the user to type a new password. it should be just as secure as typing 'passwd' from the command prompt, right?

i did think about the permissions and i set it so that it can only be run by root.

to me this seems like a perfectly secure situation, but then again, i am a
 
Old 04-08-2005, 12:09 PM   #4
ginetta
LQ Newbie
 
Registered: Nov 2004
Location: Canada
Posts: 28

Rep: Reputation: 15
passwd...

i simply send the command and wait for the user to type a new password.

What you suggest is common practice with many secure shell scripts. With that
I mean the calling of another program in a secure manner to carry out a function.

I have not read the article you mentioned therefore I cannot comment on its
content.

From what you describe, a simple call for passwd to interact with a user much in
the same way as if they were to initiate it themselves doesn't 'seem' to prove
insecure in itself.

Saying that, with the right set of circumstances "surrounding" the request for
that function within a script may prove to be hazardous to security. But then
that can be said of any function being misused. This would then be an issue with
the way the author of the script constructed it and not with passwd itself.

If passwd has a flaw in the way it executes from within a script then that is
something I am unaware of and a quick visit to any good security website would
answer that question for you.

I'd be interested to read this article you mentioned.

G
 
Old 04-08-2005, 02:48 PM   #5
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
Just guessing here as the OP didn't include a reference to the material he/she was reading, but they're probably talking about silly things like piping the new password to passwd on stdin. A crafty attacker could get the password from the process list if you did something like that.
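
The process-list exposure raised in post #5, as an added example that is not part of the original thread: a password is readable by other local users when it appears in the arguments of a running program, while data written to a program's stdin by a shell builtin does not appear there. It assumes Linux with /proc mounted; `SAMPLE_SECRET` and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration, Linux only (reads /proc). SAMPLE_SECRET is a
# constructed value, not a real credential.
SAMPLE_SECRET='constructed-example-pw'

# Succeed if the argument vector of PID $1 contains the string $2.
# /proc/<pid>/cmdline is the data ps displays; entries are NUL-separated.
argv_contains() {
    [ -r "/proc/$1/cmdline" ] || return 1
    argv=$(tr '\0' ' ' < "/proc/$1/cmdline")
    case $argv in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Case 1: the secret is an argument of a running program. The sh -c child
# is a stand-in for any command handed a password on its command line.
# The trailing ':' keeps sh from replacing itself with sleep via exec.
leaks_via_argv() {
    sh -c 'sleep 2; :' sh "$SAMPLE_SECRET" &
    pid=$!
    sleep 1                      # let the child exec before inspecting it
    if argv_contains "$pid" "$SAMPLE_SECRET"; then rc=0; else rc=1; fi
    wait "$pid"
    return "$rc"
}

# Case 2: the same secret written to the consumer's stdin by the shell's
# printf builtin. The consumer's argv holds only its own command text.
leaks_via_stdin() {
    printf '%s\n' "$SAMPLE_SECRET" | sh -c 'sleep 2; cat >/dev/null' &
    pid=$!
    sleep 1
    if argv_contains "$pid" "$SAMPLE_SECRET"; then rc=0; else rc=1; fi
    wait "$pid"
    return "$rc"
}

# Print the comparison when invoked with the argument "report".
if [ "${1:-}" = report ]; then
    leaks_via_argv  && echo "argv:  secret visible in the process list"
    leaks_via_stdin || echo "stdin: secret not visible in the process list"
fi
```

A script that only runs `passwd` and lets the user type at the prompt, as the original poster describes, never places the password in any argument vector.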
 
Old 04-10-2005, 01:48 PM   #6
MisterESauce
Member
 
Registered: Nov 2004
Distribution: FC3 dualboot with XP on my main machine, Slackware 9 on my POS ;)
Posts: 30

Original Poster
Rep: Reputation: 15
hehe, okay, that's kind of what i figured... and yes, i realized it would be VERY silly to put the actual password in the script file!

i read this advice from a shell-scripting guide (the link to which i've now lost) but it wasn't even an article really, just a piece of advice stuck in against using 'passwd' in scripts with no evidence to back up the claim. just thought i'd check with you guys to make sure i wasn't missing something silly!

thanks all!
 
  

