LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-14-2002, 09:03 AM   #1
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
xinetd startup script checking for writeable /etc/passwd ?


What's the point in doing something like?
Code:
# part of /etc/rc.d/init.d/xinetd of a RH 8.0 install

# Check that we can write to it... so non-root users stop here
[ -w /etc/passwd ] || exit 1
Why would /etc/rc.d/init.d/xinetd want to check write access to /etc/passwd? This is not really a good idea IMHO!


Xinetd version is 2.3.7

Last edited by markus1982; 10-14-2002 at 09:09 AM.
 
Old 10-14-2002, 01:57 PM   #2
Doug_Loss
LQ Newbie
 
Registered: Jul 2002
Location: South Williamsport, PA, USA
Distribution: RedHat, Mandrake, Debian
Posts: 4

Rep: Reputation: 0
It's checking to make sure that xinetd isn't started by an account other than root (or one with root privileges). That's a *good* thing. If someone is already on your box with root privileges, this won't hurt anything since the box would already be severely compromised.
 
Old 10-14-2002, 02:10 PM   #3
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
Originally posted by Doug_Loss
It's checking to make sure that xinetd isn't started by an account other than root (or one with root privileges). That's a *good* thing. If someone is already on your box with root privileges, this won't hurt anything since the box would already be severely compromised.
root doesn't need to have write access to /etc/passwd, for security reasons the file could have the immutable bit set => xinetd startup will fail.

There are other ways to check for root rights (checking the uid for instance), etc!
 
Old 10-14-2002, 02:24 PM   #4
Doug_Loss
LQ Newbie
 
Registered: Jul 2002
Location: South Williamsport, PA, USA
Distribution: RedHat, Mandrake, Debian
Posts: 4

Rep: Reputation: 0
That sounds like a good change request to make at www.xinetd.org :-). I agree with you.
 
Old 10-14-2002, 03:42 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
root doesn't need to have write access to /etc/passwd, for security reasons the file could have the immutable bit set(..)

It's about being capable to access/having write access to a file vs actually writing to a file. Extended bits only posess meaning when writing to a file in this case of the immutable bit.
 
Old 10-14-2002, 05:22 PM   #6
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Is there any other way except:
  • disabling this check in the xinetd startup script
  • removing the immutable bit of /etc/passwd
 
Old 10-15-2002, 10:30 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Well, you could patch main.c with a joke like
Code:
 int main( int argc, char *argv[] )
{
   const char            *func = "main" ;
+
+   if (getuid() & geteuid()) {
+   terminate_program();
+   }
+
   sio_init();
after which it'll sigsegv when executed as non-root, LOL!
Seriously, Xinetd will *need* at least read-only access to /etc/passwd in case a service has to be started as non-root (man xinetd.conf) so it can find out the user, and since it doesn't do actual writes to /etc/passwd, the extended bits can be kept, AFAIC.
 
Old 10-15-2002, 01:02 PM   #8
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
Originally posted by unSpawn
Seriously, Xinetd will *need* at least read-only access to /etc/passwd in case a service has to be started as non-root (man xinetd.conf) so it can find out the user, and since it doesn't do actual writes to /etc/passwd, the extended bits can be kept, AFAIC.
Well if you have set the immutable bit xinetd refuses to start ...
 
Old 10-15-2002, 01:49 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Ok. That's nasty. The check ain't in 2.3.3x and it ain't in the contrib src of 2.3.9. If you run this:
#!/bin/sh
tgt=/etc/passwd
chk() { if [ -w "$tgt" ]; then echo write; else echo wont; fi; }
chattr +i "$tgt"; chk; chattr -i "$tgt"; chk
You'll see extended bit doesn't affect it, and root gets "write" every time. Ok, so I ran a strace on xinetd and it doesn't even show a open("/etc/passwd", O_RDONLY)...

Could you run a strace, scrub the output for hostnames etc and post it here?
 
Old 10-15-2002, 01:55 PM   #10
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
Could you run a strace, scrub the output for hostnames etc and post it here?
Yep I'll do that once I'm back at the place I can access that server ... that will be tomorrow AFAIK. Hope I have strace installed there

Remember it's in the INIT script of xinetd that has this check in it ... and OS is RH 8.0
 
Old 10-16-2002, 07:21 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Yeah, but I can't imagine why a script would break xinetd usage this way... Anyway, I downloaded the RH 8.0 xinetd-2.3.7 rpm, and exept for the passwd stuff there's nothing weird in it.
Stracing xinetd (ok, not the script) doesn't show me open\( 's for passwd.

If commenting out the passwd stuff from the initscript while leaving the immutable bit on works, let's drop the matter ok?
 
Old 10-16-2002, 09:15 AM   #12
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
If commenting out the passwd stuff from the initscript while leaving the immutable bit on works, let's drop the matter ok?
Yep, when you comment out that check it works flawlessly ... close the thread
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
running a script from inetd/xinetd spyghost Linux - Networking 3 09-20-2005 05:12 AM
How to make xinetd run at startup on SuSE ??? cwolf78 Linux - Software 2 04-22-2005 06:13 PM
need a script that can change the passwd bahadur Linux - Security 1 07-09-2004 06:07 AM
world writeable files will not stay world writeable antken Mandriva 1 03-02-2004 06:04 PM
bash script for passwd mystykmax Programming 2 02-20-2003 01:33 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration