LinuxQuestions.org
Old 08-19-2016, 06:34 AM   #16
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,967

Rep: Reputation: 5721

No, that is not a vulnerability, that is misuse. As I already told you, root always has the possibility to change/modify/remove its own password, just by executing the command passwd. There are a lot of other commands (like that ls /etc | sh) which may or may not change the root password (accidentally/occasionally) and you will not be able to block all of them.
You can make a filesystem read only using the mount command. But root can also remount it and will be able to change password again.
 
Old 08-19-2016, 06:41 AM   #17
sivagopiraju
LQ Newbie
 
Registered: Aug 2016
Posts: 16

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
Suppose from the CLI they used (ls /etc | sh), then the root password becomes empty, then they can easily attack the box. I need to stop them for root.

To make a read-only filesystem, "mount -o remount,ro /"
To make a read-write filesystem, "mount -o remount,rw /" are the proper commands.
 
Old 08-19-2016, 06:59 AM   #18
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
vi /etc/ssh/sshd_config
and change PermitRootLogin and PasswordAuthentication to

Code:
PermitRootLogin no
PasswordAuthentication no
service ssh restart
You must have ssh-keys for each user prior to setting "PasswordAuthentication no" and those contents must be in /home/{ubuntu,admin}/.ssh/authorized_keys on the target server.
See also
Restricting User Logins
Using Match Options to Add Exceptions
SSH Settings
SSH Allow Users

Finally, DO NOT DISCONNECT from the hardened server until you are 100% certain you can log back in. From your “IP”, open a new tab in terminal and start a fresh session to the server as verification after editing /etc/ssh/sshd_config on the hardened server.

Last edited by Habitual; 08-19-2016 at 07:01 AM.
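
The check described in the post above (both settings in place and a key installed before restarting sshd), as an added example that is not part of the original post. The function names are hypothetical, and the parser assumes the plain whitespace-separated `Keyword value` form with no Include files:

```shell
#!/bin/sh
# Added example: pre-restart check for the two sshd_config changes above.
# File paths are arguments, so the check can be run against copies first.

# Print the effective global value of KEYWORD in an sshd_config file.
# sshd uses the first value it obtains for a keyword and keywords are
# case-insensitive; parsing stops at the first Match block.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# Return 0 only if root login and password login are both off AND the
# given authorized_keys file contains at least one non-comment line.
safe_to_restart() {  # usage: safe_to_restart SSHD_CONFIG AUTHORIZED_KEYS
    cfg=$1 keys=$2 ok=0
    [ "$(sshd_effective PermitRootLogin "$cfg")" = "no" ] ||
        { echo "PermitRootLogin is not 'no'" >&2; ok=1; }
    [ "$(sshd_effective PasswordAuthentication "$cfg")" = "no" ] ||
        { echo "PasswordAuthentication is not 'no'" >&2; ok=1; }
    if ! grep -Eqs '^[[:space:]]*[^#[:space:]]' "$keys"; then
        echo "no public key in $keys: key login would fail" >&2; ok=1
    fi
    return $ok
}
```

On a real host, `sshd -t` additionally validates the configuration syntax before the restart.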
 
Old 08-19-2016, 07:10 AM   #19
sivagopiraju
LQ Newbie
 
Registered: Aug 2016
Posts: 16

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
Thanks, but in my product there are no sshd_config files, and no other ssh config files.
 
Old 08-19-2016, 07:17 AM   #20
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,967

Rep: Reputation: 5721
ls /etc > /etc/passwd will also destroy local passwords and make the host unreachable. How do you want to protect your host against such failures?
 
Old 08-19-2016, 07:21 AM   #21
sivagopiraju
LQ Newbie
 
Registered: Aug 2016
Posts: 16

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
OK, thanks for your suggestions, I won't allow these commands from the CLI itself.
 
Old 08-19-2016, 07:42 AM   #22
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,325

Rep: Reputation: 757
Why not use a custom user and a custom group rather than root? Then you could set permissions the way you want.
 
Old 08-19-2016, 07:50 AM   #23
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,764
Blog Entries: 16

Rep: Reputation: 3400
I just tried this as myself. It tried to change my personal password! What is happening obviously is that the name of the users file /etc/passwd is being misinterpreted by the shell as the passwd command.

Like the OP I find this a bit worrying. It could lead in some circumstances to users being "frozen out" of their own accounts.
 
Old 08-19-2016, 07:58 AM   #24
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,325

Rep: Reputation: 757
Quote:
Originally Posted by hazel View Post
Like the OP I find this a bit worrying. It could lead in some circumstances to users being "frozen out" of their own accounts.
It's part of Linux/Unix use if you mess with random commands without thinking/checking

A password reset is not the worst thing to fix imho
 
Old 08-19-2016, 08:06 AM   #25
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,342
Blog Entries: 4

Rep: Reputation: 3332
Actually, you are [all ...] pretty much mistaken. Let's try a perfectly safe series of commands, to see what's really going on here:

Code:
cd ~
mkdir foo
cd foo
touch me
ls | sh
Here, I first make sure that we're in the home directory. I create a directory called foo, enter it, and create an empty file named me. Then, I pipe the output of the ls command (which defaults to the current directory, and so will produce exactly one line: me ...) into the sh command, just to see what it does.

The output will be:
Code:
sh: 1: me: not found
Now you can clean-up with:
Code:
rm me
cd ..
rmdir foo
... first removing the empty-file, then removing the directory that we just created.

Okay, so what did we learn? Piping lines into sh causes it to attempt to execute each line as a command. (Here, it dutifully attempted to execute a command called me.)

It is fairly-nonsensical to do this using the content of the /etc directory, but you can in fact do it. (You could pipe a copy of Lincoln's Gettysburg Address into sh and it would do its best to execute each line as a command.)

What it will not do is, as you suggest, "magically remove the password from the root user." There is no security hole here.

Last edited by sundialsvcs; 08-19-2016 at 08:09 AM.
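
The mechanism discussed in this thread, where a file name in `ls` output coincides with a command name, as an added example that is not part of any post. The function name is hypothetical; it only looks names up and executes none of them:

```shell
#!/bin/sh
# Added example: list the entries of a directory whose bare names sh would
# resolve to a command (builtin, function, alias or a program on PATH).
# Each name is only looked up with `command -v`; nothing is run.

names_that_are_commands() {  # usage: names_that_are_commands DIR
    for path in "$1"/*; do
        [ -e "$path" ] || continue      # empty directory: glob did not match
        name=${path##*/}
        case $name in
            # Only plain single-word names are checked; names with spaces
            # or shell metacharacters, or a leading dash, are skipped.
            -*|*[!A-Za-z0-9._+-]*) continue ;;
        esac
        if command -v "$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
        fi
    done
}
```

Like a default `ls`, the `*` glob skips dot files, so the result matches what a plain directory listing would feed to the shell.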
 
Old 08-19-2016, 08:28 AM   #26
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,240

Rep: Reputation: 1408
Quote:
Originally Posted by sundialsvcs View Post
What it will not do is, as you suggest, "magically remove the password from the root user." There is no security hole here.
Do it as root.

Root does not require the initial password to set a new one so piping an ls into sh may change the root password depending on the list of files in the folder. (Although it would likely require two files with the same name)

I don't have a VM handy to risk it at the moment but may try tonight

Last edited by TenTenths; 08-19-2016 at 08:31 AM.
 
Old 08-19-2016, 08:46 AM   #27
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,342
Blog Entries: 4

Rep: Reputation: 3332
Quote:
Originally Posted by TenTenths View Post
Do it as root.
If you want to "fsck things up real quick" as root, why not try this, instead:

Code:
cd /
rm -rf *
Quote:
I'm joking, of course! I'm joking! Don't actually do this!!
After all, "it's your foot!" Shoot it off if you want to, but don't come a'hobblin' to me ...

root doesn't have to "pipe commands into a shell" to remove the password from anyone he pleases, in a typical system configuration where a central authorization-authority is not being used. He can "just do it."

- - - - -
Footnote: In partial recognition of this, some recent Linux releases (and Apple's latest OS/X ...) now limit the powers of the "once all-powerful root user." There are now some things that you will find that even root can't do ... some files that even root can't touch. The implementation is similar in some ways to UEFI: to impose limits that can't be overridden while the system is running.

Last edited by sundialsvcs; 08-19-2016 at 08:54 AM.
 
Old 08-19-2016, 08:49 AM   #28
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,240

Rep: Reputation: 1408
Quote:
Originally Posted by sundialsvcs View Post
If you want to "fsck things up real quick" as root, why not try this, instead:

Code:
cd /
rm -rf *
After all, "it's your foot!" Shoot it off if you want to, but don't come a'hobblin' to me ...
I'm well aware that as root you can break things easily, however the point of the OP is that he is allowing users to access a CLI as root, hence the original post.
 
Old 08-22-2016, 12:53 AM   #29
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,967

Rep: Reputation: 5721
Quote:
allowing users to access a CLI as root
That is exactly working as root, without any restriction. Including anything (like destroying the system).

In that case probably OP needs to check the sudoers file.
 
  

