Path: sparky!uunet!olivea!spool.mu.edu!uwm.edu!ogicse!news.u.washington.edu!carson.u.washington.edu!dittrich
From: dittrich@carson.u.washington.edu (Dave Dittrich)
Newsgroups: comp.sys.sgi
Subject: Should be in FAQ: Security holes in default /etc/passwd file
Message-ID: <1992Dec24.193457.16465@u.washington.edu>
Date: 24 Dec 92 19:34:57 GMT
Sender: news@u.washington.edu (USENET News System)
Organization: University of Washington
Lines: 64

This should *DEFINITELY* be in the FAQ.

A recent attempt by someone at the University of California Riverside to
break into one of our computer systems using several standard IRIX
accounts has prompted me to post this article. Any system administrator
reading this post should carefully check their /etc/passwd file for
open accounts and check your /usr/adm/SYSLOG files and output from
LAST(1) for attempted/successful logins using the accounts mentioned
herein. Our site may not be the only one attacked by this person (or
others).

--==##==--

Over the summer there was a flurry of traffic about the default
/etc/passwd file distributed by SGI on their 4.0.x systems, which
prompted SGI to look into the accounts and discover several security
holes in SET-UID programs owned by lp (which were addressed by SGI).
As of IRIX 4.0.5, the open accounts are STILL THERE.

The default /etc/passwd file includes, among other entries, the following:

lp::9:9:Print Spooler Owner:/usr/spool/lp:/bin/sh
nuucp::10:10:Remote UUCP User:/usr/spool/uucppublic:/usr/lib/uucp/uucico
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
tutor::994:997:Tutorial User:/usr/tutor:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh

These entries were discovered after several systems were set up and AN
SGI TECHNICIAN USED THE lp ACCOUNT TO LOG ONTO A SYSTEM TO HELP DIAGNOSE
A PROBLEM on a LAN with several Indigos, AND THE TECH DIDN'T EVEN MENTION
THIS TO THE ADMINISTRATOR. The administrator had assumed that they
would be secure as delivered, and didn't bother to check them.

After the original post, an SGI techie on the net replied that SGI had
intended the systems to be easy to set up and use, and that it was the
responsibility of the administrator to ensure that /etc/passwd entries
were checked, and that the IRIX Site Administrator's Guide even points
this out (see pages 8-17 and 8-18).

This post immediately caused several administrators to reply that the
assumption that all systems would be put on LANs by knowledgeable and
cautious system administrators was overly optimistic. It was also
pointed out that the systems did not come with the Site Administrator's
Guide, but in fact required the administrator to be lucky enough to
receive a card from SGI offering to SELL the manual to them, or they
had to read about the manual on the net and ASK THEIR SGI REP to get
them one. After they had it, they would have to carefully read the
manual, especially the section on System Security (Chapter 8) and make
the connection.

Since the default /etc/passwd file still has these entries open as of
4.0.5, I would like to reiterate my displeasure with SGI for leaving
these holes open. In fact, SGI does state in the IRIX Site
Administrator's Guide (p. 8-18) that the lp account should be disabled.
I heartily agree with this, and would further add that the /etc/passwd
file should come with this account (and the rest of the open accounts)
disabled BY DEFAULT. If you really need them, you can enable them WITH
PASSWORDS when the time comes. Until then they should be closed.
Period. I hope SGI gets the message and does this before the next
release comes out, for everyone's sake.

If your 4.0.x machines are on the Internet, and you have not closed these
accounts, you should do so NOW to ensure that your machines are not
wide open to logins by unauthorized persons.

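The check the post asks administrators to perform, written out as an added example (this script is not part of Dittrich's post and not SGI's code). It scans a passwd-format file for entries whose second field, the encrypted password, is empty, which is exactly what makes the lp, nuucp, guest, tutor and demos entries quoted above "open": login(1) accepts any user whose stored password is empty without prompting. It then produces a locked copy with "*" in that field (a string no crypt(3) output can ever equal, so interactive login is refused while the account still owns its files), and cross-references the open logins against last(1)-style records to find the logins the post says to look for. The passwd sample is built from the five entries quoted in the post plus a root line with a placeholder hash; the last(1) lines, the host "remote.example.edu" and the user "admin" are constructed for the example.

```shell
#!/bin/sh
# Added example: find and lock passwordless accounts in a passwd-format file,
# and list logins that used them. Sample data is constructed, not captured.

PASSWD_FILE=$(mktemp) || exit 1
LAST_FILE=$(mktemp) || exit 1
LOCKED_FILE="$PASSWD_FILE.locked"
trap 'rm -f "$PASSWD_FILE" "$LAST_FILE" "$LOCKED_FILE"' EXIT

# Constructed /etc/passwd: the five open entries quoted in the post, plus a
# root line with a placeholder hash (not a real crypt(3) value).
cat > "$PASSWD_FILE" <<'EOF'
root:xyzabc123:0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/usr/spool/lp:/bin/sh
nuucp::10:10:Remote UUCP User:/usr/spool/uucppublic:/usr/lib/uucp/uucico
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
tutor::994:997:Tutorial User:/usr/tutor:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
EOF

# Constructed last(1)-style output: login, tty, remote host, session times.
cat > "$LAST_FILE" <<'EOF'
lp        ttyq2    remote.example.edu   Wed Dec 23 02:14 - 02:20  (00:06)
admin     ttyq1    console              Wed Dec 23 09:01 - 11:30  (02:29)
guest     ttyq3    remote.example.edu   Wed Dec 23 02:22 - 02:23  (00:01)
EOF

# open_accounts FILE: print the login name of every entry whose password
# field (field 2) is empty, i.e. every account that logs in with no password.
open_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# count_open_accounts FILE: number of such entries, for a quick pass/fail.
count_open_accounts() {
    open_accounts "$1" | wc -l | tr -d ' '
}

# lock_accounts FILE: emit a copy of FILE with "*" in every empty password
# field. Entries that already have a password are passed through unchanged.
lock_accounts() {
    awk -F: 'BEGIN { OFS = ":" } $2 == "" { $2 = "*" } { print }' "$1"
}

# suspicious_logins PASSWD LAST: last(1)-style records whose login name is
# one of the open accounts in PASSWD.
suspicious_logins() {
    for u in $(open_accounts "$1"); do
        awk -v user="$u" '$1 == user' "$2"
    done
}

echo "Open (passwordless) accounts:"
open_accounts "$PASSWD_FILE"
echo
echo "Logins recorded for open accounts:"
suspicious_logins "$PASSWD_FILE" "$LAST_FILE"
echo
echo "Locked copy written to $LOCKED_FILE:"
lock_accounts "$PASSWD_FILE" > "$LOCKED_FILE"
cat "$LOCKED_FILE"
```

On a live system, run open_accounts against /etc/passwd itself and, for each account reported, either set a real password with passwd(1) as root or lock it as shown; on systems that keep hashes elsewhere (a shadow file or NIS map), point the check at that source instead, since an empty field in /etc/passwd alone does not tell the whole story there. nuucp is flagged along with the rest even though its login shell is uucico rather than an interactive shell, because the post lists it as one of the open accounts and the password field is what the check is about.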