
Thread: RH 8 local root vulnerability

  1. #21
    Senior Member
    Join Date
    Nov 2002
    Posts
    103
    I agree with making Linux easier to use so more people can use it; it's just that, in my opinion, Red Hat isn't for me. When I first started Linux I used Mandrake, which was very simple; it was Mandrake 7.1. Right now I use SuSE Linux 8.1, which to me is very easy and also has things for advanced users, and since I'm German, it's kind of nice that it's made where my ancestors came from. Also, I think Red Hat is a good distro (not for me, it's just not my thing), but for me I just like Debian, Slackware and SuSE more. I didn't mean to sound like a Red Hat hating machine, it's just not for me, but for people that are like you said, that and SuSE and Mandrake are perfect. I love SuSE, it has great GUI based things, and also I don't know if you've ever used it, but there's an option when you log in (you pick it in the spot where you pick what GUI to use) called xsplash I think? It's a CLI but lets you load GUI things and has a nice looking GUI, just it's all a command line, and also you can use your mouse. To me that's awesome because people afraid to learn without a GUI (I used to be) can use that or Eterm, which is another nice thing to have. Also SuSE has awesome hardware support: it found and installed drivers for my ZIP drive (external) and also everything I had except my scanner, and hasn't had a problem. My last uptime (today) was over 7 days and I had things loaded and was using things, and I work that machine out. Now that may not seem like much to a server or someone who built their PC, but this is a computer that's almost 4 years old (my first PC) and only has two fans and no hardware mods except RAM.

    http://www.linux.org is in my opinion a great resource, it has everything from tools to a walk-through of an install.

    http://www.linuxiso.org is in my opinion one of the best places to download a distro, they have more than just Linux and it's great.

    But anyway, this post is longer than I anticipated, so sorry about that, but I wanted my opinion in, and good luck to you in future hole findings. I thought it was neat that you found that in Red Hat.

  2. #22
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    Now with the recent bug in ptrace which made it possible to gain root locally, and the fast response from Cox and the major Linux brands, you should think they would have patched this too. Perhaps it's something for the 8.1? http://www.antionline.com/showthread...hreadid=241470

  3. #23
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    I do see what you are talking about because I was able to recreate the problem myself; however, I did notice that the only way this works is if you re-login as the same user that just logged off w/root privileges.

    This leads me to believe that it was done intentionally on the basis that if a user had superuser access before, why wouldn't he/she be able to have it again. I don't think that this "vulnerability" is as big of a risk as having the whole "key thing" in the first place.

  4. #24
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Creating a user with the UID of 0 is definitely a problem, especially if the number of users is high (more than 50). However, it's very easy to set up a cronjob to run hourly and check for all users that have UIDs of 0 and aren't named 'root'. It's also a good idea to have your /etc/group and /etc/passwd files in the tripwire database for changes such as these and an even better idea to have your logging sent to a remote machine so it can't be easily hijacked.

    It could be done like this:
    Code:
    awk -F: '$3 == 0 && $1 != "root" { print "Warning: " $1 " has root access (UID of 0)" }' /etc/passwd
    That's just a Q&D for checking your /etc/passwd for UID of 0. You can make it much more complex to suit your purposes, and while tripwire is a definite advantageous tool, you have to check logs every day, and you know what they say about security... 1 / convenience.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
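    Added example (not code from the thread or from any poster): the hourly cron check described above, written as a small POSIX shell script with the check in named functions so it can be tested against a constructed passwd file before being pointed at the real one. It goes slightly beyond the post by also listing any UID shared by more than one account, which catches the same class of problem for non-zero UIDs. The sample accounts, the file path and the cron line are assumptions made up for the example.

```shell
#!/bin/sh
# Added example: scan a passwd-format file for accounts other than "root"
# that carry UID 0, plus the general case of any UID shared by two accounts.
# Uses only awk and POSIX sh so it runs from cron on an old RH 8 box.

# Print one warning per non-root UID-0 account in the given passwd file.
# Exit status 1 if any were found, 0 otherwise, so cron only mails on hits.
find_uid0() {
    awk -F: '
        $3 == 0 && $1 != "root" {
            printf "Warning: %s has root access (UID 0)\n", $1
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Count non-root UID-0 accounts (useful for a metric or an assertion).
count_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { n++ } END { print n + 0 }' "$1"
}

# Generalisation of the same check: report every UID shared by more than one
# account, listing the account names that share it.
duplicate_uids() {
    awk -F: '
        { names[$3] = names[$3] sep[$3] $1; sep[$3] = ","; n[$3]++ }
        END {
            for (u in n)
                if (n[u] > 1) printf "UID %s shared by: %s\n", u, names[u]
        }
    ' "$1"
}

# Constructed sample passwd content (not from any real system): a normal
# layout plus one extra account, "toor", that shares UID 0 with root.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF

# Demonstration run against the sample; "|| true" so a hit does not abort
# a caller running under "set -e".
find_uid0 "$SAMPLE_PASSWD" || true
duplicate_uids "$SAMPLE_PASSWD"

# Assumed cron entry (hypothetical path) for the real file, once a copy of
# this script is installed:
#   0 * * * * root /usr/local/sbin/check_uid0.sh /etc/passwd
```

    The hourly run covers the window between tripwire reports; tripwire still records the change itself, and shipping syslog to a remote host keeps the warning out of reach of whoever added the account.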

  5. #25
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    It may seem like a vulnerability, but really, physical access or boot access = root access, it's that simple.


    PuRe
    Like this post? Visit PuRe's Information Technology Community. We've also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  6. #26
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Yes and no to your response...generally speaking, you have to enter root's password to enter 'maintenance mode' in single user mode from an interrupted boot sequence.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  7. #27
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Vorlin, you're quite wrong on that last post, or maybe you weren't clear on my post. What I meant to say is that anyone with physical access to the system is as good as the administrator. The reason I say this is because physical access means you can boot to another operating system besides what's installed on the hard disk drive, you can reinstall the operating system, hell, the whole hard disk can be taken. So if you see where I'm going with this, and I hope you do, anyone with physical access to a system can bypass any little security measures that are installed on an O.S. If I booted up Knoppix or any other operating system from a floppy or CD-ROM, then your security is useless, as I would have complete access to the data on the system; I would become the admin of the system. : ) Thus proving my point: boot access = root access


    PuRe

    just some words to think about.
    Like this post? Visit PuRe's Information Technology Community. We've also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  8. #28
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    PureExctacy, if you lock the case, altering physical parts becomes difficult, and if you disable floppy or CD-ROM boot-up (or they may not even be present) and password-protect the BIOS, it becomes a little more difficult to say physical access = root access. Anyway, I know there are BIOS crackers and that you can make your way in... bleh. But those things take time. The problem I noticed is that anyone can get root on a RH 8.0 system simply by clicking the mouse when the admin used the key authentication and logged out the user before the timeout or disabling of the authentication.

  9. #29
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    We are now 2 months from the first notice sent to RedHat and still counting...
    Come on RedHat

    From the BUGTRAQ faq
    source: http://www.securityfocus.com/popups/...aq.shtml#0.1.8
    0.1.8 What is the proper protocol to report a security vulnerability?

    A sensible protocol to follow while reporting a security vulnerability is as follows:

    Contact the product's vendor or maintainer and give them a one week period to respond. If they don't respond post to the list.
    RedHat responded the next working day

    If you do hear from the vendor give them what you consider appropriate time to fix the vulnerability. This will depend on the vulnerability and the product. It's up to you to make an estimate. If they don't respond in time post to the list.
    If they contact you asking for more time consider extending the deadline in good faith. If they continually fail to meet the deadline post to the list.
    2 months?

    When is it advisable to post to the list without contacting the vendor?

    When the product is no longer actively supported.
    When you believe the vulnerability to be actively exploited and not informing the community as soon as possible would cause more harm than good.
    I hope the new RH 9 will fix the bug

  10. #30
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    I mailed with RH; the issue will not be fixed in RH 9.
    The fix did not make it into RH 9.
    A bugzilla bug number is opened, but it is currently not viewable by the general public.
