Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Root directory 'bin bin'?

28 views
Skip to first unread message

Adam Shostack

unread,
Dec 8, 1993, 10:55:26 AM12/8/93
to
(This discussion started in comp.unix.aix. I've cross-posted
to comp.security.unix to get more input. The original question was
why not change AIX's / ownership from 'bin bin' to 'root staff'?)

Gary R. Hook (ho...@chaco.aix.dfw.ibm.com), (in article <CHoJG...@hawnews.watson.ibm.com>) wrote:
>In article <1993Dec7.1...@msc.cornell.edu>, ri...@msc.cornell.edu (Rick Cochran) writes:
>|>
>|> From what I have heard, it is easier to attack the 'bin' account than
>|> the 'root' account. If one obtains 'bin' status and the root
>|> directory is owned by 'bin', then it is trivial to obtain 'root'
>|> status.

>Who told you this? Why is any account easier to attack on a *IX system
>than any other account?

The root account is often carefully maintained, while some
people are careless about what bin can access. A number of cookbook
approaches involve getting access to the bin account, and then
promoting yourself to root.

The fact that bin is expired (mentioned in another post) may
well be irrelevant. Dan Farmer & Wietse Venema recently posted a
paper to the Firewalls mailing list in which they talked about
breaking in to systems by means other than password cracking/spoofing.

Tangental note: AIX, as shipped, is as vulnerable to at least
one of these attacks, DNS spoofing, as any other OS. To protect
yourself, remove *all* lines begining with # from /etc/hosts.equiv.
I've opened a call to ask IBM to remove this vulnerability from future
versions of AIX.

>Aren't you confusing a point on a filesystem with an account
>on the computer? Just because we call it the "root" of the filesystem
>doesn't mean it has anything to do with the *root* account.

No, hes not. If bin owns /, bin can write to /.rhosts, /bin/*,
/sbin/*, /boot, or just about anything with an appropriate use of
chmod. This leaves a path for just as long as it takes to get root
access this way and cover your tracks.


>|> What would be the consequences of changing the owner/group of / to root/system?

>Well, there are some daemons and such that expect certain ownerships
>on certain things. Perhaps a detailed examination of why you think
>changing ownership is a "good thing" is in order...but don't do it until
>you're sure you have (a) a recent backup :-), and (b) the time to
>fix/reinstall if the system won't run and/or boot.

Good advice. Why does bin own /? Why not default it to root
ownership?

--
Adam Shostack ad...@bwh.harvard.edu

Politics. From the greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.

Brad Powell

unread,
Dec 8, 1993, 2:38:30 PM12/8/93
to

The problem with "bin" owned directories.

Apologies to all that already know this.

NFS (and other network services using unix_auth) maps "root" to "nobody" over the net,
while "bin" is mapped to "bin".

Thus anything you NFS export that is "bin" owned can be changed.

Look for systems that NFS export " /usr " for instance; (try showmount -e victims-hostname)

"/usr/bin" happens to be a HOME directory for the account "bin", so ,on MY system where I can
become root and use mount(8) I mount your "/usr" directory, become "bin" on my system;
and change your binaries out from under you thus introducing a trojan.

OR I simply add a .rhosts entry into *your* /usr/bin directory; and then rsh to your host as
user "bin" (which happens to own "/etc" on some systems).

unix_auth over the net is a pretty poor thing to base anything you wish to keep secure,
most PC's for instance don't even understand it.

===========================================================================
Brad Powell : brad....@Sun.COM |
Sr. Network Security Analyst | Part time Cyberspace Investigator
Computer/Information Security. | and Security Consultant
Sun Microsystems Inc. |
---------------------------------------------------------------------------
The views expressed are those of the author and may
not reflect the views of Sun Microsystems Inc.
===========================================================================


Christopher Samuel

unread,
Dec 9, 1993, 11:19:22 AM12/9/93
to
In article <2e4tde$1...@hsdndev.harvard.edu> of comp.security.unix,
ad...@bwh.harvard.edu doodled:

> Tangential note: AIX, as shipped, is as vulnerable to at least one of


> these attacks, DNS spoofing, as any other OS. To protect yourself,
> remove *all* lines begining with # from /etc/hosts.equiv.

Ultrix is similarly vulnerable, it appears to ship with a .rhosts file
for root with this in it:

# @(#).rhosts for root 1.1 Ultrix 2/21/89

A DNS spoofers paradise.

Chris
--
Christopher Samuel, Computer Unit, U.W Aberystwyth, Aberystwyth, WALES
E-mail: c...@aber.ac.uk PGP 2.3 public key available on request
Then hast thou joined the ARPANET? Oh come to me, my bankrupt boy!
Quick, call the NIC! Send RFCs! He chortled in his joy. - RFC527

0 new messages