Re: Shadow Passwording
On Sun, 15 Dec 1996, Biener Ariel wrote:
>On Sun, 15 Dec 1996, Yaron wrote:
>> Since some people asked about it over the dinner (which nobody has yet
>> summarized, I'm proud of you all), I have placed a precompiled version of
>> the Shadow-Suite (A bit outdated but still works) on anonymous FTP at
>> ftp://starlight.trendline.co.il/pub/shadow
>> Also there are binaries for wu-ftpd, xlockmore and XDM, along with the
>> Shadow-howto.
>Umm, if we're talking about password files, and the most critical binaries
>for login and authentication, I would rather not install any outdated
>shadow suites.
The shadow suite does not change that often. Even shadow-ina-box is 6
months old. And it takes a very long time to recompile it yourself.
Especially if you go and grab the latest-and-greatest pieces one by
one.
shadow-960129.tar.gz 04-Feb-96 00:57 221k
shadow-ina-box-1.1.tgz 31-Jul-96 23:10 2M
I would have been very happy to have a package available when I needed
it.
>By the way, anyone found a way to prevent running strace on programs to
>see the root password encrypted ???
>
>This for example does it nicely:
>
>strace ps >&/tmp/out
>
>now, when browsing the output...
>
>open("/etc/shadow", O_RDONLY) = 7
>fstat(7, {st_mode=S_IFREG|0640, st_size=1078, ...}) = 0
>mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|0x20, 4294967295, 0) = 0x400c3000
>read(7, "root:SBLfvCRM6JzrI:9737:0:99999:"..., 4096) = 1078
> ^^^^^^^^^^^^^
Using your example and ps from procps version 0.99 [ps --version], I
get:
------------------------------------------------------
open("/etc/passwd", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=8467, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|0x20, 4294967295, 0) = 0x40008000
read(6, "root:x:0:0:root:/root:/bin/tcsh\n"..., 4096) = 4096
------------------------------------------------------
And no mention of /etc/shadow, which would have been difficult as the
ps binary is not suid'ed [ls -l `which ps`] and /etc/shadow has
restricted access:
-rwxr-xr-x 1 root bin 35859 May 25 1996 /bin/ps*
-rw------- 1 root root 4832 Dec 10 01:02 /etc/shadow
You might want to upgrade ps [procps-1.01 is on sunsite in
system/Status/ps] and make sure it is not suid'ed [and it should not be].
This being said, it might be the case that using strace on an suid'ed
binary such as su might get better results. Over here
[strace su >&/tmp/out] yields
strace: exec: Operation not permitted
alex
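
An added example, not part of the original message or of the shadow suite: a shell check for the two conditions the reply relies on, that a binary such as ps carries no setuid/setgid bit and that the shadow file grants nothing to group or other. The function names are assumptions made for this illustration.

```sh
#!/bin/sh
# Added illustration; function names are hypothetical, not from the thread.

# Succeeds if the file carries the setuid or setgid bit.
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Succeeds only if group and other have no permission bits at all, i.e. the
# mode string from ls looks like "-rw-------". A missing or unlistable path
# is treated as not private so that it shows up in the audit.
is_private() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case $mode in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: audit_exposure SHADOW_FILE BINARY...
# Prints one WARN line per finding; returns non-zero if anything was found.
audit_exposure() {
    shadow=$1; shift
    findings=0
    if ! is_private "$shadow"; then
        echo "WARN $shadow is accessible to group or other (or missing)"
        findings=$((findings + 1))
    fi
    for bin in "$@"; do
        if is_setid "$bin"; then
            echo "WARN $bin is setuid/setgid and runs with its owner's or group's privileges"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run only when arguments are given, e.g.:
#   sh audit.sh /etc/shadow "$(command -v ps)"
if [ "$#" -gt 0 ]; then
    audit_exposure "$@"
fi
```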