
Re: Shadow Passwording



On Sun, 15 Dec 1996, Biener Ariel wrote:
>On Sun, 15 Dec 1996, Yaron wrote:

>> Since some people asked about it over the dinner (which nobody has yet
>> summarized, I'm proud of you all), I have placed a precompiled version of
>> the Shadow-Suite (A bit outdated but still works) on anonymous FTP at
>> ftp://starlight.trendline.co.il/pub/shadow

>> Also there are binaries for wu-ftpd, xlockmore and XDM, along with the
>> Shadow-howto. 

>Umm, if we're talking about password files, and the most critical binaries
>for login and authentication, I would rather not install any outdated
>shadow suites. 

  The shadow suite does not change that often.  Even shadow-ina-box is 6
months old. And it takes a very long time to recompile it yourself.
Specifically if you go and grab the latest-and-greatest pieces one by
one.

 shadow-960129.tar.gz   04-Feb-96 00:57   221k
 shadow-ina-box-1.1.tgz 31-Jul-96 23:10     2M

  I would have been very happy to have a package available when I needed
it.

>By the way, anyone found a way to prevent running strace on programs to
>see the root password encrypted ???
>
>This for example does it nicely:
>
>strace ps >&/tmp/out
>
>now, when browsing the output...
>
>open("/etc/shadow", O_RDONLY)           = 7
>fstat(7, {st_mode=S_IFREG|0640, st_size=1078, ...}) = 0
>mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|0x20, 4294967295, 0) = 0x400c3000
>read(7, "root:SBLfvCRM6JzrI:9737:0:99999:"..., 4096) = 1078
>              ^^^^^^^^^^^^^

  Using your example and ps from procps version 0.99 [ps --version], I
get:

------------------------------------------------------
open("/etc/passwd", O_RDONLY)           = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=8467, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|0x20, 4294967295, 0) = 0x40008000
read(6, "root:x:0:0:root:/root:/bin/tcsh\n"..., 4096) = 4096
------------------------------------------------------

  And no mention of /etc/shadow, which would have been difficult as the
ps binary is not suid'ed [ls -l `which ps`] and /etc/shadow has
restricted access:

-rwxr-xr-x   1 root     bin         35859 May 25  1996 /bin/ps*
-rw-------   1 root     root         4832 Dec 10 01:02 /etc/shadow

  You might want to upgrade ps [procps-1.01 is on sunsite in
system/Status/ps] and make sure it is not suid'ed [and it should not be]. 

  This being said, it might be the case that using strace on an suid'ed
binary such as su might get better results.  Over here
[strace su >&/tmp/out] yields:

strace: exec: Operation not permitted

alex
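
Added example, not part of the original message: a shell check for the two conditions the reply relies on, namely that ps carries no setuid/setgid bit and that /etc/shadow is readable by its owner only, as in the listing above. The function names are hypothetical, and anything beyond owner-only access on the shadow file is treated as a finding.

```shell
#!/bin/sh
# Added example (constructed); function names are hypothetical.

# Succeeds if PATH has the setuid or setgid bit set.
is_privileged_binary() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Succeeds if group or others hold a read bit on PATH.
# -prune keeps find on the named file itself; -perm -NNN means
# "all of these bits are set".
readable_beyond_owner() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# audit SHADOW_FILE BINARY...
# BINARY arguments are programs that should run unprivileged (ps, not su).
# Returns 0 when clean, 1 when any finding is reported.
audit() {
    shadow=$1
    shift
    rc=0
    if readable_beyond_owner "$shadow"; then
        echo "WARN: $shadow is readable by group or others"
        rc=1
    fi
    for bin in "$@"; do
        if is_privileged_binary "$bin"; then
            echo "WARN: $bin is setuid/setgid and could open $shadow"
            rc=1
        fi
    done
    return $rc
}

# Run against real paths only when arguments are given, e.g.
#   sh audit.sh /etc/shadow "$(command -v ps)"
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```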

