[ale] Terminated user security question
Jim Kinney
jim.kinney at gmail.com
Sun Feb 13 13:54:23 EST 2022
Someone was justifiably fired who had full root sudo and I realized the scale of the environment made old method checks impossible. Still have to do a full audit of all root level scripts and crontabs (go git!). A fast and dirty was a total account purge.
What I'm really looking for is a way to not allow ANY file to be executed without regard to any chmod setting that has an owner with only UID and no username.
Said a different way, file execution requires owner name matching owner UID and execute bit set. So ownername NULL will always fail.
If other people are using anything he wrote, they are totally incompetent idiots and will soon be joining him in the soup line. Since all the other people were complaining about having to work with him, I doubt they trusted anything he did.
On February 13, 2022 12:48:43 PM EST, Bob Toxen via Ale <ale at ale.org> wrote:
>Sure it would be runnable, by anyone if its permissions include
>the 001 bit being set. This is trivial to prove by:
>
> su
> cd ~
> cp /bin/date zdate
> chmod 001 zdate
> chown 80 zdate
> su notroot
> ./zdate
>
>If you fear that your system has been hacked then refer to my book's
>chapters on recovering from hacks.
>
>Bob
>
>On Sat, Feb 12, 2022 at 08:03:43PM -0500, Jim Kinney via Ale wrote:
>> I'm 99.8% convinced that a binary or script owned by just a userID
>> number formerly associated with a deleted user can not be run by anyone
>> but root unless set chmod 755. Cron should fail as there's no entry
>> in passwd or ldap so no defined shell (and no crontab for the user
>> was found).
>
>> Can't readily browse up a link that explains operation on a deleted
>> user binary.
>
>> --
>> Computers amplify human error
>> Super computers are really cool
--
Computers amplify human error
Super computers are really cool
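
The following is an added example, not part of either poster's message: a shell audit that lists regular files with any execute bit set whose owner UID has no account, and can strip those bits. It reports and cleans up after the fact rather than blocking execution in the kernel. It assumes `getent` is available for account lookups, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a POSIX shell with find, ls,
# awk and chmod, plus getent so lookups follow NSS (passwd, LDAP, ...).
# Usage: orphaned_executables /usr/local
#        strip_orphaned_exec  /usr/local     (run as root)

# Succeeds when the numeric UID resolves to an account name.
owner_is_known() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print "UID MODE PATH" for every regular file under $1 that has ANY execute
# bit set (owner, group or other) and whose owner UID has no account.
# Mode 001 counts: as the quoted test shows, that bit alone lets others run it.
# Paths containing newlines are not handled.
orphaned_executables() {
    find "$1" -xdev -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r path; do
        # ls -n prints the numeric owner in field 3, mode string in field 1
        info=$(ls -lnd -- "$path" | awk '{print $3, $1}')
        uid=${info%% *}
        mode=${info#* }
        owner_is_known "$uid" || printf '%s %s %s\n' "$uid" "$mode" "$path"
    done
}

# Remove every execute bit, plus setuid/setgid, from the files reported above.
strip_orphaned_exec() {
    orphaned_executables "$1" |
    while IFS= read -r line; do
        path=${line#* }      # drop the UID field
        path=${path#* }      # drop the MODE field; spaces in PATH survive
        chmod a-x,u-s,g-s -- "$path" && printf 'stripped %s\n' "$path"
    done
}
```

Review the list from `orphaned_executables` before running `strip_orphaned_exec`, since files installed under a bare numeric UID on purpose will show up as well.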