setting multiple user id to 0 (zero) is bad ! Why?
Greetings,

Friends, I am in a situation with one of my clients who uses (yes, that one again!!) uucp. Now their previous techies set all the user IDs for the system to 0 (zero). Oh! and all the GIDs as well. Now I have come in and had to fix this, but I get resistance.

I have only one good reason why not to right now: with uucp on one site all the files are transferred but not removed from the queue; only when I set the user ID to 14 (IIRC) and the GID to 512, and of course changed all the on the relevant configs and files, would it clean the remote queue. This reason however has been flawed, as we have other sites that work properly with all the UIDs and GIDs set to 0 (zero).

I need more reasons explaining how this affects the system integrity and functionality; the trick here is they don't give two hoots about the security aspect. So to win my case professionally and cleverly, I ask for real opinions and reasons.

Could you please assist.

--
Chadley Wilson
Production Line Superintendent
Pinnacle Micro
Manufacturers of Proline Computers
====================================
Exercise freedom, Use LINUX
=====================================
Thu, 30 Jun 2005, by chadley@pinteq.co.za:
> Greetings,
>
> Friends, I am in a situation with one of my clients who uses (yes, that one again!!) uucp.
> Now their previous techies set all the user IDs for the system to 0 (zero). Oh! and all the GIDs as well. Now I have come in and had to fix this, but I get resistance.
> [..]
> I need more reasons explaining how this affects the system integrity and functionality; the trick here is they don't give two hoots about the security aspect. So to win my case professionally and cleverly, I ask for real opinions and reasons.
Any exploit of this uucp system would give an attacker full access to that system. Because uucp is hardly being used anymore, there aren't a lot of people looking at the source anymore, at least not a lot of white-hats. Tell your organisation that security isn't just about the inconvenience of having to rebuild a system after it's been rooted; it's also about ending up in firewall IP lists, RBLs, maybe seeing your name spread over the Internet as having a kiddy-porn FTP server, etc.

Theo

--
Theo v. Werkhoven
Registered Linux user# 99872 http://counter.li.org
ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131
SUSE 9.2 + Jabber: muadib@jabber.xs4all.nl
Kernel 2.6.8 + See headers for PGP/GPG info.
Claimer: any email I receive will become my property. Disclaimers do not apply.
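As an added example (not part of any message in this thread, and not from any project the thread mentions), here is a small audit script a defender could use to find the condition Theo is describing: every account with UID 0 is root to the kernel whatever its login name, so a compromise of any of them is a root compromise, and accounts sharing a UID cannot be told apart by file ownership or by process accounting. The passwd and group data below are constructed sample files; the functions take a path, so on a real host they can be pointed at /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example: audit passwd/group files for accounts and groups that
# share UID 0 / GID 0, and for any UID used by more than one login.
# Not the thread's own code; sample data below is constructed.

# Login names whose UID is 0 but whose name is not "root".
# The kernel treats each of these as root, whatever the login name.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Number of such accounts; 0 on a healthy system.
count_extra_uid0() {
    extra_uid0_accounts "$1" | wc -l | tr -d ' '
}

# Group names (other than the group named "root") whose GID is 0.
extra_gid0_groups() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Every UID that appears on more than one passwd line, followed by the
# logins sharing it, e.g. "0 root uucp nuucp". File ownership and
# accounting records cannot distinguish accounts that share a UID.
shared_uids() {
    awk -F: '{ users[$3] = users[$3] " " $1; n[$3]++ }
             END { for (u in n) if (n[u] > 1) print u users[u] }' "$1" | sort -n
}

# Constructed sample data, modelled on the thread's description
# (uucp accounts given UID 0 and GID 0); not taken from any real host.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
uucp:x:0:0:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
nuucp:x:0:0:Unix-to-Unix CoPy system:/var/lib/uucp:/usr/sbin/uucico
chadley:x:1000:100:Chadley Wilson:/home/chadley:/bin/bash
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
uucp:x:0:uucp,nuucp
users:x:100:
EOF

echo "Accounts with UID 0 besides root:"
extra_uid0_accounts "$SAMPLE_PASSWD"
echo "Groups with GID 0 besides root:"
extra_gid0_groups "$SAMPLE_GROUP"
echo "UIDs shared by more than one login:"
shared_uids "$SAMPLE_PASSWD"
```

On the sample data the script reports uucp and nuucp as extra UID 0 accounts, the uucp group as an extra GID 0 group, and UID 0 as shared by root, uucp and nuucp. A clean host prints nothing under the first two headings and nothing under the third.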
On 6/30/05, Chadley Wilson
> Greetings,
>
> Friends, I am in a situation with one of my clients who uses (yes, that one again!!) uucp.
> Now their previous techies set all the user IDs for the system to 0 (zero). Oh! and all the GIDs as well. Now I have come in and had to fix this, but I get resistance.
> I have only one good reason why not to right now:
> with uucp on one site all the files are transferred but not removed from the queue; only when I set the user ID to 14 (IIRC) and the GID to 512, and of course changed all the on the relevant configs and files, would it clean the remote queue. This reason however has been flawed, as we have other sites that work properly with all the UIDs and GIDs set to 0 (zero).
> I need more reasons explaining how this affects the system integrity and functionality; the trick here is they don't give two hoots about the security aspect. So to win my case professionally and cleverly, I ask for real opinions and reasons.
> Could you please assist.
>
> --
> Chadley Wilson
> Production Line Superintendent
> Pinnacle Micro
> Manufacturers of Proline Computers
> ====================================
> Exercise freedom, Use LINUX
> =====================================
The moment they get a letter in the mail from the ISP and/or lawyer informing them that their server contains copyrighted material, questionable content, etc., etc., they'll care. And all the "we didn't know" won't help bad PR in the news, especially when the news reports that it was due to sloppy and lazy security practices. Of course, they'll try to blame someone else ("It's the consultant's fault."), so get some CYA documentation with signatures and a few emails for added weight and evidence to at least absolve yourself if/when it hits the fan.

Oh, and gently remind them that around 80 percent (last I checked anyway) of all security breaches take place inside, not outside, the company network; and then ask just how important the data is to the company and its revenue. Would the cost of lost data (maybe the next big widget or gizmo that makes millions) be more than the cost of proper security best practices? Is it worth losing a competitive edge to your competition? Black hats don't waste time with website defacements anymore. Corporate espionage is big business. If the black hat owns the server, he owns the data and is free to bend the contents of the data to his amusement, or sell it or make it available to whom he pleases.

John