Mailinglist Archive: opensuse-security (601 mails)
Re: [suse-security] crypt()
- From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
- Date: Wed, 16 Aug 2000 14:38:18 -0600
- Message-id: <001d01c007c1$e9e73460$6900030a@xxxxxxxxxxxx>
> Kurt Seifried wrote:
> >
> > You people really have short memories. Xlockmore exposed the shadow file
> > (even on OpenBSD). There have been various core dump issues with privileged
> > programs that expose /etc/shadow..... etc.
> >
> > Kurt
>
> What is xlockmore? On my systems, I didn't find it (yet). Is it
> part of a root kit or just a bad example of a lock program for X?
xlock is an X screensaver locker thingy for X. Mandrake had it, TurboLinux
had it, NetBSD, OpenBSD interestingly enough just put out a thing saying
there is a string vulnerability. The problem was xlock could crash and
expose /etc/shadow. There are many other incidents as pointed out where
programs have had flaws allowing an attacker to cause it to core dump with
passwords/etc in the core dump.
Relying on /etc/shadow to be impenetrable is RETARDED. IT ISN'T. If it's on
the filesystem attackers will find a flaw in something that allows them to
get at it.
Security is about risk management. Using /etc/shadow is good risk management
because it makes it significantly harder for most attackers to get ahold of
the passwords. Using MD5 or Blowfish instead of crypt is additional risk
management, and a good idea in general.
> --emmerich
-Kurt
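
An added example, not part of the original message: a small audit that reads shadow(5)-format lines and reports accounts whose stored hash is still traditional DES crypt (or empty) rather than MD5 (`$1$`) or Blowfish (`$2a$`). The sample lines and hash values are constructed placeholders, and the names `classify` and `audit` are hypothetical.

```python
import re

# Constructed sample in shadow(5) format; the hash values are placeholders.
SAMPLE = [
    "root:$1$saltsalt$" + "A" * 22 + ":11185:0:99999:7:::",
    "alice:abXXXXXXXXXXX:11185:0:99999:7:::",
    "bob:$2a$08$" + "B" * 53 + ":11185:0:99999:7:::",
    "carol:!abXXXXXXXXXXX:11185:0:99999:7:::",
    "daemon:*:11185:0:99999:7:::",
    "dave::11185:0:99999:7:::",
]

DES_RE = re.compile(r"[./0-9A-Za-z]{13}")   # 2 salt chars + 11 hash chars
BLOWFISH_RE = re.compile(r"\$2[abxy]?\$")   # $2$, $2a$, $2b$, $2x$, $2y$

def classify(field):
    """Return the scheme of one shadow password field."""
    if field == "":
        return "empty"                      # no password required
    # A leading "!" marks a locked account; the hash behind it is still on disk.
    body = field.lstrip("!")
    if body == "" or body.startswith("*"):
        return "no-login"
    if body.startswith("$1$"):
        return "md5"
    if BLOWFISH_RE.match(body):
        return "blowfish"
    if DES_RE.fullmatch(body):
        return "des"
    return "other"

def audit(lines):
    """Return (user, scheme) for accounts with a DES hash or an empty field."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split(":")
        if line.startswith("#") or len(parts) < 2:
            continue
        scheme = classify(parts[1])
        if scheme in ("des", "empty"):
            findings.append((parts[0], scheme))
    return findings

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user}: {scheme}")
```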