Regarding sudo - Setup

This is a discussion on Regarding sudo - Setup ; Ok, let's do things pass by pass --you have a root acount blocked for security. --you have to use sudo instead. fine --to install, configure, change a setting on the system you must $ sudo whatever and this whatever command ...

+ Reply to Thread
Page 1 of 3 1 2 3 LastLast
Results 1 to 20 of 51

Thread: Regarding sudo

  1. Regarding sudo

    Ok, let's do things pass by pass

    --you have a root acount blocked for security.

    --you have to use sudo instead. fine

    --to install, configure, change a setting on the system you must
    $ sudo whatever
    and this whatever command has more rights then the commom user.
    Ok, so what appens right after the comand "sudo whatever" ??
    a password is asked? who's password?

    reply me this so that i may continue... please



  2. Re: Regarding sudo

    On 2007-07-12, ArameFarpado wrote:
    > Ok, let's do things pass by pass
    >
    > --you have a root acount blocked for security.
    >
    > --you have to use sudo instead. fine
    >
    > --to install, configure, change a setting on the system you must
    > $ sudo whatever
    > and this whatever command has more rights then the commom user.
    > Ok, so what appens right after the comand "sudo whatever" ??
    > a password is asked? who's password?


    man sudo:

    ... Otherwise, sudo requires that users authenticate themselves
    with a password by default (NOTE: in the default configuration
    this is the user's password, not the root password). Once a
    user has been authenticated, a timestamp is updated and the
    user may then use sudo without a password for a short period of
    time (5 minutes unless overridden in sudoers).


    --
    Chris F.A. Johnson, author |
    Shell Scripting Recipes: | My code in this post, if any,
    A Problem-Solution Approach | is released under the
    2005, Apress | GNU General Public Licence

  3. Re: Regarding sudo

    Em Quinta, 12 de Julho de 2007 02:40, Chris F.A. Johnson escreveu:

    > On 2007-07-12, ArameFarpado wrote:
    >> Ok, let's do things pass by pass
    >>
    >> --you have a root acount blocked for security.
    >>
    >> --you have to use sudo instead. fine
    >>
    >> --to install, configure, change a setting on the system you must
    >> $ sudo whatever
    >> and this whatever command has more rights then the commom user.
    >> Ok, so what appens right after the comand "sudo whatever" ??
    >> a password is asked? who's password?

    >
    > man sudo:
    >
    > ... Otherwise, sudo requires that users authenticate themselves
    > with a password by default (NOTE: in the default configuration
    > this is the user's password, not the root password). Once a
    > user has been authenticated, a timestamp is updated and the
    > user may then use sudo without a password for a short period of
    > time (5 minutes unless overridden in sudoers).
    >
    >

    in the default configuration this is the user's password

    Cool, nice , very nice indeed. thanks Chris.

    So now i can continue (but i only be replying tomorrow.. time to bed)

    ok, continuing pass by pass

    --fact, in linux, a program started by a user gains the same previleges as
    the user, if you can write there so can the program, if you can't, so the
    program can't too.

    --fact, you, as a normal user, can read you password, you can even change
    it.

    --fact, at least one user should be a "sudoer", as by default the root
    acount is desabled. let's say it's you... sudoerrrrr
    And more, many guys that install ubunto, kubunto, etc, keep everything in
    default way, and it's common in home users there is just one user registed,
    the sudoer.

    Are you follow so far?

    Now, you are a sudoer, but you are not using sudo now, you don't need to
    write anywhere on the system now, and you are confortable using your system
    as a normal user, you know you should not use sudo except when needed and
    you think your system is protected that way. OK
    BUT!!! if you can do "sudo something" and then gain more previleges with
    your own password, the one you can read and change it, what in hell will
    prevent a program to do the same? if you can read your pass so can programs
    started by you. right? After all, you use a program to access your password
    and change it (at least kde as a program that do this).

    Can't you see that sudo, configured this way, is a nice way to a future and
    possible malware gain previleges? Security goes down the drain...
    This sudo stuff is just a dangerous point waiting to be exploited.

    At least you should use sudo with the root password, then malware would have
    to guess it, as a normal user can not read the root password, and neither
    any program started by the normal user.

    Did i get my point understood ??


    Regards everyone
    ArameFarpado


  4. Re: Regarding sudo

    ArameFarpado writes:
    > if you can do "sudo something" and then gain more previleges with your
    > own password, the one you can read and change it, what in hell will
    > prevent a program to do the same?


    Neither you nor any program can read any password. Passwords are not
    stored anywhere on the system.

    > This sudo stuff is just a dangerous point waiting to be exploited.


    You understand neither sudo nor password authentication.
    --
    John Hasler
    john@dhh.gt.org
    Dancing Horse Hill
    Elmwood, WI USA

  5. Re: Regarding sudo

    On 2007-07-12, ArameFarpado wrote:
    >
    > BUT!!! if you can do "sudo something" and then gain more previleges with
    > your own password, the one you can read and change it, what in hell will
    > prevent a program to do the same? if you can read your pass so can programs
    > started by you. right?


    No, they can't, unless you're stupid enough to store your password on
    diskNo, they can't, unless you're stupid enough to store your password
    on disk..

    > Can't you see that sudo, configured this way, is a nice way to a future and
    > possible malware gain previleges? Security goes down the drain...
    > This sudo stuff is just a dangerous point waiting to be exploited.


    No it's not. sudo can only do what the user explictly allows it to.

    > At least you should use sudo with the root password,


    There's little point to using sudo with the root password, just su instead.

    > Did i get my point understood ??


    If your premise were true, your conclusions would be valid, but your
    premise is false.

    It doesn't matter, anyway, since it's *your* box and you can do what you
    want with it. If you don't want to use sudo, don't.

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me)
    AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


  6. Re: Regarding sudo

    Em Quinta, 12 de Julho de 2007 04:41, John Hasler escreveu:

    > ArameFarpado writes:
    >> if you can do "sudo something" and then gain more previleges with your
    >> own password, the one you can read and change it, what in hell will
    >> prevent a program to do the same?

    >
    > Neither you nor any program can read any password. Passwords are not
    > stored anywhere on the system.

    This is funny, of course they are...

    >> This sudo stuff is just a dangerous point waiting to be exploited.

    >
    > You understand neither sudo nor password authentication.

    Oh really?



  7. Re: Regarding sudo

    Em Quinta, 12 de Julho de 2007 05:27, Keith Keller escreveu:

    > On 2007-07-12, ArameFarpado wrote:
    >>
    >> BUT!!! if you can do "sudo something" and then gain more previleges with
    >> your own password, the one you can read and change it, what in hell will
    >> prevent a program to do the same? if you can read your pass so can
    >> programs started by you. right?

    >
    > No, they can't, unless you're stupid enough to store your password on
    > diskNo,


    Ah right! so my system knows i'm writing my password by magic!
    Even the root password is stored on disk!
    Don't you know you can recover a forgotten root password on any system,
    using a live-cd? I did it once.

    If the password is not stored in disk, then explain how the computer knows
    if i'm writing the right one? does it not going to need to "compare" one
    with the other to see if they match ?

    You're going to say, it's hard to read because it's encripted?
    it's only hard (not impossible) for humans, not programs.


    >> Can't you see that sudo, configured this way, is a nice way to a future
    >> and possible malware gain previleges? Security goes down the drain...
    >> This sudo stuff is just a dangerous point waiting to be exploited.

    >
    > No it's not. sudo can only do what the user explictly allows it to.

    my my...

    >> At least you should use sudo with the root password,

    >
    > There's little point to using sudo with the root password, just su
    > instead.

    how? we're talking about ubuntu here.
    there is no root acount. and every thing is made using sudo, so sudo gives
    access to everything.

    >> Did i get my point understood ??

    >
    > If your premise were true, your conclusions would be valid, but your
    > premise is false.
    >
    > It doesn't matter, anyway, since it's *your* box and you can do what you
    > want with it. If you don't want to use sudo, don't.

    I don't of course, i'm not the one worried, it's ubuntu, kubuntu, xubunto,
    etc users that should be.


    I really like to now what is your ideia about the passwords are not stored
    on disk? where the hell do you think they are?




  8. Re: Regarding sudo

    On 12 Jul, 09:58, ArameFarpado wrote:
    > Em Quinta, 12 de Julho de 2007 04:41, John Hasler escreveu:
    >
    > > ArameFarpado writes:
    > >> if you can do "sudo something" and then gain more previleges with your
    > >> own password, the one you can read and change it, what in hell will
    > >> prevent a program to do the same?

    >
    > > Neither you nor any program can read any password. Passwords are not
    > > stored anywhere on the system.

    >
    > This is funny, of course they are...
    >
    > >> This sudo stuff is just a dangerous point waiting to be exploited.

    >
    > > You understand neither sudo nor password authentication.

    >
    > Oh really?


    Really. We just went through this concerning Subversion
    authentication, with another very excited freshman proclaiming in
    effect, that "wow! Having passwords means they're kept somewhere so
    you can use them! That's bad!".

    Go read Simson Garfinkel's book on UNIX Security. While I disagree
    with many of his conclusions and think he handwaves a lot, he covers
    the basics of how this works.

    If you don't have the time, be clear that users occastionally need to
    do things as root or administrative users. Whatever program is used to
    elevate their privileges, whether it be "su" or "sudo", has to have
    some means of deciding that the user is permitted to do so. This
    usually means passwords: whether it's "su" or "sudo", it has to read
    your password at the command line and do something with it.

    Sudo has a tremendous advantage because it allows fine-grained
    control, to allow users or groups to do very specific operations
    without having to type a password, or control specific users being
    able to do specific tasks as other users without having to become a
    root users in the process. It also allows the user to use their own,
    personal password, rather than having to publish the root password for
    the system.


  9. Re: Regarding sudo

    On 12 Jul, 10:11, ArameFarpado wrote:

    > If the password is not stored in disk, then explain how the computer knows
    > if i'm writing the right one? does it not going to need to "compare" one
    > with the other to see if they match ?


    The computer does not store the key in well built software.
    (Subversion command line clients and a lot of poorly configured jabber
    servers are a notable exception to this, darn it!) The computer stores
    a shape of a lock. It's called "cryptography". The password is stored
    only in encrypted format: if the password you type in is encrypted by
    a similar program and matches the encrypted password, it's detected as
    correct. There are more complex ways to do this, involving exchanging
    public and private keys, but this is the key.

    I have no idea what magic you think you did with your live CD: I
    assume you read the password from somewhere else it was stored.


  10. Re: Regarding sudo

    Em Quinta, 12 de Julho de 2007 11:07, Nico escreveu:

    > On 12 Jul, 10:11, ArameFarpado wrote:
    >
    >> If the password is not stored in disk, then explain how the computer
    >> knows if i'm writing the right one? does it not going to need to
    >> "compare" one with the other to see if they match ?

    >
    > The computer does not store the key in well built software.
    > (Subversion command line clients and a lot of poorly configured jabber
    > servers are a notable exception to this, darn it!) The computer stores
    > a shape of a lock. It's called "cryptography". The password is stored
    > only in encrypted format: if the password you type in is encrypted by
    > a similar program and matches the encrypted password, it's detected as
    > correct. There are more complex ways to do this, involving exchanging
    > public and private keys, but this is the key.

    passwords are stored in /etc/passwd or /etc/shadow, encrypted? yes.
    but the decrypting sequence is also stored in the system, or not even the
    system could read it.


    >
    > I have no idea what magic you think you did with your live CD: I
    > assume you read the password from somewhere else it was stored.

    no idea ? google for "recover root password" and you will find how to do it:

    --computer A had it's root password forgoten.

    --copy files /etc/passwd and /etc/shadow of computer B to a usb-pen.

    --boot computer A with a live-cd.

    --replace existing files on disk with the ones on the pen.

    --now, root password of computer A is the same of computer B

    if there is no 2º computer, that can also be done, example, use a slax
    live-cd, and use it's files... pass root in slax cd is "toor".

    ending, boot recovered computer, set new password for root and for all
    users.


    do you guys think i'm some newbie that doesn't know what is talking about?
    think again...



  11. Re: Regarding sudo

    ArameFarpado wrote:
    > Em Quinta, 12 de Julho de 2007 11:07, Nico escreveu:
    >
    >> On 12 Jul, 10:11, ArameFarpado wrote:
    >>
    >>> If the password is not stored in disk, then explain how the computer
    >>> knows if i'm writing the right one? does it not going to need to
    >>> "compare" one with the other to see if they match ?

    >> The computer does not store the key in well built software.
    >> (Subversion command line clients and a lot of poorly configured jabber
    >> servers are a notable exception to this, darn it!) The computer stores
    >> a shape of a lock. It's called "cryptography". The password is stored
    >> only in encrypted format: if the password you type in is encrypted by
    >> a similar program and matches the encrypted password, it's detected as
    >> correct. There are more complex ways to do this, involving exchanging
    >> public and private keys, but this is the key.

    > passwords are stored in /etc/passwd or /etc/shadow, encrypted? yes.
    > but the decrypting sequence is also stored in the system, or not even the
    > system could read it.


    No.
    As Nico said - the password is NOT stored on the system.
    There is no way to decrypt the information to recover a password.
    (except by brute force password guessing - and you would need to have
    privileged access to the system to do this).

    The system checks that you have entered the correct password, by
    encrypting it in the same way as the key and then checking it matches.

    >
    >> I have no idea what magic you think you did with your live CD: I
    >> assume you read the password from somewhere else it was stored.

    > no idea ? google for "recover root password" and you will find how to do it:
    >
    > --computer A had it's root password forgoten.
    >
    > --copy files /etc/passwd and /etc/shadow of computer B to a usb-pen.
    >
    > --boot computer A with a live-cd.
    >
    > --replace existing files on disk with the ones on the pen.
    >
    > --now, root password of computer A is the same of computer B
    >
    > if there is no 2º computer, that can also be done, example, use a slax
    > live-cd, and use it's files... pass root in slax cd is "toor".
    >


    So - you haven't recovered the password.
    You have replaced it with a new one.


    JohnT

  12. Re: Regarding sudo

    Em Quinta, 12 de Julho de 2007 11:03, Nico escreveu:

    >> > You understand neither sudo nor password authentication.

    >>
    >> Oh really?

    >
    > Really. We just went through this concerning Subversion
    > authentication, with another very excited freshman proclaiming in
    > effect, that "wow! Having passwords means they're kept somewhere so
    > you can use them! That's bad!".
    >
    > Go read Simson Garfinkel's book on UNIX Security. While I disagree
    > with many of his conclusions and think he handwaves a lot, he covers
    > the basics of how this works.
    >
    > If you don't have the time, be clear that users occastionally need to
    > do things as root or administrative users. Whatever program is used to
    > elevate their privileges, whether it be "su" or "sudo", has to have
    > some means of deciding that the user is permitted to do so. This
    > usually means passwords: whether it's "su" or "sudo", it has to read
    > your password at the command line and do something with it.
    >
    > Sudo has a tremendous advantage because it allows fine-grained
    > control, to allow users or groups to do very specific operations
    > without having to type a password, or control specific users being
    > able to do specific tasks as other users without having to become a
    > root users in the process. It also allows the user to use their own,
    > personal password, rather than having to publish the root password for
    > the system.

    you didn't get the point yet...

    sudo may be fine in debian, gentoo, etc... as it has limited power (or might
    have, depending how it's configured) regarding to the root acount. even
    there, i don't recommend using it whit the same password as user login.
    but in ubuntu it's sudo that does everything, don't tell me it has limited
    power because it doesn't. and there is no root acount (blocked by default).

    kde has a program that a normal user can set and change his password without
    knowing the root password, so don't tell me that only root can set
    passwords. every user can set its own password
    when using that program to change the password, first the user is asked to
    type the actual password, and that program can check if the typed pass
    match the stored pass to move on... if this program can do it, why can't
    others ?


    in case of a sudoer (dont' forget i'm talking about default conf of ubuntu),
    it is his OWN (and the same) password that is asked when using sudo.

    working sudo in a console, the pass is asked in the same konsole, there
    isn't a windowed popup visible to the user like it appens using kdesu.
    a lot of programs use console command when working and you don't see them:
    k3b pass the burning jog to wodim and wodim pass the reports to k3b,
    without the user see them.
    The same will appens if a program call sudo in background, where is the pass
    asked? to the program that made the call.



    i can't believe you guys don't see a exploit here, well i do, and a big one.

    imagine a trojan changing your own pass to "cracked" and start using sudo...
    if you are a sudoer, your in big trouble.. the trojan can do whatever he
    like...


    regards




  13. Re: Regarding sudo

    Em Quinta, 12 de Julho de 2007 13:26, John Taylor escreveu:

    > As Nico said - the password is NOT stored on the system.

    Wrong...it is just not stored the way you have typed it.

    the pass is stored encrypted and also the encrypting sequence... now add
    2+2.

    > There is no way to decrypt the information to recover a password.
    > (except by brute force password guessing - and you would need to have
    > privileged access to the system to do this).
    >
    > The system checks that you have entered the correct password, by
    > encrypting it in the same way as the key and then checking it matches.

    once having the encrypting sequence, you can encrypt and decrypt if youdo
    sequence in backwords.

    >> if there is no 2º computer, that can also be done, example, use a slax
    >> live-cd, and use it's files... pass root in slax cd is "toor".
    >>

    >
    > So - you haven't recovered the password.
    > You have replaced it with a new one.

    Course, do you imagine the trouble that is for a humam to decrypt a
    password? while software can do it in microseconds...
    for a humam, it is easier to change it without having to know the old one,
    and the result is the same.


  14. Re: Regarding sudo

    Nico writes:
    > The password is stored only in encrypted format...


    The password is _not_ stored in encrypted form. A _one-way hash_ of the
    password is stored. This hash does not contain enough information to
    regenerate the password.
    --
    John Hasler
    john@dhh.gt.org
    Dancing Horse Hill
    Elmwood, WI USA

  15. Re: Regarding sudo

    ArameFarpado writes:
    > passwords are stored in /etc/passwd or /etc/shadow, encrypted?


    No. A one-way hash of each password is stored.

    > but the decrypting sequence is also stored in the system, or not even the
    > system could read it.


    The password cannot be recovered from the one-way hash. It does not
    contain enough information. The system hashes the password you type in
    with the same algorithm that was used to generate the stored hash and
    compares the two hashes.

    > ending, boot recovered computer, set new password for root and for all
    > users.


    You did not recover the password. You replaced it with a new one.
    --
    John Hasler
    john@dhh.gt.org
    Dancing Horse Hill
    Elmwood, WI USA

  16. Re: Regarding sudo

    John Taylor escreveu:
    > As Nico said - the password is NOT stored on the system.


    ArameFarpado writes:
    > Wrong...it is just not stored the way you have typed it.


    Only a one-way hash is stored.

    > once having the encrypting sequence, you can encrypt and decrypt if youdo
    > sequence in backwords.


    Not true. The hash algorithm destroys information. The hash does not
    contain enough information to reconstruct the password. This is all well
    documented on-line. Please go and read up on it.
    --
    John Hasler
    john@dhh.gt.org
    Dancing Horse Hill
    Elmwood, WI USA

  17. Re: Regarding sudo

    ArameFarpado wrote:
    > Em Quinta, 12 de Julho de 2007 13:26, John Taylor escreveu:
    >
    >> As Nico said - the password is NOT stored on the system.

    > Wrong...it is just not stored the way you have typed it.
    >
    > the pass is stored encrypted and also the encrypting sequence... now add
    > 2+2.


    So you you haven't heard of asymmetric encryption, message digests or
    checksums ?



    >
    >> There is no way to decrypt the information to recover a password.
    >> (except by brute force password guessing - and you would need to have
    >> privileged access to the system to do this).
    >>
    >> The system checks that you have entered the correct password, by
    >> encrypting it in the same way as the key and then checking it matches.

    > once having the encrypting sequence, you can encrypt and decrypt if youdo
    > sequence in backwords.
    >


    You are just making yourself look more stupid every time you post.

    I suggest you get a good book on linux security and do some research
    before you post again.

    Many websites publish downloads along with an MD5 checksum
    e.g.:

    http://security.debian.org/dists/sta...slink2.diff.gz
    MD5 checksum: 606f893869069eee68f4c1e31392af29

    You run a checksum program on the downloaded file, and check that it
    matches the supplied MD5 checksum key.

    Thats the same way that linux checks your password.

    If, as you say you can decrypt the stored key, to get the original
    password, please decrypt the following MD5 checksum:
    59afe4be5fcd17c20d241633a4a3d0ac

    It is source code, so you will be able to tell that you are getting
    close when you see plain text appearing.

    The MD5 algorithm, and many sample implementations are published all
    over the net, so this shouldn't give you any trouble.

    now add 1+1 - you seem to be struggling with 2+2


    JohnT

  18. Re: Regarding sudo

    ArameFarpado writes:
    > ...there is no root acount (blocked by default).


    There is a root account. It is root logins that are blocked.

    > when using that program to change the password, first the user is asked
    > to type the actual password, and that program can check if the typed pass
    > match the stored pass to move on... if this program can do it, why can't
    > others ?


    Any program can test the validity of a given password. That doesn't matter
    because finding a valid password by trial and error would take a billion
    years.

    > i can't believe you guys don't see a exploit here, well i do, and a big
    > one.


    This system was developed more than forty years ago by the guys that
    developed Unix. The only change made during that time was the introduction
    of /etc/shadow. Think about it.

    > imagine a trojan changing your own pass to "cracked" and start using
    > sudo...


    The program cannot change your password without already knowing it. It
    cannot know your password unless you tell it.
    --
    John Hasler
    john@dhh.gt.org
    Dancing Horse Hill
    Elmwood, WI USA

  19. Re: Regarding sudo

    On Thu, 12 Jul 2007 08:05:17 -0500, John Hasler wrote:

    >
    > Any program can test the validity of a given password. That doesn't matter
    > because finding a valid password by trial and error would take a billion
    > years.
    >


    >

    Pardon me for butting in, but I only want to add one clarification to what
    you have written above. Cracking a password by trial and error _can_ take
    a long time, that is, if the password has been properly chosen. A password
    that is not properly chosen might be easy to break, using a dictionary
    attack, etc. There are guidelines online which explain how to choose a
    difficult to crack password. The passwd program I have used must do some
    checking before setting the password, because the message, "Warning, weak
    password" will popup if the password doesn't meet the requirements.

    You also alluded to the 40 year history of the *nix system security,
    which was designed with multiple users in mind from the beginning.

    I have summarized a few of the key principles of *nix system security that
    I have learned so far.

    1. A normal user cannot damage the critical system files. Damage done by
    users will be confined to his own files.

    2. Sudo (and su users) should be educated to understand and follow good
    security practices (have a good password, only use root "power" when
    necessary, etc.) The root account is capable of causing great damage
    to the system, including total destruction of the filesystem.

    3. The *nix system protects critical system files from unauthorized access
    by the non-root users of a system while the system is operating. The
    file /etc/shadow has permissions which prevent simple users from reading
    its contents, except for root. AIUI, the login service is started by root
    at boot. That service reads /etc/shadow and uses it to authorize new users.

    4. The system can deploy a newtork firewall to protect network services
    from unauthorized access. Rate limited firewalls are useful in stopping
    brute force attacks.

    5. Prohibit simple password authentication via ssh. The public/private
    keys used by ssh for certificate authentication is preferable to passing
    passwords or password hashes over a network.

    6. Protect system backups. The complete system backup may be vulnerable
    to theft while it is in storage. For this reason, encrypting backups is a
    good idea, IMO.


    Again, this is not a comprehensive list, just some things that came to
    mind, off the top of my head.

    --
    Douglas Mayne

  20. Re: Regarding sudo

    Em Quinta, 12 de Julho de 2007 13:53, John Taylor escreveu:

    > You are just making yourself look more stupid every time you post.

    hey wowwwww, don't start being rude cause i can do that too... believe it.

    >
    > You run a checksum program on the downloaded file, and check that it
    > matches the supplied MD5 checksum key.
    >
    > Thats the same way that linux checks your password.
    >

    wait... i've been lunching, thinking and after that, done some tests...

    ok, i was WRONG in a point, but NOT in the way YOU point:

    one thing at a time... your point first

    don't compare those md5sum to the encrypted passwords, ok?, because:

    --one side we have a 1gb image ashed to a 40 caracter string, it is not
    possible to place all the info in that string (compression would be more
    efective then), so there is got to be lots and lots of diferente 1gb
    imagens that generates the same summary string.

    --the other side whe have passwords, and they are small strings, and let's
    face it, we can't have 1000 diferent passwords all generating the same hash
    can't we? would that be secure? no way!
    so, picking up a hash and turning it up-side-down, won't give you the
    password but it nerrows it to a small list of possibilities.

    don't tell me it can't be done, because if it wore true, there wore no such
    thing as password cracker programs, and i have a few for winblows and
    password protected documents... it takes a few seconds to crack a password
    of a MsOffice Word document, that is also encrypted.



    now! what did i misregard?...
    the kde program that changes user password that i've write before can not
    read the password hash... no program i start can do it because i can't
    read /etc/shadow and in /etc/passwd there is not a single hash anymore...
    and if i can't read the shadow file, none of my programs can do it.
    instead there is a program named "logger" running since boot with root
    permissions, and i guess that the kde program just sends the typed string
    to logger and logger returns the result (positive ou negative). (too bad i
    can't see what is going on between programs even if i start kcontrol in the
    console).
    So, ok, there is a strong step to bypass here, my program does not read the
    hash, it simply asks logger if the password is correct.
    So, a trojan would have here a strong barrier to bypass, unless it acts
    before like a spyware registing every typing the user typed before, even
    than it would have a lot of possibilies to try out.

    by the way, do we have a point when a user acount is blocked because of bad
    paswords? if so, how many wrong passwords are needed?
    I know windows does this after 3 or 5 wrong passwords, but never seen linux
    do it...


    Now, let's go back to man sudo because there is another point to discusss:
    ""Once a user has been authenticated, a timestamp is
    updated and the user may then use sudo without a password for a short
    period of time (15 minutes unless overridden in sudoers).""

    Once a sudoer uses sudo, he can do it again without password for some
    time...

    During this time, the trojan have a window of opportunity, and it only needs
    it once, since after gaining root previledges, he can change the user
    password then... don't forget that root can change users passwords without
    knowing them (i had to do that in my kids pc more than once, when they did
    mess around with there own passwords).
    Even not changing the password, during this time a trojan can change init,
    script booting sequence, settings, whatever... use your imagination...

    Regards



+ Reply to Thread
Page 1 of 3 1 2 3 LastLast