
Re: Small Bug



On Wed, 15 Mar 2000, Marcus Brinkmann wrote:

> > This is wrong.
> > The "model" is that an external user does NOT have access to the full
> > list of user names.
> 
> No. This is not the usual Unix security model. If you have users with
> shell account, /etc/passwd is a file readable by the public. This file
> contains the user names.

I believe he meant that a user of a foreign system, without access to the
targeted system, should not be able to find out anything about accounts
on the targetted system.  Currently, such a user could simply walk up to a
login> prompt on a hurd box and get the same information that any valid
user on the hurd box could get.

I would understand that to be a security threat.  Just 'cause they don't
get the passwords ('cause they're either crypted or in /etc/shadow)
doesn't mean they still don't have any information on how to compromise
the box.

Having a user name is an important step in cracking an account open.

> What you suggest is a mail server without shell access. Only in this
> restricted case you can make the point that user names should not be
> leaked. But this is a very special setup, which is far beyond the
> purpose of a general software distribution like Debian is.

Yes and no.  Debian can be configured to be such (as, really, can any
distribution), but it's not Debian's primary intent, IMHO.  Personally, as
a sysadmin, I don't really see a problem with having e-mail addresses
consist of real names and usernames consist of some other combination.
I.e.: I don't see any problem (save ease of administration) with having my
username being gkade and my email being Gregory.Ade@someplace.com.  It's
just simpler not to.  Now, whether or not it's helpful to security is
another issue.

> > All non-user accounts are locked and accessible only via 'sudo'.
> You must not have user accounts if you are paranoid.

Wouldn't "non-user" accounts be things like daemon, bin, adm, and such?

> Do you force people to use scrambled user names like "sdj1A.f"?

God, I hope not.  It's bad enough when people put their passwords on
sticky-notes on their monitors, but giving them a username that looks like
an auto-generated password would be about as effective as not having
passwords in the first place.  The cleaning crew could log in and do some
serious damage, just by reading all the sticky-notes on people's monitors.

At any rate, I have to admit, too, that having a login shell is a bit of a
twist from the traditional way of doing things.  I am beginning to
understand that part of the purpose of the Hurd is to get rid of old
habits.  However, I can understand when you really don't want to divulge
any information at all at the login prompt.  One prime example would be at
a University computing lab.  In my experiences, students are always trying
to figure out a way to get access to resources they aren't supposed to
have.  This was almost trivial on the windows networks, because of poor
security, but much more difficult in the unix labs.  Sure, students that
already had user accounts on the unix systems could get account
information, but students who didn't have access and wanted to try hacking
had nowhere to start from.  In this environment, having a login> shell
prompt would give away too much information, IMHO, especially since most
computer labs I've seen aren't supervised unless there's a class in
session. (you had to check in and out of the lab complex through one door,
though.)

Sorry for the long-winded message... Basically, I think it boils down to
the fact that different people have different methods of making it more
difficult for someone to hack a machine.  Not giving attackers any clues
about user accounts is a good first step.  Lots of other things need to be
done, too, though, to really secure a system.  However, a lot of people
give up if it's not easy enough.  So long as we can switch out or modify
the login method, I don't think it really matters *how* the console
presents itself (having not yet installed telnetd, I don't know what it
looks like when you telnet to a hurd box)

-- 
Gregory Ade <gkade@bigbrother.net>
Find PGP public key at http://www.pgp.com (Key ID 0x63B57600)
#include <standard/disclaim.h>
procmail(1) is your friend.

