More PATH fallout. Who decided this was a good idea?
Les Mikesell
lesmikesell at gmail.com
Mon Dec 8 17:27:06 UTC 2008
Stephen Gallagher wrote:
>
> Les Mikesell wrote:
>> Is attempting an access that the kernel routinely prevents considered a
>> violation? That is, if I type 'file /etc/*' on such a system should I
>> expect the black helicopters to start firing? I don't see how accesses
>> that are denied matter to anyone - or why anyone running the
>> shadow-tools utility without permission to access the relevant files
>> should bother anyone either.
>>
>
> Actually, yes. There are environments in which an administrator may set
> up heuristics to determine whether a user is attempting to probe the
> system for vulnerability. In the systems like this I've seen, one very
> common action to note is failed attempts by users to execute processes
> in /sbin or /usr/sbin. Seeing the same user attempt to execute every
> binary in one of those folders could be a clear sign that they are
> probing for misconfigurations to take advantage of.
But shouldn't the effort go toward making sure that there are no
vulnerabilities to take advantage of at all? If they aren't setuid, one
binary can't do anything that any other binary/interpreter can do. I
could understand tracking anything setuid but why bother with anything
else? You can access (or fail to access) all the same files/devices the
same way with shell redirection.
--
Les Mikesell
lesmikesell at gmail.com
More information about the fedora-devel-list
mailing list