[CentOS] Another Fedora decision

Wed Feb 4 22:55:32 UTC 2015
Warren Young <wyml at etr-usa.com>

> On Feb 4, 2015, at 3:16 PM, Lamar Owen <lowen at pari.edu> wrote:
> 
> On 02/04/2015 04:55 PM, Warren Young wrote:
>> Unless you have misconfigured your system, anyone who can copy /etc/shadow already has root privileges. They don’t need to crack your passwords now. You’re already boned.
> 
> Not exactly.
> 
> There have been remotely exploitable vulnerabilities where an arbitrary file could be read

CVEs, please?

I’m aware of vulnerabilities that allow a remote read of arbitrary files that are readable by the exploited process’s user, but for such an exploit to work on /etc/shadow, the process has to be running as root.

Most such vulns are against Apache, PHP, etc., which do not run as root.

One of the biggest reasons for the mass exodus from Sendmail to qmail/exim/postfix/etc was to get away from a monolithic program that had to run as root to do its work.

> If you can somehow ...get, say, httpd to return a copy of /etc/shadow

httpd doesn’t have permission to read /etc/shadow, two ways.  First, it’s not running as root, and second, you’re running SELinux, *RIGHT*?  The default configuration of SELinux on CentOS won’t let httpd read *anything* outside its normal service directories.

But of course the same people fighting this move to more secure password minima are the same ones that turn off SELinux.

> Now, I have seen this happen, on a system in the wild, where the very first thing the attacker did was grab a copy of /etc/shadow...
> 
> Further, lists of usernames and passwords have market value.

Of course.  But that’s a different thing than we were discussing.
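The two conditions Warren leans on above (that /etc/shadow is unreadable to anything but root, and that httpd's workers run unprivileged and confined by SELinux) are easy to verify on a host. The script below is an added example and not part of the thread or of any CentOS tooling; the function names are hypothetical, and the `ps` and `getenforce` output it consumes is constructed sample data so it runs offline. It assumes the CentOS default of `root:root` mode 000 for /etc/shadow and also accepts the Debian-style `root:shadow` mode 640.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Defender-side checks for the assumptions in the discussion above:
#   1. /etc/shadow is owned by root and not group/world readable.
#   2. httpd child processes (the ones that handle requests) do not run as root;
#      only the listener that binds port 80 should.
#   3. SELinux is enforcing and httpd runs in the httpd_t domain.
# The sample data below is constructed; on a real host feed the functions with
#   stat -c '%a %U %G' /etc/shadow
#   ps -eo user,pid,ppid,comm
#   getenforce, and the context column of ps -eZ

# shadow_perms_ok MODE OWNER GROUP
# Returns 0 for the CentOS default (root:root 000) or Debian-style
# (root:shadow 640) ownership; anything else (e.g. world-readable 644) fails.
shadow_perms_ok() {
    mode=$1; owner=$2; group=$3
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        000|0000) return 0 ;;
        640|0640)
            if [ "$group" = "root" ] || [ "$group" = "shadow" ]; then
                return 0
            fi ;;
    esac
    return 1
}

# httpd_root_workers < ps_output
# Reads `ps -eo user,pid,ppid,comm` lines on stdin and prints how many httpd
# processes run as root while NOT being the top-level listener (ppid != 1).
# Expected value on a correctly configured CentOS box: 0.
httpd_root_workers() {
    awk '$4 == "httpd" && $1 == "root" && $3 != 1 { n++ } END { print n+0 }'
}

# httpd_confined ENFORCE_MODE CONTEXT
# Returns 0 only when SELinux reports "Enforcing" and the httpd process
# context carries the httpd_t domain (system_u:system_r:httpd_t:s0).
httpd_confined() {
    mode=$1; ctx=$2
    [ "$mode" = "Enforcing" ] || return 1
    case "$ctx" in
        *:httpd_t:*) return 0 ;;
    esac
    return 1
}

# Constructed sample `ps -eo user,pid,ppid,comm` output: a root listener,
# two normal workers, and one misconfigured worker still running as root.
SAMPLE_PS='USER     PID  PPID COMMAND
root     912     1 httpd
apache   915   912 httpd
apache   916   912 httpd
root     950   912 httpd'

# Constructed output from a healthy host, for comparison.
CLEAN_PS='USER     PID  PPID COMMAND
root     912     1 httpd
apache   915   912 httpd
apache   916   912 httpd'

# Stand-alone report using the constructed data.
if shadow_perms_ok 000 root root; then
    echo "/etc/shadow: ok (root-only)"
else
    echo "/etc/shadow: READABLE BY NON-ROOT, fix ownership/mode"
fi
echo "httpd workers running as root (sample): $(printf '%s\n' "$SAMPLE_PS" | httpd_root_workers)"
if httpd_confined Enforcing system_u:system_r:httpd_t:s0; then
    echo "httpd: SELinux enforcing, confined to httpd_t"
else
    echo "httpd: NOT confined by SELinux"
fi
```

The worker check deliberately ignores the parent with ppid 1: Apache's listener must start as root to bind port 80 and then forks request handlers as the `apache` user, so a root-owned child is the thing worth alerting on, not the root-owned parent.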