Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!zaphod.mps.ohio-state.edu!samsung!think!cayman!peter
From: peter@cayman.COM (Peter Schmidt)
Newsgroups: comp.unix.wizards
Subject: Re: NFS Security Problems - What are they? - Can they be fixed?
Summary: Even kerberos security only goes (used to?) so far
Keywords: mrroot can be your friend
Message-ID: <4166@cayman.COM>
Date: 1 Dec 89 02:11:11 GMT
References: <21550@adm.BRL.MIL> <1989Nov29.091254.5357@athena.mit.edu>
Reply-To: peter@cayman.UUCP (Peter Schmidt)
Followup-To: comp.unix.wizards
Distribution: na
Organization: Cayman Systems
Lines: 80

In article <1989Nov29.091254.5357@athena.mit.edu> jik@athena.mit.edu (Jonathan I. Kamens) writes:

[several well-illustrated paragraphs on two common NFS security problems]

>   Example (yes, another one :-): We have over 1000 private
> workstations at Project Athena. They all have the root password
> 'mrroot'. Everybody (including everybody reading this message :-)
> knows that root password. So what? All services outside of the
> workstation are Kerberos-authenticated, so becoming root on the
> workstation is not a gain in access. It does, however, enable people
> (if they are smart enough to know how; then again, we have a saying
> here at MIT that "security by obscurity is no security") to do nasty
> things to other sites that do respect root privileges, like the NFS
> hacks described above.
>

Does Kerberos do *all* authentication, or does it concern itself solely
with logins? I ask because I had all my files (including bachelor's
thesis data) 'rm -r'd by a cheesy little hacker (pejorative meaning here)
from my dorm at MIT. That was in the spring of 1988, in the Next House
Athena Cluster. Looking at the tracks the custard-head left behind - from
lastcomm and my .history (!) - it seems he used the following procedure:

1) He noted that I was logged into a workstation remotely (not encouraged
   at Athena, but possible with the cooperation of someone at the console.
   I had logged in on the console, enabled remote login, and gone to my
   lab, where I logged in remotely to run some trials. Evidently, I was
   logged out of the console by someone soon after I left.)

2) He su'd to root with the 'mrroot' password.

3) He su'd *to me*.

4) He typed 'rm *', and when this didn't accomplish his goal, he did a
   'man rm'. (I'd be laughing now, but it still makes me mad.)

5) He typed 'rm -r *', did an 'ls' to check his success, and then typed
   'logout'.

6) He typed 'exit', and logged out of the workstation.

Note that the success of this attack hinged on step 3, and this is where
my question comes from. When I examined the /etc/passwd on the machine, I
found my complete entry had been downloaded. I assumed at the time
(someone from Athena feel free to elucidate) that Kerberos downloads the
/etc/passwd entry at login time, so that it won't have to be bothered with
authentication requests from 'su's, and so that code that expects to find
data in /etc/passwd doesn't break. I find this to be a rather large hole
for a system that touts its security. And note that the attacker was not
particularly smart - his grasp of Unix didn't extend much beyond 'rm',
'ls' and 'su'.

Please understand that this isn't a flame at the Athena folks - I was
manager of the Next House Cluster, and I highly respect the people in
charge of the zoo. When I reported the attack, several people helped
track down what happened, and they made a special effort to retrieve my
files from tape (they weren't all there, but another weekend with the
11/750 in the lab reproduced the thesis data).

Techniques for secure distributed computing systems exist, but they are
uniformly computationally expensive, since they rely on public-key
encryption. Sun will sell you a secure NFS, but even with a DES chip to
do the hard work, it is still a lot slower than the standard version. I
kind of see that as an evolutionary constraint that encourages maturity
in the network community - if we cooperate and are polite, then everyone
wins (Gorbachev networking ;-). It's worked pretty well so far.

Regards,

Peter H. Schmidt, MIT c/o '89

(P.S. for those of you wondering, I didn't haul the guy up on charges
because all we had/have is circumstantial evidence, and though I would
have loved to have him charged under Federal law, I had a *thesis* to
finish. I haven't forgotten, though...)

--
Cayman Systems Inc.   | peter@cayman.com
26 Landsdowne St.     | ...harvard!mit-nc!winter!pschmidt
Cambridge, MA 02139   | (617) 494-1999
                      | -- Speaking for myself.
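The step the post singles out (root using `su` to become an ordinary user, which asks for no password and consults no Kerberos ticket) leaves a distinctive trail in per-tty process records. The following detector is an added example, not part of the original post or of Athena's tooling; the four-column record format and the sample session are constructed for the example and are not real `lastcomm` output.

```python
import re

# Constructed session records (assumed format, not real lastcomm output):
# time, tty, effective user, command line. The ttyp1 session mirrors the
# sequence described in the post; ttyp2 is an ordinary root session.
SAMPLE_LOG = """\
21:02 ttyp1 peter  rlogin
21:05 ttyp1 peter  su root
21:05 ttyp1 root   su peter
21:06 ttyp1 peter  rm *
21:07 ttyp1 peter  man rm
21:08 ttyp1 peter  rm -r *
21:08 ttyp1 peter  ls
21:09 ttyp1 peter  logout
21:09 ttyp1 root   exit
21:00 ttyp2 alice  su root
21:01 ttyp2 root   ls /etc
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse(log):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"time": m[1], "tty": m[2], "user": m[3], "cmd": m[4]}

def is_recursive_rm(argv):
    # rm with any flag cluster containing r/R (-r, -rf, -R ...)
    return argv[:1] == ["rm"] and any(
        a.startswith("-") and "r" in a.lower() for a in argv[1:])

def find_root_to_user_su(records):
    """Report every root -> non-root 'su' per tty, plus the recursive rm
    commands the impersonated user ran before logging out."""
    findings, active = [], {}          # active: tty -> open finding
    for r in records:
        argv, tty = r["cmd"].split(), r["tty"]
        if r["user"] == "root" and argv[:1] == ["su"] and argv[1:2] not in ([], ["root"]):
            f = {"tty": tty, "time": r["time"], "victim": argv[1], "destructive": []}
            findings.append(f)
            active[tty] = f
        elif tty in active and r["user"] == active[tty]["victim"]:
            if argv[:1] in (["logout"], ["exit"]):
                del active[tty]          # impersonated shell ended
            elif is_recursive_rm(argv):
                active[tty]["destructive"].append(f"{r['time']} {r['cmd']}")
    return findings

if __name__ == "__main__":
    for f in find_root_to_user_su(parse(SAMPLE_LOG)):
        print(f"{f['tty']} {f['time']}: root became {f['victim']}; "
              f"recursive rm: {f['destructive'] or 'none'}")
```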