On Sun, Jan 16, 2005 at 10:36:46PM +0200, Stefanos Harhalakis wrote:
> On Sunday 16 January 2005 22:24, Justin Pryzby wrote:
> > On Sun, Jan 16, 2005 at 09:51:44PM +0200, Stefanos Harhalakis wrote:
> > > Package: login
> > > Version: 1:4.0.3-30.7
> > > Severity: critical
> > > Tags: security
> > > Justification: root security hole
> > >
> > > It seems that /var/log/btmp is created as a world readable file.
> > > This is insecure (and it is reported by 'tiger') because this file
> > > contains failed logins, including unknown usernames.
> >
> > Aren't the usernames always visible in /etc/password?
> >
> > > It is possible for a user to see the root password (and others too)
> > > by running /usr/bin/lastb.
> >
> > lastb isn't showing me any passwords; just valid usernames as seen in
> > passwd and dates.
>
> It also contains unknown usernames.

Really?

$ strings /var/log/btmp
UNKNOWN
pryzbyj
root
UNKNOWN
$ lastb
UNKNOWN          Sun Jan 16 15:40 - 15:40  (00:00)
root             Sun Jan 16 15:21 - 15:21  (00:00)
pryzbyj          Wed Jan 12 13:25 - 13:25  (00:00)
UNKNOWN          Wed Jan  5 11:22 - 11:22  (00:00)

btmp begins Wed Jan  5 11:22:54 2005

Justin
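The check behind the report above, written as an added example that is not part of the bug thread or the login package: a small audit function that inspects the mode of a btmp-style file and flags it when anyone other than the owner can read it. It assumes GNU coreutils stat (-c) and takes the file path as an argument so it can be run against a constructed file instead of the live log.

```sh
#!/bin/sh
# Added example (not from the original thread). Audits whether a failed-login
# log such as /var/log/btmp is readable beyond its owner. lastb reads this
# file, so readable bits for group or others expose failed-login records.
# Assumes GNU coreutils: stat -c '%A' prints symbolic mode, e.g. -rw-r--r--.
#
# Return codes: 0 = owner-only readable, 1 = group- or world-readable,
#               2 = file missing.
btmp_audit() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "$f: missing"
        return 2
    fi
    perm=$(stat -c '%A' "$f")          # e.g. -rw-r--r--
    owner=$(stat -c '%U:%G' "$f")      # e.g. root:utmp
    # Character 5 is the group read bit, character 8 the "other" read bit.
    group_r=$(printf '%s' "$perm" | cut -c5)
    other_r=$(printf '%s' "$perm" | cut -c8)
    if [ "$other_r" = "r" ]; then
        echo "$f is $perm ($owner): world readable; suggested fix: chmod 0600 $f"
        return 1
    fi
    if [ "$group_r" = "r" ]; then
        echo "$f is $perm ($owner): group readable; confirm the group is intended"
        return 1
    fi
    echo "$f is $perm ($owner): ok"
    return 0
}

# Stand-alone use: audit the real log (read access to the path is needed).
[ -n "$1" ] && btmp_audit "$1"
```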