begin quoting Rachel Garrett as of Wed, Apr 20, 2005 at 01:16:44PM -0700:
> On 4/20/05, Stewart Stremler <[EMAIL PROTECTED]> wrote:
> > begin quoting Rachel Garrett as of Wed, Apr 20, 2005 at 11:50:27AM -0700:
> >
> > > I am confused. If these single-user systems get attacked and
> > > compromised while they're running as root, the attacker can do a lot
> > > more to the system
> >                 ^^^^^^
> > That's a key word.
> >
> > The user _doesn't_ care about the *system*. That's easy to replace.
>
> If they know it needs replacing, sure.

Knowing or not doesn't make it any harder.
> > The user _does_ care about their *data*. That's not easy to replace.
> >
> > If the attacker trashes the user's data, it doesn't matter what
> > happens to the system.
>
> It matters to the attacker, who would probably love to keep the system
> looking "intact" to the user.

But if that's the intent, it doesn't matter what access the intruder has. In fact, if we resort to 'likely' scenarios, giving the attacker full access means that they're "more likely" to ignore the user's data; if they're restricted to _just_ the user's account, about all that's interesting to do there is to _mess_ with the user's data.

I really don't like bringing in probability in this way. It really hurts my *preferred* stance, which is to lock things down and practice good habits.

> > If the attacker trashes the system *and* the user's data, it's no
> > worse than trashing just the data.
>
> Well, now we're assuming an even more specialized case, in which this
> attacker is simply going to wreak havoc and make it obvious that he's
> done so. I don't think most attacks fall into this category.

Depends on the environment. Before it was so easy to compromise MSWindows boxes, viruses and trojans routinely trashed the systems instead of co-opting them. (And not accidentally.)

> > (The counter response seems to be 'well, the user does not have any
> > useful data anyway', but that's insulting to the user and arrogant
> > on our part.
>
> Look, Toto--it's a man! A man made out of *straw*!

Well, yes, that counter-response is pretty straw-like. But it *was* raised, in all apparent seriousness.

[snip]

> > When you check for a compromised system, you _ought_ to do so by booting
> > from clean media; if you trust anything on the potentially compromised
> > disk, you're fooling yourself. Failure to find evidence using
> > potentially compromised tools is not proof; neither is it all that
> > compelling as an indication.
>
> I thought we were talking about the sort of people who most likely
> aren't even going to be running checks on their system. If all that's

If they're not going to check, then what does it matter?

> been compromised is a user account, then the attacker can't go in and
> change stuff that the user would notice.

Actually, you can change a lot of stuff, and if you weren't incompetent as an intruder, the (single) user would likely not notice. _OTHER_ users on the system might notice strange extra processes showing up in the process list. But there aren't any on the system in question. The administrator might see that the compromised user is encroaching on his quota, but there isn't a real administrator.

> You don't have to be THAT
> bright to say, "Hey, this says I last logged in yesterday. I didn't
> even get on the computer yesterday. What's up with that?"

Why would they see that? Remember, this attacker managed to compromise your user account -- which means that you did something unsafe, like run untrusted code. So they're running as you, and started doing so while you were logged in. (Or are we talking about posting your password to your web-page by accident? That's an entirely different sort of compromise.)

> > Plus, if you compromise the only user-account on the system, you can
> > also hide the evidence from _that_ user --
>
> But it's harder to do.

Not _that_ much harder. Really. In fact, it may be *easier* than the let's-hide-evidence-as-root case.

> > > This has been pointed out here more than once. Why is this
> > > *not* a refutation of the idea that there's no security problem
> > > running as root in a single-user system?
> >
> > Because *any* compromise of a single-user system is effectively a full
> > compromise, so far as the user in question is concerned.
>
> Assuming they know about it?

Whether or not they know about it, it's still effectively a full compromise.

-Stewart "When the user uses sudo or su, the intruder gets root!" Stremler
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
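The signature line makes a concrete claim: an intruder holding only the user's account gets root the next time that user runs sudo or su. What follows is an added example, not code from this thread or from anyone on the list. It constructs a sample ~/.bashrc and a sample PATH (both invented for the demo) showing the two usual ways a user-level foothold turns into root, and the two checks a single user could run for them. The file contents, function names and PATH string are all assumptions.

```shell
#!/bin/sh
# Added example, not part of the kplug-list thread. Demonstrates the
# signature line: an intruder who holds only the user's account gets root
# the next time the user types `sudo` or `su`, because the user's own
# shell start-up files and PATH are writable by that account. Everything
# below (file contents, names, PATH string) is constructed for the demo.

# Constructed ~/.bashrc an intruder with user-level access might leave
# behind. It is only written to a temp file so the checks have something
# to inspect; the wrapper is never sourced or run here. /bin/true stands
# in for whatever the intruder would really run with the user's root
# privileges.
make_sample_rc() {
    cat > "$1" <<'EOF'
# ordinary user settings
export EDITOR=vim
alias ll='ls -l'
# planted: shadows /usr/bin/sudo, runs the intruder's command as root,
# then runs what the user asked for so nothing looks unusual
sudo() { command sudo /bin/true; command sudo "$@"; }
export PATH="$HOME/.local/bin:$PATH"
EOF
}

# Check 1: does an rc file redefine sudo or su as an alias or a shell
# function? Prints the offending lines (with line numbers); returns 0 if
# clean, 1 if anything was found.
find_sudo_shadows() {
    hits=$(grep -nE \
      '^[[:space:]]*(alias[[:space:]]+(sudo|su)=|function[[:space:]]+(sudo|su)([[:space:]]|\(|\{|$)|(sudo|su)[[:space:]]*\(\))' \
      "$1" 2>/dev/null || :)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Check 2: which PATH entries are searched before /usr/bin (or /bin) and
# can be populated by the user, hence by an intruder running as the user?
# Empty entries, ".", and anything under the home directory qualify; a
# trojaned `sudo` or `su` dropped there wins the lookup. Arguments are the
# PATH string and the home directory. Prints the entries; returns 0 if
# clean, 1 otherwise. Runs in a subshell so IFS and globbing are restored.
risky_path_entries() (
    IFS=:; set -f; found=0
    for entry in $1; do
        case "$entry" in
            /usr/bin|/bin) break ;;
            ""|.|"$2"|"$2"/*) printf '%s\n' "${entry:-(empty)}"; found=1 ;;
        esac
    done
    exit $found
)

# Stand-alone demo: inspect the constructed rc file and the live PATH.
demo() {
    rc=$(mktemp)
    make_sample_rc "$rc"
    if find_sudo_shadows "$rc"; then
        echo "rc file: no sudo/su shadowing"
    else
        echo "rc file: sudo/su shadowed by the line(s) above"
    fi
    rm -f "$rc"
    if risky_path_entries "$PATH" "$HOME"; then
        echo "PATH: nothing user-writable ahead of /usr/bin"
    else
        echo "PATH: user-controlled entries above are searched before /usr/bin"
    fi
}
demo
```

Both checks are run by the possibly compromised account, with the possibly compromised shell and grep, so a clean result is exactly the kind of "failure to find evidence using potentially compromised tools" the quoted paragraph warns is not proof; they only tell a user that something is wrong, never that nothing is.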
