
#1 2011-01-09 21:48:49

hiushoz
Member
Registered: 2010-12-09
Posts: 41

A security question pertaining to disabling the root login. [SOLVED]

I've recently been configuring sudo and came across the following piece of advice:
https://wiki.archlinux.org/index.php/Su … root_login
After making my normal user a full fledged sudoer I followed the advice in the link above.

passwd -l root

worked beautifully without problems in spite of the warnings.

However on a hunch after going

ls -l /etc/passwd

I was dismayed to see that the permission of the file was 644 with owner root. Shouldn't the permission be 640? Otherwise why would a cracker try to guess who is a sudoer when you can look at /etc/passwd and see myname in the entries and go like "OK root's disabled this is the only other human user lemme see if I can crack this..."

Like I would have changed the permission on /etc/passwd to 640, but since I'm far from an expert I want to know if this is safe to do / whether there are any unintended consequences for doing so. Furthermore, even if I can do that, the cracker will then proceed to search for all users who are members of the wheel group. I don't know what command would do this, but clearly there must be a way the OS keeps track of which group has which members. Even if it's possible to safely change the permission of /etc/group to 640 or 600 I don't think it's a good idea, because the cracker will still attempt to find all members of the wheel group, because wheel is universal to Linux.

My next worry is /etc/shadow. The good news is the permission there is 600. However there may be other files which can give away my username to the cracker besides /etc/passwd and /etc/group. If so, what are they? Can they be safeguarded?

All in all, was disabling root a good idea? I still want my normal user to have sudo powers for convenience. But even so, if I am right about /etc/passwd then following the advice there simply makes the job one step longer for el cracker muy malo. Can you guys clue me in as to whether or not /etc/passwd can be safeguarded without consequence and what is going on with this whole thing?

Last edited by hiushoz (2011-01-10 05:08:03)


#2 2011-01-09 22:14:13

skunktrader
Member
From: Brisbane, Australia
Registered: 2010-02-14
Posts: 1,543

Re: A security question pertaining to disabling the root login. [SOLVED]

hiushoz wrote:

Furthermore even if I can do that the cracker will then proceed to search for all users who are members of the wheel group. I don't know what command would do this but clearly there must be a way the OS keeps track of which group has which members.

grep wheel /etc/group

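The one-liner above answers the wheel question; the script below, an added example that is not part of the thread, goes a step further and shows what a local unprivileged user can actually read (human accounts from /etc/passwd, wheel membership from /etc/group) versus what needs root (the lock state of an account in /etc/shadow, which is where `passwd -l root` leaves its mark). The three account files are constructed inline so it runs offline; the names, UIDs and hash placeholders are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): what a local, unprivileged user can
# learn from the world-readable account files, and which question needs
# root because it lives in /etc/shadow. The three files below are
# constructed so the script runs offline; on a real system point PASSWD,
# GROUP and SHADOW at /etc/passwd, /etc/group and /etc/shadow instead.

WORK="${TMPDIR:-/tmp}/acctdemo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"; GROUP="$WORK/group"; SHADOW="$WORK/shadow"

# Constructed /etc/passwd: system accounts plus two humans (UID >= 1000)
# and a service account that has a high UID but no login shell.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc:x:1002:1002:service account:/var/lib/svc:/sbin/nologin
EOF

# Constructed /etc/group: alice is a supplementary member of wheel.
cat > "$GROUP" <<'EOF'
root:x:0:
wheel:x:10:alice
alice:x:1000:
bob:x:1001:
EOF

# Constructed /etc/shadow (mode 600 on a real box): root locked by
# `passwd -l` (hash prefixed with '!'), alice active, bob never given a
# password ('*'). Hash values are placeholders, not real crypt(3) output.
cat > "$SHADOW" <<'EOF'
root:!$6$placeholder$placeholder:15000:0:99999:7:::
alice:$6$placeholder$placeholder:15000:0:99999:7:::
bob:*:15000:0:99999:7:::
EOF

# Human login accounts: UID >= 1000 with an interactive shell.
# Readable by anyone, so hiding them via chmod buys nothing.
human_users() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$PASSWD"
}

# Members of wheel: the supplementary member list in /etc/group plus any
# account whose primary GID in /etc/passwd is wheel's GID.
wheel_members() {
    gid=$(awk -F: '$1 == "wheel" { print $3 }' "$GROUP")
    {
        awk -F: '$1 == "wheel" && $4 != "" {
                     n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$GROUP"
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$PASSWD"
    } | sort -u
}

# Lock state of an account from the shadow file: a hash field starting
# with '!' or '*' can never match a typed password. Only root can read
# the real /etc/shadow, which is the file that actually matters.
lock_state() {
    awk -F: -v u="$1" '$1 == u { if ($2 ~ /^[!*]/) print "locked"; else print "active" }' "$SHADOW"
}

echo "human users:   $(human_users | tr '\n' ' ')"
echo "wheel members: $(wheel_members | tr '\n' ' ')"
for u in root $(human_users); do
    echo "$u: $(lock_state "$u")"
done
```

On a live system `getent group wheel` and `id -nG alice` give the same answers as the two parsers (and also cover accounts that come from LDAP or another NSS source), which is the point: the usernames are not a secret. Note also that `passwd -l` does nothing but prepend `!` to the hash, so it blocks password logins only; a root SSH key in `/root/.ssh/authorized_keys` would still work, and `passwd -u root` (or editing `/etc/shadow` from a rescue system) reverses the lock if sudo ever breaks.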

#3 2011-01-09 22:26:28

sisco311
Member
From: Romania
Registered: 2008-05-23
Posts: 112

Re: A security question pertaining to disabling the root login. [SOLVED]

Why would you allow a cracker to login in the first place?


don't drink unwashed fruit juice.
i never make predictions, especially about the future.


#4 2011-01-09 22:38:43

hiushoz
Member
Registered: 2010-12-09
Posts: 41

Re: A security question pertaining to disabling the root login. [SOLVED]

Sisco, I wouldn't let a cracker log in. Nonetheless these things do happen. Like once I was sitting there minding my business from a Mandriva install when all of a sudden the firewall in the system tray alerted me that someone was attempting a port scan of my computer. Needless to say I was scared, so I chose the blacklist option.

What I'm just trying to understand is how much more secure disabling the root login makes you. Sure, a cracker would need to find the name of someone who is a sudoer and crack their account first, but if finding the name of the sudoer is trivial then there was no good reason to disable the root account except for the fact that one user with administrative power is better than two.

Also can I change the permissions of /etc/passwd and /etc/group from 640 to 600 without unintended consequences?

Last edited by hiushoz (2011-01-10 03:31:10)


#5 2011-01-09 22:59:16

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: A security question pertaining to disabling the root login. [SOLVED]

Portscans are pretty harmless if you aren't running any services (e.g. Apache, sshd). Run a firewall.

Are you the only user on your system? You say that you are worried a cracker will be able to find a username using files on the system... but to access these files they need to be logged in ;)


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)


#6 2011-01-09 23:09:26

hiushoz
Member
Registered: 2010-12-09
Posts: 41

Re: A security question pertaining to disabling the root login. [SOLVED]

dyscoria, so what you're saying is that even if I change the permissions of /etc/passwd and /etc/group to 646, to see the files they need to be logged in, OK. But if I understand the permissions system correctly, doesn't the third number dictate access for people that aren't the owner or part of the owner's group? Can you explain please?


#7 2011-01-09 23:28:35

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: A security question pertaining to disabling the root login. [SOLVED]

man acl

Again, an attacker would need to be logged in to access files.

Also, you should search google for whether changing the permissions for these files is a good idea or not.


#8 2011-01-10 02:23:14

ktemkin
Member
From: Binghamton
Registered: 2010-12-28
Posts: 6
Website

Re: A security question pertaining to disabling the root login. [SOLVED]

I don't think you'll be able to change the permissions without error. If I'm not very much mistaken, several user-space programs (like xterms) read that file to determine what your preferred shell is.

But if I understand the permissions system correctly doesn't the third number dictate access for people that aren't the owner or part of the owners group?

Yes, that's correct.  However, there's no mechanism for them to view the files. Users can't execute processes (including the shell and its commands) unless they've either logged into your computer or found an exploit somewhere. In the event that they've found the exploit, they're most likely already running in either kernel mode or as root, so your security has already been compromised.

You're probably confused because of the oft-used terminology 'world readable'. In reality, that means any local user.

Why would you allow a cracker to login in the first place?

I think this about sums it up, though I would like to elaborate on what's really being said here. There are several ways to give a cracker access to your computer; the most obvious being granting them a user account and letting them sit at your keyboard.  When you run a script or binary written by someone else, it's very close to the same thing. The program you're running can do everything you can.

Just as you wouldn't let someone you don't trust sit at your keyboard, you should only run scripts and binaries from users you trust, at least until you've gathered enough skill to scrutinize their contents. By installing the Arch distribution, it seems you already trust Arch and its repositories, so I wouldn't worry so much about those binaries.

Otherwise why would a cracker try to guess who is a sudoer when you can look at /etc/passwd and see myname in the entries and go like "OK root's disabled this is the only other human user lemme see if I can crack this..."

This is silly, for a number of reasons:

1) As above, the user would need to already be logged in as a local user.
2) There are dozens of other places where you can find lists of local users. Even if you were to change the permissions there, a cracker could easily find a list of probable human users by:
    -Listing the contents of /home/.
    -Reading the file /etc/group; this if anything is even more dangerous, as it hints at which users have administrative rights.
3) You're trying for security through obscurity. Instead of hiding the usernames, you should attempt to remove any vulnerabilities that would make knowing a username useful.

Perhaps you'd be better off preventing a brute force attack by monitoring /var/log/auth.log, perhaps with something like Fail2Ban?

Last edited by ktemkin (2011-01-10 02:23:38)

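ktemkin's closing suggestion, monitoring the auth log for brute-force attempts, is what Fail2Ban's sshd jail automates. The script below is an added example, not part of the thread or of Fail2Ban, that does the core of that job by hand: count failed SSH password attempts per source address and report the addresses over a threshold. The log excerpt is constructed inline (RFC 5737 documentation addresses, invented hostnames and PIDs) so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): the monitoring ktemkin points at,
# done by hand. Count failed SSH password attempts per source address in
# an sshd log and report the addresses over a threshold, which is the
# core of what Fail2Ban's sshd jail automates before it adds a firewall
# rule. The log lines are constructed here so the script runs offline;
# on a real machine feed it /var/log/auth.log, /var/log/secure or
# `journalctl -u sshd` output instead.

LOG="${TMPDIR:-/tmp}/authdemo.$$"
trap 'rm -f "$LOG"' EXIT

# Constructed OpenSSH log excerpt. 203.0.113.5 is guessing usernames and
# passwords; 198.51.100.7 is the legitimate user who mistyped once and
# then got in with a key. (RFC 5737 documentation addresses.)
cat > "$LOG" <<'EOF'
Jan 10 02:20:01 arch sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 02:20:03 arch sshd[2231]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jan 10 02:20:05 arch sshd[2233]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 10 02:20:07 arch sshd[2235]: Failed password for alice from 203.0.113.5 port 51250 ssh2
Jan 10 02:20:09 arch sshd[2235]: Failed password for alice from 203.0.113.5 port 51252 ssh2
Jan 10 02:21:00 arch sshd[2240]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jan 10 02:21:30 arch sshd[2242]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
EOF

# "count ip" lines, most active source first. Only sshd "Failed password"
# records count; the address is the token after "from".
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Addresses with at least $2 failures in log $1: the ban candidates.
offenders() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Which account names were tried, so you can see that "root" and the
# one real user both show up whether or not root is locked.
names_tried() {
    awk '/Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "for") {
                 u = $(i + 1); if (u == "invalid") u = $(i + 3); print u; break }
         }' "$1" | sort | uniq -c | sort -rn
}

echo "failures per source:"; failed_by_ip "$LOG"
echo "ban candidates (>= 3 failures):"; offenders "$LOG" 3
echo "usernames tried:"; names_tried "$LOG"
```

The `offenders` output is what a Fail2Ban action would hand to the firewall. The `names_tried` output illustrates the thread's actual conclusion: an attacker guesses `root`, common service names and any real username regardless of what /etc/passwd's mode is, so the controls that matter are rate limiting like this, key-only SSH authentication, and not running sshd at all on a desktop that doesn't need it.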

#9 2011-01-10 05:05:57

hiushoz
Member
Registered: 2010-12-09
Posts: 41

Re: A security question pertaining to disabling the root login. [SOLVED]

ktemkin thanks for the good explanation.


#10 2011-01-10 07:10:49

admiralspark
Member
From: Alaska, USA
Registered: 2011-01-07
Posts: 87

Re: A security question pertaining to disabling the root login. [SOLVED]

As mentioned before, if you're afraid of getting cracked by someone attempting electronic access to your computer, you should be running a firewall and keeping an eye on its log(s). If you're worried about someone who could obtain physical access to your computer, well, any decent cracker wouldn't bother trying to boot into your system---just like any one of us trying to recover a borked Windows install, this person could use a live Linux CD/USB to access the filesystems, copy over the contents, and leave with the files, which they can then chmod (etc.) at their leisure. If you're worried about sensitive data falling into the wrong hands, *encrypt your system!*


Team Ignition Kernel Developer
linux-ideapad developer/maintainer
Flame Kernel developer for Galaxy Nexus and Galaxy S3
Want a cheap, reliable VPS with AWESOME customer service?


Powered by FluxBB