Quoth FRIGN:
> Before he gets in, he still has to run a brute-force/dictionary-att. on
> all users. He wouldn't have much time if the admins have done their
> jobs.
Well no. Think about sysadmins who have to allow users to run crappy
PHP code on a shared server (so glad I'm not one of those people at
the moment). An attacker can execute commands as a web user,
probably far easier than brute-forcing an initial login. If they can
then just copy a world readable /etc/passwd, they can do all the
hash cracking offline. Which isn't possible if there's a /etc/shadow
file that's unreadable to a web user. Unless I'm missing something,
that's the value of the shadow system in a modern environment, when
coupled with the problem that you can't necessarily trust that all
users have very strong passwords. Plus your idea of what constitutes
a 'strong' password is probably quite a few years out of date. I
read a fun article on Ars Technica about how brute-force
cracking is done nowadays; it's pretty smart!
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
> Moreover, with less and less suid-programs in the base, root-exploits
> become more and more unlikely and attacks nowadays are more directed at
> system-services from the outside.
That certainly seems to be true. After all, why get root on paypal's
servers; the money is in any account that can access their database,
which (probably at some levels of remove) is just an 'unprivileged'
web user.
Nick
Received on Wed Jun 04 2014 - 18:22:04 CEST
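One way to audit the property Nick is relying on, as an added example that is not part of the thread: it flags /etc/passwd entries whose password field holds a hash instead of the shadow placeholder, and reports a shadow file that grants read access to 'other'. The sample passwd content and its hash value are constructed for the example.

```python
import os
import stat

# Constructed sample /etc/passwd content (not from any real host). "x" means
# the hash lives in /etc/shadow; the third entry carries a hash in field 2,
# which is exactly what a world-readable passwd file would hand to an
# unprivileged reader for offline cracking.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
legacy:$6$saltsalt$CONSTRUCTEDHASH:1001:1001::/home/legacy:/bin/sh
"""

# Values that mean "no hash stored here"; anything else is treated as a hash.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", ""}

def hashes_in_passwd(passwd_text):
    """Return usernames whose passwd field is not a shadow placeholder."""
    leaked = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:          # malformed line, skip rather than guess
            continue
        if fields[1] not in SHADOW_PLACEHOLDERS:
            leaked.append(fields[0])
    return leaked

def shadow_world_readable(mode):
    """True if st_mode grants read access to 'other' (mode 0o644 does, 0o640 does not)."""
    return bool(mode & stat.S_IROTH)

def audit(passwd_text, shadow_mode):
    """Combine both checks into a list of findings; empty list means clean."""
    findings = [f"hash for '{u}' stored in passwd, readable by everyone"
                for u in hashes_in_passwd(passwd_text)]
    if shadow_world_readable(shadow_mode):
        findings.append("shadow file is world-readable (mode %o)"
                        % stat.S_IMODE(shadow_mode))
    return findings

if __name__ == "__main__":
    # Against the live system; os.stat() on /etc/shadow needs no read
    # permission on the file itself, so this runs as an ordinary user.
    with open("/etc/passwd") as f:
        live_passwd = f.read()
    live_mode = os.stat("/etc/shadow").st_mode
    for finding in audit(live_passwd, live_mode) or ["no findings"]:
        print(finding)
```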