On Wed, 4 Jun 2014 12:22:04 -0400
Nick <suckless-dev_AT_njw.me.uk> wrote:
> Well no. Think about sysadmins who have to allow users to run crappy
> PHP code on a shared server (so glad I'm not one of those people at
> the moment). An attacker can execute commands as a web user,
> probably far easier than brute-forcing an initial login. If they can
> then just copy a world readable /etc/passwd, they can do all the
> hash cracking offline. Which isn't possible if there's a /etc/shadow
> file that's unreadable to a web user. Unless I'm missing something,
> that's the value of the shadow system in a modern environment, when
> coupled with the problem that you can't necessarily trust that all
> users have very strong passwords. Plus your idea of what constitutes
> a 'strong' password is probably quite a few years out of date. I
> read a fun article on Ars Technica about how brute-force
> cracking is done nowadays; it's pretty smart!
> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
Okay, you convinced me. A shadow file definitely makes sense in a
multi-user system, and hashes of even strong passwords aren't as safe as
I thought.
Running a dictionary attack on the hashes directly is a smart move I
read about, but honestly didn't remember as well as I should have.
> That certainly seems to be true. After all, why get root on paypal's
> servers; the money is in any account that can access their database,
> which (probably at some levels of remove) is just an 'unprivileged'
> web user.
Yep, that's true! In many cases comfort is the biggest vulnerability in
modern web applications and services.
--
FRIGN <dev_AT_frign.de>
Received on Wed Jun 04 2014 - 18:36:26 CEST
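As an added example (not part of the thread above), a small Python audit of the point Nick makes: it flags accounts whose hash, or an empty password, sits in a world-readable passwd-format file, and checks that the shadow file's mode grants no read access to "other". The sample passwd text is constructed for the example; the shadow path is only read if it exists.

```python
import os
import stat

# Constructed sample (not from the thread): a passwd file that still carries a
# real hash for one account and an empty password for another, as on a system
# that never moved its hashes into /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
legacy:$6$saltsalt$NOTAREALHASHabcdefghijklmnopqrstuvwxyz0123456789:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
"""


def find_exposed_hashes(passwd_text):
    """Return (user, reason) pairs for entries whose password field holds
    something any local user could read and crack offline.

    'x' means the hash lives in the shadow file; '*' and '!...' mark locked
    accounts with no usable hash.  Anything else is either an empty password or
    a hash sitting in a world-readable file."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed line, not a passwd entry
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw != "x" and pw != "*" and not pw.startswith("!"):
            findings.append((user, "hash stored in world-readable passwd"))
    return findings


def shadow_mode_ok(mode):
    """True if a shadow file with this st_mode denies read access to 'other'."""
    return not (mode & stat.S_IROTH)


def shadow_file_protected(path="/etc/shadow"):
    """Stat the real shadow file; missing file counts as unprotected."""
    try:
        return shadow_mode_ok(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    for user, reason in find_exposed_hashes(SAMPLE_PASSWD):
        print(f"{user}: {reason}")
    print("shadow protected:", shadow_file_protected())
```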