The World of OpenWrt: Raspberry Pi 3B [Router] Shifting the Stars, Turning the Dipper《4.3》Hacker B.I

What counts as a 'security problem'? Asked that vaguely, the question cannot be answered. Take, for instance, the 'anonymous' user in Unix:

nobody (username)

In many Unix variants, "nobody" is the conventional name of a user account which owns no files, is in no privileged groups, and has no abilities except those which every other user has. Some systems also define an equivalent group "nogroup".

Uses

  • The pseudo-user “nobody” and group “nogroup” are used, for example, in the NFSv4 implementation of Linux by idmapd, if a user or group name in an incoming packet does not match any known username on the system.
  • It was once common to run daemons as nobody, especially servers, in order to limit the damage that could be done by a malicious user who gained control of them. However, the usefulness of this technique is reduced if more than one daemon is run like this, because then gaining control of one daemon would provide control of them all. The reason is that processes owned by the same user have the ability to send signals to each other and use debugging facilities to read or even modify each other's memory. (On Linux the Yama ptrace_scope sysctl can restrict same-user ptrace attach, but signals and shared ownership of files and sockets remain, so the argument still holds.) Modern practice, as recommended by the Linux Standard Base, is to provide better security isolation by creating a separate user account for each daemon.[1]

 

Could one really say that 'compromising' it led to an 'information leak'?!

In complex systems, the 'purpose' of the 'design' and the 'result' of its 'use' often differ considerably!?

For example, the system 'administrator' takes a positive view of how the 'password file' evolved:

passwd

passwd is a tool on most Unix and Unix-like operating systems used to change a user’s password. The password entered by the user is run through a key derivation function to create a hashed version of the new password, which is saved. Only the hashed version is stored; the entered password is not saved for security reasons.

When the user logs on, the password entered by the user during the log on process is run through the same key derivation function and the resulting hashed version is compared with the saved version. If the hashes are identical, the entered password is considered to be correct, and the user is authenticated. In theory, it is possible for two different passwords to produce the same hash. However, cryptographic hash functions are designed in such a way that finding any password that produces the same hash is very difficult and practically infeasible, so if the produced hash matches the stored one, the user can be authenticated.

The passwd command may be used to change passwords for local accounts, and on most systems, can also be used to change passwords managed in a distributed authentication mechanism such as NIS, Kerberos, or LDAP.

Password file

The /etc/passwd file is a text-based database of information about users that may log into the system or other operating system user identities that own running processes.

In many operating systems this file is just one of many possible back-ends for the more general passwd name service.

The file’s name originates from one of its initial functions as it contained the data used to verify passwords of user accounts. However, on modern Unix systems the security-sensitive password information is instead often stored in a different file using shadow passwords, or other database implementations.

The /etc/passwd file typically has file system permissions that allow it to be readable by all users of the system (world-readable), although it may only be modified by the superuser or by using a few special purpose privileged commands.

The /etc/passwd file is a text file with one record per line, each describing a user account. Each record consists of seven fields separated by colons. The ordering of the records within the file is generally unimportant.

An example record may be:

jsmith:x:1001:1000:Joe Smith,Room 1007,(234)555-8910,(234)555-0044,email:/home/jsmith:/bin/sh

The fields, in order from left to right, are:[1]

  1. User name: the string a user would type in when logging into the operating system: the logname. Must be unique across users listed in the file.
  2. Information used to validate a user’s password; in most modern uses, this field is usually set to “x” (or “*”, or some other indicator) with the actual password information being stored in a separate shadow password file. On Linux systems, setting this field to an asterisk (“*”) is a common way to disable direct logins to an account while still preserving its name, while another possible value is “*NP*” which indicates to use an NIS server to obtain the password.[2] Without password shadowing in effect, this field would typically contain a cryptographic hash of the user’s password (in combination with a salt).
  3. user identifier number, used by the operating system for internal purposes. It need not be unique.
  4. group identifier number, which identifies the primary group of the user; all files that are created by this user may initially be accessible to this group.
  5. Gecos field, commentary that describes the person or account. Typically, this is a set of comma-separated values including the user’s full name and contact details.
  6. Path to the user’s home directory.
  7. Program that is started every time the user logs into the system. For an interactive user, this is usually one of the system’s command line interpreters (shells).
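As an added example (not code from the original page or from the article it quotes), the parser below reads records in the seven-field format just listed and runs the checks an auditor would apply to them: a second UID-0 account, several accounts sharing one UID (the point made above about running every daemon as nobody), a hash left in field 2 instead of "x", and a system account with an interactive shell. SAMPLE_PASSWD is constructed: its first six records are copied from listings on this page, the last three are planted problem cases.

```python
"""Parse /etc/passwd records and audit the account layout.

Added example, not code from the original page or from the cited
articles. SAMPLE_PASSWD is constructed: its first six records are copied
from listings on this page, the last three are planted problem cases.
"""
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
jsmith:x:1001:1000:Joe Smith,Room 1007,(234)555-8910,(234)555-0044,email:/home/jsmith:/bin/sh
# constructed problem cases (not from the page):
toor:x:0:0:second root:/root:/bin/bash
legacyd:x:65534:65534:legacy daemon running as nobody:/var/lib/legacyd:/usr/sbin/nologin
oldsvc:ab0aBcDEfGhIj:101:101:unshadowed service account:/var/lib/oldsvc:/bin/sh
"""

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


@dataclass
class PasswdEntry:
    name: str
    passwd: str   # "x" when the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    def gecos_fields(self) -> Dict[str, str]:
        """Split the GECOS field into its conventional comma-separated parts."""
        parts = self.gecos.split(",")
        keys = ("full_name", "room", "work_phone", "home_phone", "other")
        return {k: (parts[i] if i < len(parts) else "") for i, k in enumerate(keys)}


def parse_passwd(text: str) -> List[PasswdEntry]:
    """One record per line, exactly seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def audit(entries: List[PasswdEntry]) -> List[str]:
    """Return one finding per problem; an empty list means the file looks sane."""
    findings: List[str] = []
    by_uid: Dict[int, List[str]] = {}
    seen = set()
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
        if e.name in seen:
            findings.append(f"{e.name}: duplicate login name")
        seen.add(e.name)
    # Any second UID-0 account is root under another name.
    for name in by_uid.get(0, []):
        if name != "root":
            findings.append(f"{name}: UID 0 but not root")
    # Several accounts on one UID: compromising one process gives the
    # attacker every other process with that UID (signals, ptrace, files).
    for uid, owners in sorted(by_uid.items()):
        if len(owners) > 1:
            findings.append(f"uid {uid} shared by {', '.join(owners)}")
    for e in entries:
        # Anything other than "x" or a lock marker in field 2 is a hash that
        # every local user can read and crack offline.
        if e.passwd and e.passwd != "x" and not e.passwd.startswith(("*", "!")):
            findings.append(f"{e.name}: password hash stored in /etc/passwd")
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field, login needs no password")
        # Service accounts should not have an interactive shell.
        if 0 < e.uid < 1000 and e.shell not in NOLOGIN_SHELLS:
            findings.append(f"{e.name}: system account with interactive shell {e.shell}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

Run against the sample, audit() reports the planted cases only: toor as a second UID 0, UID 0 and UID 65534 each shared by two names, and oldsvc both carrying a hash in /etc/passwd and having /bin/sh as a system account. The page's own records produce no findings.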

Shadow file

/etc/shadow is used to increase the security level of passwords by restricting all but highly privileged users’ access to hashed password data. Typically, that data is kept in files owned by and accessible only by the super user.

Systems administrators can reduce the likelihood of brute-force attacks by making the list of hashed passwords unreadable by unprivileged users. The obvious way to do this is to make the passwd database itself readable only by the root user. However, this would restrict access to other data in the file such as username-to-userid mappings, which would break many existing utilities and provisions. One solution is a "shadow" password file to hold the password hashes separate from the other data in the world-readable passwd file. For local files, this is usually /etc/shadow on Linux and Unix systems, or /etc/master.passwd on BSD systems; each is readable only by root. (Root access to the data is considered acceptable since on systems with the traditional "all-powerful root" security model, the root user would be able to obtain the information in other ways in any case). Virtually all recent Unix-like operating systems use shadowed passwords.

The shadow password file does not entirely solve the problem of attacker access to hashed passwords, as some network authentication schemes operate by transmitting the hashed password over the network, and older protocols such as Telnet[3] send the password itself in cleartext, making it vulnerable to interception. Copies of system data, such as system backups written to tape or optical media, can also become a means for illicitly obtaining hashed passwords. In addition, the functions used by legitimate password-checking programs need to be written in such a way that malicious programs cannot make large numbers of authentication checks at high rates of speed.

Regardless of whether password shadowing is in effect on a given system, the passwd file is readable by all users so that various system utilities (e.g., ls) can work (e.g., to ensure that user names are shown when the user lists the contents of a folder), while only the root user can write to it. Without password shadowing, this means that an attacker with unprivileged access to the system can obtain the hashed form of every user’s password. Those values can be used to mount a brute force attack offline, testing possible passwords against the hashed passwords relatively quickly without alerting system security arrangements designed to detect an abnormal number of failed login attempts. Especially when the hash is not salted it is also possible to look up these hashed passwords in rainbow tables, databases specially made for giving back a password for a unique hash.

With a shadowed password scheme in use, the /etc/passwd file typically shows a character such as ‘*‘, or ‘x‘ in the password field for each user instead of the hashed password, and /etc/shadow usually contains the following user information:

  • User login name
  • salt and hashed password OR a status exception value e.g.:
    • “$id$salt$hashed”, the printable form of a password hash as produced by crypt (C), where “$id” is the algorithm used. On GNU/Linux, “$1$” stands for MD5, “$2a$” is Blowfish, “$2y$” is Blowfish (correct handling of 8-bit chars), “$5$” is SHA-256 and “$6$” is SHA-512,[4] other Unix may have different values, like NetBSD. Key stretching is used to increase password cracking difficulty, using by default 1000 rounds of modified MD5,[5] 64 rounds of Blowfish, 5000 rounds of SHA-256 or SHA-512.[6] The number of rounds may be varied for Blowfish, or for SHA-256 and SHA-512 by using e.g. “$6$rounds=50000$”.
    • Empty string – No password, the account has no password (reported by passwd on Solaris with “NP”).[7]
    • “!” – the account is password locked, user will be unable to log in via password authentication but other methods (e.g. ssh key) may be still allowed.[8]
    • “*LK*” or “*” – the account is locked, user will be unable to log in via password authentication but other methods (e.g. ssh key) may be still allowed.[8]
    • “!!” – the password has never been set (RedHat)[9]
  • Days since epoch of last password change
  • Days until change allowed
  • Days before change required
  • Days warning for expiration
  • Days before account inactive
  • Days since epoch when account expires
  • Reserved

The format of the shadow file is simple, and basically identical to that of the password file, to wit, one line per user, ordered fields on each line, and fields separated by colons. Many systems require the order of user lines in the shadow file be identical to the order of the corresponding users in the password file.
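As an added example (not code from the original page), the script below parses records in the nine-field shadow format just described, decodes the second field into the states listed above (hashed with algorithm, rounds and salt; locked; empty; never set), evaluates the aging fields against a given date, and checks the one property that makes shadowing worthwhile, that the file is not world-readable. SAMPLE_SHADOW is constructed: root and daemon are copied from the page's listing, the other four records are invented to exercise the lock, expiry and never-set cases, and their hash parts are placeholders rather than real digests.

```python
"""Parse /etc/shadow records, decode the password field and check aging.

Added example, not code from the original page. SAMPLE_SHADOW is
constructed: root and daemon are copied from the page's listing, the
other four records are invented to exercise the lock, expiry and
never-set cases (their hash parts are placeholders, not real digests).
"""
import os
import stat
import tempfile
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

EPOCH = date(1970, 1, 1)
HASH_NAMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt"}
DEFAULT_ROUNDS = {"1": 1000, "5": 5000, "6": 5000}

SAMPLE_SHADOW = """\
root:$6$zWfdesqL$W37U8bi4X4TBfCBbpl0Xg3igJmJpZaRLjkmEceZudlf6OJ/.BVglCb1Z8VUFpXT.mpw6FUUyqP6qZZmx9VqMh.:17577:0:99999:7:::
daemon:*:17577:0:99999:7:::
alice:!$6$rounds=50000$c0nstructed$placeholder:17577:0:90:7:30::
bob:$5$c0nstructed$placeholder:17000:0:90:7:30:17580:
carol::17577:0:99999:7:::
dave:!!:17577:0:99999:7:::
"""


def epoch_day(days: int) -> date:
    """Shadow stores its dates as days since 1970-01-01."""
    return EPOCH + timedelta(days=days)


def classify_password(field: str) -> Dict[str, Optional[object]]:
    """Decode field 2 into state, algorithm, rounds and salt."""
    info: Dict[str, Optional[object]] = dict.fromkeys(("state", "algorithm", "rounds", "salt"))
    if field == "":
        info["state"] = "no-password"        # login succeeds with an empty password
    elif field == "!!":
        info["state"] = "never-set"          # Red Hat convention
    else:
        body = field.lstrip("!")             # passwd -l keeps the hash behind the "!"
        if body == "" or body.startswith("*"):
            info["state"] = "locked"         # "*", "*LK*", "*NP*": no password login
            return info
        info["state"] = "locked" if field.startswith("!") else "hashed"
        if body.startswith("$"):
            ident, *rest = body.split("$")[1:]      # id, [rounds=N], salt, hash
            info["algorithm"] = HASH_NAMES.get(ident, f"unknown(${ident}$)")
            if ident in ("2a", "2b", "2y"):          # $2y$cost$<22-char salt><31-char hash>
                info["rounds"], info["salt"] = 2 ** int(rest[0]), rest[1][:22]
            else:
                info["rounds"] = DEFAULT_ROUNDS.get(ident)
                if rest and rest[0].startswith("rounds="):
                    info["rounds"], rest = int(rest[0][7:]), rest[1:]
                info["salt"] = rest[0] if rest else None
        elif len(body) == 13:
            info["algorithm"], info["salt"] = "descrypt", body[:2]   # legacy crypt(3)
        else:
            info["algorithm"] = "unknown"
    return info


def parse_shadow(text: str) -> List[Dict[str, object]]:
    """One record per line, nine colon-separated fields; numeric fields may be empty."""
    num = lambda s: int(s) if s else None
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        entries.append({"name": f[0], "password": classify_password(f[1]),
                        "last_change": num(f[2]), "min_days": num(f[3]),
                        "max_days": num(f[4]), "warn_days": num(f[5]),
                        "inactive_days": num(f[6]), "expire": num(f[7])})
    return entries


def password_expired(e: Dict[str, object], today: date) -> bool:
    """Password older than max_days (99999 is the conventional "never")."""
    last, max_days = e["last_change"], e["max_days"]
    if last is None or max_days is None or max_days >= 99999:
        return False
    return today > epoch_day(last + max_days)


def account_expired(e: Dict[str, object], today: date) -> bool:
    """Field 8: the account is unusable from that day on."""
    return e["expire"] is not None and today >= epoch_day(e["expire"])


def world_readable(path: str) -> bool:
    """The whole point of shadowing is lost if this returns True."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo_mode_check() -> Tuple[bool, bool]:
    """Write the sample as a properly protected file and as a 0644 backup copy."""
    with tempfile.TemporaryDirectory() as d:
        paths = {os.path.join(d, "shadow"): 0o640, os.path.join(d, "shadow.bak"): 0o644}
        for path, mode in paths.items():
            with open(path, "w") as fh:
                fh.write(SAMPLE_SHADOW)
            os.chmod(path, mode)
        return tuple(world_readable(p) for p in paths)
```

The "!"-prefixed form is worth noticing: passwd -l does not delete the hash, it only prepends "!", so a locked account's hash is still there to be cracked if the file leaks, and unlocking restores the old password. demo_mode_check() shows the failure mode the article mentions for backups: the copy named shadow.bak is world-readable even though the original is not. On a real system the same functions run over /etc/shadow as root.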

 

and even knows why it is 'necessary'?!

2. Why shadow your passwd file?

By default, most current Linux distributions do not contain the Shadow Suite installed. This includes Slackware 2.3, Slackware 3.0, and other popular distributions. One of the reasons for this is that the copyright notices in the original Shadow Suite were not clear on redistribution if a fee was charged. Linux uses a GNU Copyright (sometimes referred to as a Copyleft) that allows people to package it into a convenient package (like a CD-ROM distribution) and charge a fee for it.

The current maintainer of the Shadow Suite, Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> received the source code from the original author under a BSD style copyright that allowed redistribution. Now that the copyright issues are resolved, it is expected that future distributions will contain password shadowing by default. Until then, you will need to install it yourself.

If you installed your distribution from a CD-ROM, you may find that, even though the distribution did not have the Shadow Suite installed, some of the files you need to install the Shadow Suite may be on the CD-ROM.

However, Shadow Suite versions 3.3.1, 3.3.1-2, and shadow-mk all have security problems with their login program and several other suid root programs that came with them, and should no longer be used.

All of the necessary files may be obtained via anonymous FTP or through the World Wide Web.

On a Linux system without the Shadow Suite installed, user information including passwords is stored in the /etc/passwd file. The password is stored in an encrypted format. If you ask a cryptography expert, however, he or she will tell you that the password is actually in an encoded rather than encrypted format because when using crypt(3), the text is set to null and the password is the key. Therefore, from here on, I will use the term encoded in this document.

The algorithm used to encode the password field is technically referred to as a one way hash function. This is an algorithm that is easy to compute in one direction, but very difficult to calculate in the reverse direction. More about the actual algorithm used can be found in section 2.4 or your crypt(3) manual page.

When a user picks or is assigned a password, it is encoded with a randomly generated value called the salt. This means that any particular password could be stored in 4096 different ways. The salt value is then stored with the encoded password.

When a user logs in and supplies a password, the salt is first retrieved from the stored encoded password. Then the supplied password is encoded with the salt value, and then compared with the encoded password. If there is a match, then the user is authenticated.

It is computationally difficult (but not impossible) to take a randomly encoded password and recover the original password. However, on any system with more than just a few users, at least some of the passwords will be common words (or simple variations of common words).

System crackers know all this, and will simply encrypt a dictionary of words and common passwords using all possible 4096 salt values. Then they will compare the encoded passwords in your /etc/passwd file with their database. Once they have found a match, they have the password for another account. This is referred to as a dictionary attack, and is one of the most common methods for gaining or expanding unauthorized access to a system.

If you think about it, an 8 character password encodes to 4096 different 13 character strings. So a dictionary of say 400,000 common words, names, passwords, and simple variations would easily fit on a 4GB hard drive. The attacker need only sort them, and then check for matches. Since a 4GB hard drive can be had for under $1000.00, this is well within the means of most system crackers.

Also, if a cracker obtains your /etc/passwd file first, they only need to encode the dictionary with the salt values actually contained in your /etc/passwd file. This method is usable by your average teenager with a couple of hundred spare Megabytes and a 486 class computer.

Even without lots of drive space, utilities like crack(1) can usually break at least a couple of passwords on a system with enough users (assuming the users of the system are allowed to pick their own passwords).

The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. If you were to change the /etc/passwd file so that nobody can read it, the first thing that you would notice is that the ls -l command now displays user ID's instead of names!

The Shadow Suite solves the problem by relocating the passwords to another file (usually /etc/shadow). The /etc/shadow file is set so that it cannot be read by just anyone. Only root will be able to read and write to the /etc/shadow file. Some programs (like xlock) don't need to be able to change passwords, they only need to be able to verify them. These programs can either be run suid root or you can set up a group shadow that is allowed read only access to the /etc/shadow file. Then the program can be run sgid shadow.

By moving the passwords to the /etc/shadow file, we are effectively keeping the attacker from having access to the encoded passwords with which to perform a dictionary attack.

Additionally, the Shadow Suite adds lots of other nice features:

  • A configuration file to set login defaults (/etc/login.defs)
  • Utilities for adding, modifying, and deleting user accounts and groups
  • Password aging and expiration
  • Account expiration and locking
  • Shadowed group passwords (optional)
  • Double length passwords (16 character passwords) [NOT RECOMMENDED]
  • Better control over user's password selection
  • Dial-up passwords
  • Secondary authentication programs [NOT RECOMMENDED]

Installing the Shadow Suite contributes toward a more secure system, but there are many other things that can also be done to improve the security of a Linux system, and there will eventually be a series of Linux Security HOWTO's that will discuss other security measures and related issues.

For current information on other Linux security issues, including warnings on known vulnerabilities see the Linux Security home page (http://bach.cis.temple.edu/linux/linux-security/).

2.1 Why you might NOT want to shadow your passwd file.

There are a few circumstances and configurations in which installing the Shadow Suite would NOT be a good idea:

  • The machine does not contain user accounts.
  • Your machine is running on a LAN and is using NIS (Network Information Services) to get or supply user names and passwords to other machines on the network. (This can actually be done, but is beyond the scope of this document, and really won't increase security much anyway)
  • Your machine is being used by terminal servers to verify users via NFS (Network File System), NIS, or some other method.
  • Your machine runs other software that validates users, and there is no shadow version available, and you don't have the source code.

 

But the 'hacker' thinks in reverse:

3.3 What is included with the Shadow Suite. (https://www.tldp.org/HOWTO/Shadow-Password-HOWTO-3.html)

The Shadow Suite contains replacement programs for:

su, login, passwd, newgrp, chfn, chsh, and id

The package also contains the new programs:

chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod, groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv, and pwunconv

Additionally, the library: libshadow.a is included for writing and/or compiling programs that need to access user passwords.

Also, manual pages for the programs are also included.

There is also a configuration file for the login program which will be installed as /etc/login.defs.

PWCONV(8)                 System Management Commands                 PWCONV(8)

NAME
       pwconv, pwunconv, grpconv, grpunconv - convert to and from shadow
       passwords and groups

SYNOPSIS
       pwconv [options]

       pwunconv [options]

       grpconv [options]

       grpunconv [options]

DESCRIPTION
       The pwconv command creates shadow from passwd and an optionally
       existing shadow.

       The pwunconv command creates passwd from passwd and shadow and then
       removes shadow.

       The grpconv command creates gshadow from group and an optionally
...

more /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nol
...

more /etc/shadow

root:$6$zWfdesqL$W37U8bi4X4TBfCBbpl0Xg3igJmJpZaRLjkmEceZudlf6OJ/.BVglCb1Z8VUFpXT.mpw6FUUyqP6qZZmx9VqMh.:17577:0:99999:7:::
daemon:*:17577:0:99999:7:::
bin:*:17577:0:99999:7:::
sys:*:17577:0:99999:7:::
sync:*:17577:0:99999:7:::
games:*:17577:0:99999:7:::
man:*:17577:0:99999:7:::
lp:*:17577:0:99999:7:::
mail:*:17577:0:99999:7:::
news:*:17577:0:99999:7:::
uucp:*:17577:0:99999:7:::
proxy:*:17577:0:99999:7:::
www-data:*:17577:0:99999:7:::
backup:*:17577:0:99999:7:::
list:*:17577:0:99999:7:::
irc:*:17577:0:99999:7:::
gnats:*:17577:0:99999:7:::
nobody:*:17577:0:99999:7:::
_apt:*:17577:0:99999:7:::
systemd-network:*:17577:0:99999:7:::
systemd-resolve:*:17577:0:99999:7:::
usbmux:*:17577:0:99999:7:::

 

Digging into how the 'tools' are used, in search of the art of the 'possible':

root@kali:~# mkpasswd -m sha-512 toor zWfdesqL
$6$zWfdesqL$W37U8bi4X4TBfCBbpl0Xg3igJmJpZaRLjkmEceZudlf6OJ/.BVglCb1Z8VUFpXT.mpw6FUUyqP6qZZmx9VqMh.

man mkpasswd

MKPASSWD(1)                    Debian GNU/Linux                    MKPASSWD(1)

NAME
       mkpasswd - Overfeatured front end to crypt(3)

SYNOPSIS
       mkpasswd PASSWORD SALT

DESCRIPTION
       mkpasswd  encrypts  the  given password with the crypt(3) libc function
       using the given salt.

OPTIONS
       -S, --salt=STRING
              Use the STRING as salt. It must not  contain  prefixes  such  as
              $1$.

       -R, --rounds=NUMBER
              Use NUMBER rounds. This argument is ignored if the method chosen
              does not support  variable  rounds.  For  the  OpenBSD  Blowfish
              method this is the logarithm of the number of rounds.

       -m, --method=TYPE
...

Not to mention that they usually devote themselves to 'programming ability':

root@kali:~# python
Python 2.7.15+ (default, Aug 31 2018, 11:56:52)
[GCC 8.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import random
>>> import string
>>> import crypt
>>> salt = "zWfdesqL"
>>> password = "toor"
>>> hashed = crypt.crypt(password, '$6$%s' % salt)
>>> print (hashed)
$6$zWfdesqL$W37U8bi4X4TBfCBbpl0Xg3igJmJpZaRLjkmEceZudlf6OJ/.BVglCb1Z8VUFpXT.mpw6FUUyqP6qZZmx9VqMh.
>>>
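The mkpasswd and crypt.crypt calls above both hand the work to the C library, so they show the result but not the procedure the HOWTO describes (take the salt from the stored field, encode the candidate with it, compare). As an added example, not code from the original page, the block below reimplements the crypt(3) "$6$" algorithm (SHA-512 crypt, default 5000 rounds) with hashlib alone, then uses it for the two things the shadow hash is wanted for: verifying a password the way login does, and the salted dictionary attack from section 2 of the HOWTO. It runs without the crypt module, which Python 3.13 removed. ROOT_HASH is the root record from the shadow listing on this page; WORDLIST is constructed.

```python
"""SHA-512 crypt ($6$) in pure Python: verify a shadow hash and run the
salted dictionary attack the HOWTO describes.

Added example, not code from the original page. It reimplements the
crypt(3) $6$ algorithm with hashlib so that it runs where Python's crypt
module (removed in 3.13) is missing. ROOT_HASH is the root record from
the page's shadow listing; WORDLIST is constructed.
"""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

ROOT_HASH = ("$6$zWfdesqL$W37U8bi4X4TBfCBbpl0Xg3igJmJpZaRLjkmEceZudlf6OJ/"
             ".BVglCb1Z8VUFpXT.mpw6FUUyqP6qZZmx9VqMh.")
WORDLIST = ["password", "123456", "kali", "root", "toor", "letmein"]  # constructed

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order in which crypt(3) emits the 64-byte result: three bytes per
# four output characters; byte 63 alone gives the final two characters.
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def _repeat(block: bytes, length: int) -> bytes:
    """Cycle block until exactly length bytes are produced."""
    return (block * (length // len(block) + 1))[:length]


def _encode(digest: bytes) -> str:
    """crypt's base64 variant: 6 bits at a time, low bits first, in _ORDER."""
    out = []
    for b2, b1, b0 in _ORDER:
        w = (digest[b2] << 16) | (digest[b1] << 8) | digest[b0]
        for _ in range(4):
            out.append(B64[w & 0x3F])
            w >>= 6
    w = digest[63]
    out.append(B64[w & 0x3F])
    out.append(B64[(w >> 6) & 0x3F])
    return "".join(out)


def sha512_crypt(password: str, salt: str, rounds: Optional[int] = None) -> str:
    """crypt(3) with a "$6$" setting. rounds=None means the default 5000 and,
    as in glibc, no rounds= field in the output."""
    pw, sl = password.encode(), salt.split("$")[0][:16].encode()   # salt is at most 16 chars
    n_rounds = 5000 if rounds is None else max(1000, min(rounds, 999_999_999))
    H = hashlib.sha512
    b = H(pw + sl + pw).digest()                  # digest B
    ctx = H(pw + sl)                              # digest A starts with password, salt
    ctx.update(_repeat(b, len(pw)))               # one byte of B per password byte
    n = len(pw)
    while n:                                      # bits of len(pw), low bit first
        ctx.update(b if n & 1 else pw)
        n >>= 1
    a = ctx.digest()
    p = _repeat(H(pw * len(pw)).digest(), len(pw))            # byte sequence P
    s = _repeat(H(sl * (16 + a[0])).digest(), len(sl))        # byte sequence S
    c = a
    for i in range(n_rounds):                     # key stretching: the "rounds"
        ctx = H(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    prefix = "$6$" if rounds is None else f"$6$rounds={n_rounds}$"
    return f"{prefix}{sl.decode()}${_encode(c)}"


def parse_setting(stored: str) -> Tuple[str, Optional[int]]:
    """Split "$6$[rounds=N$]salt$hash" into (salt, rounds or None)."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a $6$ hash")
    rounds = None
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        del parts[2]
    return parts[2], rounds


def verify(password: str, stored: str) -> bool:
    """What login(1)/PAM do: recompute with the stored salt and compare."""
    salt, rounds = parse_setting(stored)
    return hmac.compare_digest(sha512_crypt(password, salt, rounds), stored)


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: only this record's salt needs to be hashed."""
    salt, rounds = parse_setting(stored)
    for word in wordlist:
        if sha512_crypt(word, salt, rounds) == stored:
            return word
    return None


if __name__ == "__main__":
    print(sha512_crypt("toor", "zWfdesqL") == ROOT_HASH)
    print(crack(ROOT_HASH, WORDLIST))
```

Two things the page's one-liners hide are visible here. First, the salt removes the precomputation advantage: the attacker with the file hashes the dictionary once per salt present, which is exactly why the file itself is the target. Second, the cost is in the rounds loop, and "$6$rounds=50000$" raises it tenfold for attacker and login alike; pure Python needs a few milliseconds per candidate at 5000 rounds, and dedicated crackers are orders of magnitude faster, so a password that is in any wordlist falls regardless of the algorithm.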

 

It is not hard to see why someone would want 'those files', is it?★