Posts Tagged: security

ComputingNo Comments
3
Apr 08

Permissions for home directories

Systems administrators are usually paranoid about remote, anonymous black-hat hackers finding vulnerabilities in their security and then doing malicious acts. What is often disregarded is security against known systems users. Lack of security in this respect can be tolerated for intimate groups with some sort of trust system, but there is no excuse for this when regular users are effectively still anonymous.

I happened to come across a highly recommended and fairly expensive shared web host that missed a very obvious point for systems security: readable home directories.

With shared web hosts, upon completion of the registration process, each registrant is usually granted a systems user account with a home directory created using the tool adduser. In a number of UNIX-based distributions (eg., Debian, Ubuntu, Mac), user directories are created with the permissions 0755 by default. This means that the home directory of a user would be browseable by all the other users, and that readable contents of this would be readable by all too. That would be alarming, especially if users are not warned to keep from storing sensitive data beforehand.

I wrote a (support) ticket to the hosting company regarding this, and told them that home directory permissions should, at the very least, be 0751. But of course. I found a huge database dump of another user with whom I shared my web host, and I am sure as hell I could earn grands selling the IP addresses there, if any. The CEO of the company replied, saying that they were actually aware of the permissions but that there would be problems with Apache and other applications that the users might need if the permissions were changed. Silly excuse. I was also assured that they constantly monitored activity and warned users if they found the users were storing private data that were for everyone to see. What about the database dump I found? I suggested that they make use of user groups, and insisted that they still change the adduser configuration. Finally, he informed me that they were already finding ways to resolve the application requirement issues, and already changed the default setting for adduser.

If the default home directory permissions issue is relevant to you, you might want to take a look at /etc/adduser.conf:

# If DIR_MODE is set, directories will be created with the specified
# mode. Otherwise the default mode 0755 will be used.
DIR_MODE=0751

Changing the default permissions would not update the permissions of already existing home directories.

If you are a web host manager and want to handle the applications being run, investigate user groups.

ComputingNo Comments
2
Jun 06

libpam-mysql 0.6.1

The most recent libpam-mysql version considered to be stable in the Debian package repository is 0.5.0-6. The account management section of this module, however, is not functional. It was not until 0.6.1 that this has been fixed.

From the changelog in the project’s homepage:

Fixed account management code that wouldn’t work at all :-p (0.6.1, 0.7pre2)

I hope this saves somebody time.

Computing2 Comments
9
Feb 06

Viruses on Windows XP

My dormmates ask me from time to time about unusual things that happen with their Microsoft Windows XP systems. Because I am usually short on time, I seldom bother to search the Internet to find out what specific virus has infected a computer, and to look for specific fixes from Microsoft itself or from respectable anti-virus companies. In most cases, I just do the following, and oftentimes, the problem is fixed.

  1. Run Task Manager.
  2. Terminate the Explorer process. Explorer is the manager of the graphical interface of Windows. A large number of viruses inject instructions into this to recreate them if they are deleted, or to start the processes needed by the viruses again if the processes are terminated.
  3. Terminate suspicious and non-critical processes.
  4. Run msconfig.
  5. Make sure that Selective Startup is selected. In the Processes tab, a list of processes run upon boot up is shown. Only processes wished to be run upon boot up should be ticked.
  6. Reboot.

Some cases I’ve encountered required manual deletion of certain files after these are done. Others required uninstallation of malware. There were also a couple that required the restoration of one or two original Windows system files. Also, there are times when the Windows systems seem too corrupted that I just end up recommending reinstallation of the operating system.

Of course, I never forget to remind people to install security patches from Microsoft whenever new ones become available, and although I hated having an anti-virus software running on my Windows system before, I always tell my dormmates to install one if they don’t have any installed yet, and to update their virus definitions regularly. Preventive measures ought to help.