Re: an actual hacked machine, in a preserved state




On Thu, Jan 5, 2012 at 10:13 PM, email builder <emailbuilder88@xxxxxxxxx> wrote:
>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>> your /etc/shadow file (not a remote shell, just GET the file
>> without that fact being logged);
>
> I don't mean to thread-hijack, but I'm curious, if apache runs as its
> own non-root user and /etc/shadow is root-owned and 0400, then
> how could any exploit of software not running as root ever have
> access to that file??

Apache starts as root so it can open port 80.  Certain bugs might
happen before it switched to a non-privileged user.  But, a more
likely scenario would be to get the ability to run some arbitrary
command through an apache, app, or library vulnerability, and that
command would use a different kernel, library, or suid program
vulnerability to get root access.  Look back through the update
release notes and you'll find an assortment of suitable bugs that have
been there...

-- 
   Les Mikesell
    lesmikesell@xxxxxxxxx
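The two boundaries Les describes (the master httpd keeps root only long enough to bind port 80, and /etc/shadow must stay unreadable to the worker user) can be checked after the fact. The script below is an added audit example, not code from this thread or from CentOS; it assumes `stat -c` and `ps -eo user=,comm=` from procps/coreutils, and process names `httpd` or `apache2`. The `SAMPLE_PS` text is constructed so the functions can be exercised without a live web server.

```shell
#!/bin/sh
# Added audit example (not from the mailing-list thread): verify that httpd
# workers have dropped root and that /etc/shadow grants nothing to "other".

# check_shadow_perms MODE OWNER
# Returns 0 when OWNER is root and the last octal digit of MODE is 0, so
# the CentOS default of 0000 root:root passes, as does 0400; a world-
# readable 0644 fails. Group bits are left to site policy (Debian uses
# 0640 root:shadow).
check_shadow_perms() {
    mode=$1
    owner=$2
    [ "$owner" = "root" ] || return 1
    # POSIX trick for "last character of $mode"; stat prints 0000 as "0".
    other="${mode#"${mode%?}"}"
    [ "$other" = "0" ]
}

# root_httpd_count PS_TEXT
# PS_TEXT is "USER COMMAND" lines as printed by `ps -eo user=,comm=`.
# Exactly one root httpd/apache2 process is expected (the master that
# bound port 80); more than one means workers never dropped privileges.
root_httpd_count() {
    printf '%s\n' "$1" | awk '$1 == "root" && $2 ~ /^(httpd|apache2)$/ { n++ }
                              END { print n + 0 }'
}

# worker_users PS_TEXT
# Prints the distinct non-root users that httpd/apache2 workers run as.
worker_users() {
    printf '%s\n' "$1" | awk '$1 != "root" && $2 ~ /^(httpd|apache2)$/ { print $1 }' | sort -u
}

# Constructed sample: one root master, two workers as "apache", plus sshd.
SAMPLE_PS='root httpd
apache httpd
apache httpd
root sshd'

# audit_live: run the checks against this host. Only invoked with --live so
# that sourcing the file for its functions has no side effects.
audit_live() {
    set -- $(stat -c '%a %U' /etc/shadow)
    if check_shadow_perms "$1" "$2"; then
        echo "ok:   /etc/shadow mode $1 owner $2"
    else
        echo "WARN: /etc/shadow mode $1 owner $2 (should be 0000 or 0400, root)"
    fi
    ps_out=$(ps -eo user=,comm=)
    n=$(root_httpd_count "$ps_out")
    if [ "$n" -le 1 ]; then
        echo "ok:   $n httpd process(es) running as root"
    else
        echo "WARN: $n httpd processes running as root; workers did not drop privileges"
    fi
    echo "httpd worker user(s): $(worker_users "$ps_out" | tr '\n' ' ')"
}

if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it as `sh audit.sh --live` on the server; a `WARN` on either line is the misconfiguration that turns the attacker's scenario from "needs a second, local bug" into "just read the file". Note that a count of one root httpd is the normal state, not a finding: the master process must keep root to bind the privileged port, which is exactly the window Les points at for bugs that trigger before the switch.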
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


