public inbox for cygwin@cygwin.com
* Re: inetd security hole?
@ 2000-08-08  9:15 Bob Heckel
  2000-08-08  9:36 ` Chris Faylor
  0 siblings, 1 reply; 9+ messages in thread
From: Bob Heckel @ 2000-08-08  9:15 UTC (permalink / raw)
  To: Robert Collins, cygwin

Thanks for the suggestion, Rob, but I still need the Guest account to allow
anonymous NT shares (for my non-Cygwin enlightened coworkers) to certain
directories on my W2K box.  I'll just leave Guest out of /etc/passwd for
now.

The thing that worried me originally was that "dropbox" shares are common on
Windoze machines and I only discovered the hole by accident.  Unfortunately
the inetd documentation doesn't mention the issue.

Bob Heckel
p.s. Thanks also to Dave for your comments.

On Tue, 8 Aug 2000 08:23:57 +1000, Robert Collins wrote:

>  I agree that this is a NT feature.. in fact the guest account can be
>  renamed, or disabled. Bob - if you disable the guest account on your
>  machine, cygwin shouldn't be able to log you in whether or not guest is
>  listed in /etc/passwd.
>  
>  Rob





_______________________________________________________
Say Bye to Slow Internet!
http://www.home.com/xinbox/signup.html


--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com


* Re: inetd security hole?
  2000-08-08  9:15 inetd security hole? Bob Heckel
@ 2000-08-08  9:36 ` Chris Faylor
  0 siblings, 0 replies; 9+ messages in thread
From: Chris Faylor @ 2000-08-08  9:36 UTC (permalink / raw)
  To: cygwin

On Tue, Aug 08, 2000 at 09:15:01AM -0700, Bob Heckel wrote:
>Thanks for the suggestion, Rob but I still need the Guest account to allow
>anonymous NT shares (for my non-Cygwin enlightened coworkers) to certain
>directories on my W2K box.  I'll just leave Guest out of /etc/passwd for
>now.
>
>The thing that worried me originally was that "dropbox" shares are common on
>Windoze machines and I only discovered the hole by accident.  Unfortunately
>the inetd documentation doesn't mention the issue.

Perhaps you would like to contribute some wording for the inetd documentation
which describes the problem.

cgf


* RE: inetd security hole?
@ 2000-08-09 16:54 Bob Heckel
  0 siblings, 0 replies; 9+ messages in thread
From: Bob Heckel @ 2000-08-09 16:54 UTC (permalink / raw)
  To: cygwin; +Cc: robert.collins

Hi Corinna,

Yesterday night (Tues, Aug 8, 2000) Robert Collins
improved my original version.  You might want to
consider merging this version during your next update.
Thanks.

"Please be aware that if you have created your
/etc/passwd via mkpasswd -l then you may have a
security hole. 

If your PC has 'Guest' enabled in order to allow shares
to certain directories on your W2K or NT box, your
passwd file contains an entry for Guest that will allow
anyone to ftp, telnet, etc. to your machine simply by
using user guest and pressing enter for the password.
One solution is to disable the Guest account via User
Manager (NT) or Control Panel - Users and passwords
(W2K), the other is to delete the Guest entry in
/etc/passwd. 

This problem is a weakness in Windows, not Cygwin." 

Bob Heckel


> Thanks, I have checked that into the README with slight
> changes to mention anonymous ftp in that context. 
> 
> However, I will upload another version of inetutils
> this week since 
> I found a problem with anonymous ftp. 
> 
> Corinna

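As an added example, not code from this thread or from the Cygwin project, the following Python script implements the /etc/passwd side of the fix described in the blurb above: it parses a passwd file of the shape `mkpasswd -l` writes, reports the Guest entry, and returns a copy of the file without it. It also matches on uid 501, the well-known relative ID (RID) of the built-in Guest account, so a renamed Guest (Rob notes the account can be renamed) is still caught; that second check assumes `mkpasswd -l` records the account's RID as the uid. The sample passwd lines, the machine name WORKSTATION and the SID values are constructed for the example.

```python
"""Audit a Cygwin-style /etc/passwd for the built-in Guest entry and
produce a copy without it.  Example code; assumptions are noted inline."""
from typing import List, NamedTuple, Optional

# Well-known RID of the built-in Guest account on Windows NT-family systems.
# Matching on it catches a Guest account that has been renamed.  Assumption:
# mkpasswd -l writes the account's RID into the uid field.
GUEST_RID = 501


class PasswdEntry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str, lineno: int = 0) -> Optional[PasswdEntry]:
    """Parse one passwd line; returns None for blank lines and comments."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(
            f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
    name, passwd, uid, gid, gecos, home, shell = fields
    try:
        return PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell)
    except ValueError:
        raise ValueError(f"line {lineno}: uid/gid are not integers: {uid!r}/{gid!r}")


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse a whole passwd file, skipping blank and comment lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_passwd_line(line, lineno)
        if entry is not None:
            entries.append(entry)
    return entries


def is_guest(entry: PasswdEntry) -> bool:
    """True if the entry is the Guest account, by name or by well-known RID."""
    return entry.name.lower() == "guest" or entry.uid == GUEST_RID


def find_guest_entries(text: str) -> List[str]:
    """Names of all entries in the passwd text that map to the Guest account."""
    return [e.name for e in parse_passwd(text) if is_guest(e)]


def strip_guest_entries(text: str) -> str:
    """Return the passwd text with Guest entries removed, other lines untouched."""
    kept = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_passwd_line(line, lineno)
        if entry is not None and is_guest(entry):
            continue
        kept.append(line)
    return "".join(line + "\n" for line in kept)


# Constructed sample in the format mkpasswd -l produces (machine name and
# SIDs are made up).  The Guest line is the one the thread warns about.
SAMPLE_PASSWD = """\
Administrator:unused:500:513:Administrator,U-WORKSTATION\\Administrator,S-1-5-21-1111-2222-3333-500:/home/Administrator:/bin/bash
Guest:unused:501:513:Guest,U-WORKSTATION\\Guest,S-1-5-21-1111-2222-3333-501:/home/Guest:/bin/bash
bheckel:unused:1000:513:Bob Heckel,U-WORKSTATION\\bheckel,S-1-5-21-1111-2222-3333-1000:/home/bheckel:/bin/bash
"""

# Constructed sample where Guest has been renamed to "Visitor"; only the RID
# check finds it.
SAMPLE_RENAMED = """\
Visitor:unused:501:513:Visitor,U-WORKSTATION\\Visitor,S-1-5-21-1111-2222-3333-501:/home/Visitor:/bin/bash
bheckel:unused:1000:513:Bob Heckel,U-WORKSTATION\\bheckel,S-1-5-21-1111-2222-3333-1000:/home/bheckel:/bin/bash
"""

if __name__ == "__main__":
    import sys
    # Usage: python audit_passwd.py /etc/passwd > passwd.clean
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for name in find_guest_entries(text):
        print(f"Guest-equivalent entry found: {name}", file=sys.stderr)
    sys.stdout.write(strip_guest_entries(text))
```

Removing the passwd entry only stops Cygwin's inetd services from mapping a "guest" login to that account; as the blurb says, disabling the Guest account in Windows itself is the other (and broader) fix, since it also covers the anonymous share access the account was kept for.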

* Re: inetd security hole?
  2000-08-08 18:30 Bob Heckel
  2000-08-08 18:32 ` Chris Faylor
@ 2000-08-09  3:27 ` Corinna Vinschen
  1 sibling, 0 replies; 9+ messages in thread
From: Corinna Vinschen @ 2000-08-09  3:27 UTC (permalink / raw)
  To: bheckel; +Cc: cygwin

Bob Heckel wrote:
> 
> I should have suggested that myself.  How does this blurb
> sound (particularly directed to anyone who has experienced
> this issue and Corinna)?
> 
> "Please be aware that if you have created your /etc/passwd
> via mkpasswd -l then you may have a security hole.
> 
> If your PC has "Guest" enabled in order to allow shares to
> certain directories on your W2K or NT box, your passwd file
> contains an entry for Guest that will allow anyone to ftp,
> telnet, etc. to your machine simply by using user guest and
> pressing enter for the password.  One solution is to
> eliminate the Guest account via Control Panel, the other is
> to delete the Guest entry in /etc/passwd.
> 
> This problem is a weakness in Windows, not Cygwin."

Thanks, I have checked that into the README with slight changes
to mention anonymous ftp in that context.

However, I will upload another version of inetutils this week since
I found a problem with anonymous ftp.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                        mailto:cygwin@sources.redhat.com
Red Hat, Inc.
mailto:vinschen@cygnus.com


* Re: inetd security hole?
  2000-08-08 18:30 Bob Heckel
@ 2000-08-08 18:32 ` Chris Faylor
  2000-08-09  3:27 ` Corinna Vinschen
  1 sibling, 0 replies; 9+ messages in thread
From: Chris Faylor @ 2000-08-08 18:32 UTC (permalink / raw)
  To: cygwin

On Tue, Aug 08, 2000 at 06:30:20PM -0700, Bob Heckel wrote:
>I should have suggested that myself.  How does this blurb
>sound (particularly directed to anyone who has experienced
>this issue and Corinna)?
>
>"Please be aware that if you have created your /etc/passwd
>via mkpasswd -l then you may have a security hole.
>
>If your PC has "Guest" enabled in order to allow shares to
>certain directories on your W2K or NT box, your passwd file
>contains an entry for Guest that will allow anyone to ftp,
>telnet, etc. to your machine simply by using user guest and
>pressing enter for the password.  One solution is to
>eliminate the Guest account via Control Panel, the other is
>to delete the Guest entry in /etc/passwd.
>
>This problem is a weakness in Windows, not Cygwin."

That sounds perfect to me, but I'll let Corinna be the final
judge.

Thanks!

cgf

>On Tue, Aug 08, 2000 at 12:36:02 -0400, Chris Faylor wrote:
>
>>Perhaps you would like to contribute some wording for the inetd
>>documentation
>>which describes the problem.

-- 
cgf@cygnus.com                        Cygnus Solutions, a Red Hat company
http://sourceware.cygnus.com/         http://www.redhat.com/


* Re: inetd security hole?
@ 2000-08-08 18:30 Bob Heckel
  2000-08-08 18:32 ` Chris Faylor
  2000-08-09  3:27 ` Corinna Vinschen
  0 siblings, 2 replies; 9+ messages in thread
From: Bob Heckel @ 2000-08-08 18:30 UTC (permalink / raw)
  To: cygwin; +Cc: vinschen

I should have suggested that myself.  How does this blurb
sound (particularly directed to anyone who has experienced
this issue and Corinna)?

"Please be aware that if you have created your /etc/passwd
via mkpasswd -l then you may have a security hole.

If your PC has "Guest" enabled in order to allow shares to
certain directories on your W2K or NT box, your passwd file
contains an entry for Guest that will allow anyone to ftp,
telnet, etc. to your machine simply by using user guest and
pressing enter for the password.  One solution is to
eliminate the Guest account via Control Panel, the other is
to delete the Guest entry in /etc/passwd.

This problem is a weakness in Windows, not Cygwin."

Bob Heckel


On Tue, Aug 08, 2000 at 12:36:02 -0400, Chris Faylor wrote:

>Perhaps you would like to contribute some wording for the inetd
>documentation
>which describes the problem.


* Re: inetd security hole?
  2000-08-07  7:10 ` David A. Cobb
@ 2000-08-07 15:16   ` Robert Collins
  0 siblings, 0 replies; 9+ messages in thread
From: Robert Collins @ 2000-08-07 15:16 UTC (permalink / raw)
  To: David A. Cobb, bheckel, cygwin

I agree that this is a NT feature.. in fact the guest account can be
renamed, or disabled. Bob - if you disable the guest account on your
machine, cygwin shouldn't be able to log you in whether or not guest is
listed in /etc/passwd.

Rob
----- Original Message -----
From: "David A. Cobb" <superbiskit@home.com>
To: <bheckel@excite.com>; <cygwin@sources.redhat.com>
Sent: Tuesday, August 08, 2000 12:10 AM
Subject: Re: inetd security hole?


> Bob Heckel wrote:
> >
> > I just set up inetd-1.3.2-5p1 as a service on my W2K box.  My
> > thanks to the Cygwin team.  Great job on this piece.  There
> > may, however, be a security hole for some people.  I was
> > able to FTP from a remote Unix box to my Cygwin W2K box
> > simply by using user guest and password (enter).  Had to
> > delete the Guest entry from /etc/passwd to close the hole.
> >
> > I may not be configured properly and your system may be
> > different but I wanted to make sure no one is accidentally
> > exposed to trouble.  I checked the mailing list search
> > engine prior to posting this and didn't see any warnings regarding this
> > issue.
> >
> > Bob Heckel
> >
>
> This sounds like part of the NT heritage.  On an NT system the user
> name "guest" (null password) is normally enabled - might even be
> immutable.  Guest, however, should have minimum or no access.
> Making that a true statement is an administrator's job.
>
> --
> David A. Cobb, Software Engineer, Public Access Advocate
> "Don't buy or use crappy software"
> "By the grace of God I am a Christian man,
>  by my actions a great sinner" -- The Way of a Pilgrim [R. M.
> French, tr.]

* Re: inetd security hole?
  2000-08-04 14:04 Bob Heckel
@ 2000-08-07  7:10 ` David A. Cobb
  2000-08-07 15:16   ` Robert Collins
  0 siblings, 1 reply; 9+ messages in thread
From: David A. Cobb @ 2000-08-07  7:10 UTC (permalink / raw)
  To: bheckel, cygwin

Bob Heckel wrote:
> 
> I just set up inetd-1.3.2-5p1 as a service on my W2K box.  My
> thanks to the Cygwin team.  Great job on this piece.  There
> may, however, be a security hole for some people.  I was
> able to FTP from a remote Unix box to my Cygwin W2K box
> simply by using user guest and password (enter).  Had to
> delete the Guest entry from /etc/passwd to close the hole.
> 
> I may not be configured properly and your system may be
> different but I wanted to make sure no one is accidentally
> exposed to trouble.  I checked the mailing list search
> engine prior to posting this and didn't see any warnings regarding this
> issue.
> 
> Bob Heckel
> 

This sounds like part of the NT heritage.  On an NT system the user
name "guest" (null password) is normally enabled - might even be
immutable.  Guest, however, should have minimum or no access. 
Making that a true statement is an administrator's job.  

-- 
David A. Cobb, Software Engineer, Public Access Advocate
"Don't buy or use crappy software"
"By the grace of God I am a Christian man, 
 by my actions a great sinner" -- The Way of a Pilgrim [R. M.
French, tr.]


* inetd security hole?
@ 2000-08-04 14:04 Bob Heckel
  2000-08-07  7:10 ` David A. Cobb
  0 siblings, 1 reply; 9+ messages in thread
From: Bob Heckel @ 2000-08-04 14:04 UTC (permalink / raw)
  To: cygwin

I just set up inetd-1.3.2-5p1 as a service on my W2K box.  My
thanks to the Cygwin team.  Great job on this piece.  There
may, however, be a security hole for some people.  I was
able to FTP from a remote Unix box to my Cygwin W2K box
simply by using user guest and password (enter).  Had to
delete the Guest entry from /etc/passwd to close the hole.

I may not be configured properly and your system may be
different but I wanted to make sure no one is accidentally
exposed to trouble.  I checked the mailing list search
engine prior to posting this and didn't see any warnings regarding this
issue.

Bob Heckel

