Tuesday, 25 August 2009

Make Pasword file Immutable - A Security tip

You can add a extra layer of protection to your machine, or in my case help to prevent wannabe haxx0r brothers at the parents house from changing to extremely short passwords with a little trick that not many are aware of.

What happened to me was my brother managed to shoulder surf the admin account on my parents PC, I normally update their PC by SSH from home, but I was around there visiting and mum had described a problem so I was fixing it while we chatted, my brother was lurking around and managed to shoulder read my 12 digit alpha numeric password (have to give the guy a bit of credit there, sadly)

Anyway I became aware that files on the admin account had incorrect accessed times afterwards and then looked deeper and found that someone had been in on the account and had changed my brothers password on his account from a sensible 10 digit alphanumeric (which was dead simple to bang in with two fingers as the digits were paired on the keyboard) into a rather less safe two letter password. He claimed that a friend had helped him break into my account as "you aren't the only one that knows linux", as if I ever imagined that I was some guru, I'm a self confessed learner still! As we "discussed" this further he came clean that he had simply watched me enter the password rather than "hacked" in.

Anyway lets get onto the crux of this, after setting your passwords open a terminal and enter:
chattr +i /etc/shadow

This will make the file immutable, which means that it cannot be deleted or renamed, no symlink can be made to this file and no data can be written to the file. The immutable flag must be cleared before passwords can be changed, if you try to do so without clearing it then it will appear to change the password, but in fact it would not write to the file, without error. Meaning the new password would never be written and the old password would continue being the active one.

If a fairly knowledgeable user tries to dig into why it won't write and they try:
$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1027 2009-08-25 14:37 shadow

There is nothing obviously wrong with writing to the file, to check properly you would use:
$ sudo lsattr shadow
----i------------- shadow

Here we can see the +i flag set for immutable. If we clear that with:
chattr -i /etc/shadow
The password can now be changed as normal, using sudo passwd username
and then it can be set +i again to protect it.

A little bit sneaky and just a little bit safer.

No comments: