[hjlklhj]

For the "Stealing the Password File" attack what they're actually getting is a list of users, not the hashed passwords. Hashed passwords are stored in /etc/shadow in all recent (at least early 90s) systems.

This is still bad since they now will have a list of possible usernames on the system but not nearly as bad as getting access to the hashed passwords as well.

[danielweber]

It's called "the password file" for historical reasons, the same way we "dial" phone numbers.

[itsathrowaway]

The same way we "roll" down windows in our cars.

[wut42]

if they can stole /etc/passwd they probably can stole /etc/shadow, no ?

[nknighthb]

No. /etc/passwd is world-readable by necessity. /etc/shadow should only be readable by root. Your webserver should not be running as root.

[wut42]

Oh! It makes sense. :)

[peterwwillis]

Not unless they got root. /etc/passwd is world-readable, /etc/shadow is restricted to root.

edit: damnit nknighthb, beat me to the punch! I'll add that privilege escalation attacks on Linux are common place and it won't be difficult to get root once they can execute arbitrary code. Installing a rootkit/backdoor is the typical first step once you get inside a box; if you can't get root immediately you can either brute-force a root login or sit and wait for a new 0day to pop up (which is probably every quarter for Linux systems).

Of the 50 distinct kernel exploits announced this year, the following are ones which either give privilege escalation or expose memory of the kernel: CVE-2014-0038, CVE-2014-0049, CVE-2014-2523, CVE-2014-0100, CVE-2014-0131, CVE-2014-0077, CVE-2013-1860, CVE-2014-2851, CVE-2013-6383, CVE-2014-0196, CVE-2014-3153, CVE-2014-4027, CVE-2014-4014, CVE-2014-0206, CVE-2014-4699, CVE-2014-4943, CVE-2014-4652 through 4656, CVE-2014-3534, CVE-2014-0205

[nknighthb]

There's a great thing about that list. It gets cut in about half if you trim out the things that either wouldn't or shouldn't be running on most servers (e.g. x32, specific hardware drivers, ALSA(!)), which ties in nicely with the whole using-bash-as-/bin/sh thing.

The most important thing you can do for security is to decrease your attack surface, and one of the most effective ways to do that is to not run shit you don't need. Code that isn't there can't be exploited.

[drinchev]

Yeah, but they are still hashed, right? So I assume admins will use sanity-checked passwords not ones that can not be found in brute-force dictionaries.

[peterwwillis]

Yeah, no. 99% of admins do not use strong passwords. That's the reason we have brute-force dictionaries: they usually work. Besides, almost all systems still use the weak old encryption routines that can be brute-forced in a trivial amount of time with modern hardware. There's a small handful of systems which use a modern password hashing method for their secret files.

[orblivion]

So what's the point of root?