I just delete this insane /etc/services file and I swear it doesn't have any effect. But some /etc files I delete I'm staring at a zero-fill reinstall.
Is this supposed to be this ridiculous / in the /etc folder?
SSH Security and You - /bin/false is *not* security
Posted Wed, 28 Dec 2005
Backstory
While at RIT around 2004 or 2005, I discovered that a few important machines at the datacenter allowed all students, faculty, and staff to authenticate against them via ssh. Everyone's shells appear to be set to /bin/false (or some derivative) on said machines, so the only thing you'll see after you authenticate is the login banner and your connection will close. I thought to myself, "Fine, no shell for me. I wonder if port forwarding works?"
Seems reasonable, right? Whatever sysadmin was tasked with securing these machines forgot something very important about ssh2: channels. I use them often for doing agent, x11, or port forwarding. You probably use them too, right? So what happens if we try to port forward without requesting a shell (ssh -N)? You might not have guessed that it allows you to do the requested port forward and keeps the connection alive. SSH stays connected because it never executes the shell, so it never gets told to die. Whoops!
ITS (RIT's "we make the network go" department) uses ssh.com's sshd on all (afaik) of their servers. I looked at the sshd_config manual for ssh.com's sshd. It clearly defines an option exactly the same as OpenSSH's sshd: AllowGroups. This allows you to restrict ssh-authenticatable users by group. What does that mean? It means you can put all the users who need to ssh to your machines into a single group and prevent unauthorized users from authenticating (getting a shell, port forwarding, etc). So what any intelligent sysadmin would do in this situation is use the AllowGroups option and fix this fairly major security issue.
RIT's ITS has fixed the issue on their own machines. Have you?
In summary: If you don't want me to have access to your machines, then don't allow me access to your machines. /bin/false is not security.
What is /bin/false?
Many times you will have a system where you need a user to exist in the account database (say, /etc/passwd) but don't want to give them shell access to your machine(s). A common solution to this is to set a user's shell to /bin/false. This has the effect of rejecting shell login attempts over ssh, telnet, or other shell-requesting protocols.
Simply using /bin/false as someone's shell does not keep them from using said account to authenticate over ssh and using non-shell tools such as port forwarding. A default configuration in sshd will often allow tunneling and other non-shell activity.
Hole #1: Potential Firewall Bypass
So, to make things more interesting, there are two obvious holes I can exploit here. The first is firewall bypass. ITS employs lots of ACLs limiting access to machines by IP ranges. This is a normal practice in the world. However, what if the machine I am port forwarding through is one of these trusted machines? You just gave me access to your supposedly locked-down network. Don't do that.
Hole #2: Anonymous traffic
I can make my traffic far more anonymous by using ssh's port-forward or SOCKS proxy feature. OpenSSH does not appear to log port-forward-only sessions, so chances are you can get away with using this half-secured server as a proxy.
Hole #3: Resource Starvation
The third one is less obvious, but quite easy. You set up a remote port forward (ssh -R) pointed at "itself" (the machine you're logging into) and then a local port forward (ssh -L) to the machine so you can just touch it with telnet and walk away. This creates a large problem on the end machine because you will eventually take up all the available file descriptors, and since unix lives on file descriptors, you just DoS'd the machine. So if some naughty person manages to guess a password of one of your 30000 users, he/she can happily perform resource starvation attacks till the end of the day despite your wishes that I stay off your machine. Like I said, /bin/false is not security.
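The fix the post describes is a configuration one: a shell of /bin/false only stops the "shell" channel request, so the sshd_config itself has to refuse the account (AllowGroups) and, where nobody needs it, refuse forwarding (AllowTcpForwarding no). The following POSIX sh audit is an added example, not code from the 2005 post or from RIT's ITS: it reads a passwd file and an sshd_config, lists accounts whose shell is /bin/false or nologin, and reports whether the config actually keeps those accounts off sshd. The sample passwd lines, the two configs, and the group name "sshusers" are constructed for illustration, and the parser assumes a flat config with no Match blocks.

```shell
#!/bin/sh
# Audit whether "no shell" accounts can still use sshd for forwarding.
# Constructed sample files stand in for /etc/passwd and /etc/ssh/sshd_config.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001:Backup job:/var/backup:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# sshd_config as the post describes it: forwarding left at its default
# (AllowTcpForwarding yes) and nobody restricted, so /bin/false accounts
# still get "ssh -N -L/-R/-D" sessions even though they get no shell.
WEAK_SSHD_CONFIG='Port 22
PasswordAuthentication yes'

# Hardened: only members of the (hypothetical) group "sshusers" may
# authenticate at all (the AllowGroups fix from the post); forwarding,
# tunnels, X11 and agent forwarding are off unless a Match block re-enables them.
HARDENED_SSHD_CONFIG='Port 22
AllowGroups sshusers
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
AllowAgentForwarding no'

# List accounts whose login shell is /bin/false or ends in "nologin".
nologin_users() {
    printf '%s\n' "$1" | awk -F: '$7 ~ "(/bin/false|nologin)$" { print $1 }'
}

# Effective value of an sshd_config keyword: sshd uses the first occurrence,
# so we do too; $3 is the default when the keyword is absent.
# Only the first word of the value is returned (enough for yes/no checks).
sshd_option() {
    _val=$(printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)==tolower(k) { print $2; exit }')
    printf '%s' "${_val:-$3}"
}

# Return 0 when the config keeps no-shell accounts off sshd, 1 when it does not.
audit_sshd() {
    _cfg=$1; _pw=$2; _rc=0
    for u in $(nologin_users "$_pw"); do
        if [ -z "$(sshd_option "$_cfg" AllowGroups '')" ] && [ -z "$(sshd_option "$_cfg" AllowUsers '')" ]; then
            echo "FINDING: $u has no shell, but no AllowGroups/AllowUsers keeps it off sshd"
            _rc=1
        fi
    done
    if [ "$(sshd_option "$_cfg" AllowTcpForwarding yes)" != "no" ]; then
        echo "FINDING: AllowTcpForwarding is on; ssh -N with -L/-R/-D works without a shell"
        _rc=1
    fi
    return $_rc
}

# Run against both constructed configs; the weak one fails, the hardened one passes.
audit_sshd "$WEAK_SSHD_CONFIG" "$SAMPLE_PASSWD" || echo "weak config: NOT OK"
audit_sshd "$HARDENED_SSHD_CONFIG" "$SAMPLE_PASSWD" && echo "hardened config: OK"
```

On a real host point the two functions at /etc/passwd and /etc/ssh/sshd_config (or at the output of `sshd -T`, which prints the effective value of every keyword and saves the parsing). If a subset of users genuinely needs forwarding, keep `AllowTcpForwarding no` globally and re-enable it for one group in a `Match Group` block rather than for everyone.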
Interesting, I never really considered the implications of ssh + /bin/false.
Creepy users are generally a product of the concept of 'daemons', e.g. system-level workings that do not require root (so they do not get it). The numbers are basically arbitrary up until a particular group or user id is granted read/write access to otherwise privileged areas of the file system or memory. Those users exist for specific purposes relating to sundry functionality under the hood.
To my knowledge, none have passwords however, and without a password one cannot log in to them without first being root basically.
If you dump the password database and discover that some *do* have passwords, then things might get interesting, because it would not be unreasonable to assume that the password is static across multiple systems... Unlikely tho.
To my knowledge, none have passwords however, and without a password one cannot log in to them without first being root basically.
But they could get a /bin/false deny right?
Quote:
If you dump the password database and discover that some *do* have passwords, then things might get interesting, because it would not be unreasonable to assume that the password is static across multiple systems... Unlikely tho.
Dump is slang for viewing it... It should just be a human readable file. Unless your version of unix is that different.
You'll see hashed passwords for accounts like root and your personal account. The other accounts should not have the hashes.
Back 20+ years ago, I was able to get on the internet in high school... (before the web) because they didn't have shadow passwords and the passwords were exceptionally weak. A FOAF had a job at the University of Texas and thus got a copy of the password file. Run a cracker on it and there ya go.. a dot matrix print out of cracked passwords. I wish I'd taken advantage of the internet ... was soooo easy to make money.. but nah, I figured I'd always be able to find a way to make easy money... wrong
There would be no disclosure; any attempt at ssh'ing in would simply prompt them for a password then tell them password incorrect. Doesn't matter what shell the account has, none of that is even looked at by sshd until a password validation takes place. The results would be the same if the account did not exist. There are no 'blank' passwords generally, there are null passwords which mean no salted password can yield a positive authentication result.
I used to know how to dump the /etc/master.password file... let me ruminate a few.
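The posts above make a point the shell field cannot make for you: what decides whether a system account can authenticate is its password field in the shadow database, not /bin/false. As an added example (not from any poster in this thread), the POSIX sh below classifies each shadow entry as locked (field starts with "!" or "*", so no password can ever match), empty (no password at all), or hashed (a usable credential). The shadow lines are constructed, with placeholder hash strings, and the account name "legacy-svc" is hypothetical.

```shell
#!/bin/sh
# Classify accounts by the state of their password field in /etc/shadow.
# Sample shadow lines are constructed; the "$6$..." hashes are placeholders.

SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERHASHNOTREAL:19000:0:99999:7:::
alice:$6$othersalt$ANOTHERPLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:!:19000:0:99999:7:::
legacy-svc::19000:0:99999:7:::'

# Print "user status" per entry, where status is locked | empty | hashed.
shadow_status() {
    printf '%s\n' "$1" | awk -F: '{
        h = $2
        if (h == "")            s = "empty"    # no password: anything authenticates locally
        else if (h ~ /^[!*]/)   s = "locked"   # "!" or "*" can never match a typed password
        else                    s = "hashed"   # a real credential someone could guess
        print $1, s
    }'
}

# Accounts a password guess could ever succeed against: everything not locked.
authenticatable_accounts() {
    shadow_status "$1" | awk '$2 != "locked" { print $1 }'
}

# Accounts with an empty password field, the state most worth fixing first.
empty_password_accounts() {
    shadow_status "$1" | awk '$2 == "empty" { print $1 }'
}

shadow_status "$SAMPLE_SHADOW"
```

Run `shadow_status "$(cat /etc/shadow)"` as root to see the real picture. Daemon accounts should all come back "locked"; a "hashed" system account is one whose shell setting is irrelevant to sshd, as the 2005 post explains, and an "empty" one is only held back over ssh by the default `PermitEmptyPasswords no`.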
My guess is that Apple licensed certain libraries from Adobe for their own image processing applications.
Apple and Adobe have an extremely symbiotic relationship going way back. This would not surprise me at all.
You didn't find the script archiving all the logs, then deleting them all, before fixing up all the permissions to present me with a new OS (sans any installer logs, funnily enough) a little suspicious?
Quote:
Originally Posted by sonatine
Chances are the only user allowed to access the lookupd data is delegated read-only access to certain areas of it.
Tricky little cunts.
Yes, as root every kerberos-related function is pretty much read-only for root. The functions or the connections, the nodes on my machine are read-only for chrissake. When I got tilted at Apple Thai guys for lying to me about the Server processes, I posted about it on Apple Community Forum.
Quote:
Date: Sun, 20 Nov 2011 06:06:06 -0800 (PST)
Message-id: <1662702565.1321797966375.JavaMail.snrmailp@lasham.corp.apple.com>
From: communityhosts@apple.com
To: jonny.vincent@gmail.com
Subject: Apple Support Communities - Post Removed by Host
Dear John (goscuter1),
Apple removed your post titled "OS Lion client forced as a server > hidden OpenDirectory / Samba nodes. criminals." because it contained the following:
Discussion of Apple Policies, Procedures or Decisions
That's not allowed.
But then, if you read their Terms (and I did), you'd see a Term right at the end that will make you laugh.
It should, it's the term that just slapped you in the face by making every other term redundant. If they'd placed it first, the T&C need only be a couple lines long. Apple reserves the right to do anything they want for any reason.
If you don't like the Terms, don't post.
Quote:
Originally Posted by nextlevelshit
And all it is doing is running chmod on an existing directly making it writeable to everyone.
Is that...all(?)...it's doing? Don't you want those log files?
Quote:
Scooter, the reason you have all those users is to partition the processes from each other. It is a way to sandbox them.
What did the tech expert from MIT say...that line he used, a few times...oh yeah. BIN/FALSE is NOT secure. He outlined why in fairly easy-to-appreciate terms. I don't need those users sandboxed. I need most of them like I need a good anal-fisting but that is neither here nor there.
What is here and there, is that - how do I phrase this...?
IT'S NOT WORKING.
Yeah that pretty much covers it.
Quote:
The other alternative would be to let them share one user-id and that means all these programs would be able to run roughshod over the files of other processes.
Oh I'm sure there are solutions. But if I have to find them myself, I'd just as soon...not bother. When a guy explains in 2005 why /bin/false isn't secure but Apple just says "meh" in 2012, I think it's safe to say it's for Apple's imagined 'advantage' / 'purpose' / 'use'. Or perhaps they're being dictated to. Every 'power' believed to be powerful usually is.
Quote:
If you want to be paranoid though, look and make sure they don't have shells/passwords associated with them like sonatine suggested.
Paranoid rofl. You think I'm interested in this? No I used computers for a decade where I learned how to use Microsoft Excel, Word, Gmail and...albeit very painfully...learned how to paste pictures and links inside posts on forums. That's pretty much it. You think I'm into computers?
Hah. This is for fun that we're talking buffer overflows and memory exploits and unpatched holes in the most patchy OSs in the universe and/or imaginable (why, you could even imagine this was intentionally so, if you were 'paranoid').
But no. As much interest as I have in this futility, I am motivated by _not_ continuing to buy brand new systems that crash within a day or a week or even - ROFL - before an OS has ever come near the machine. BIOS ERROR. CHECKSUM ERROR. BIOS CORRUPT.
"INTEL, what gives?"
"Just delete the logs."
You understand?
I did.
Well I rarely have PCs that crash or are not usable when new. Why do you think reading obscure log files is going to prevent your machines from crashing in the future? Or that you'd be able to fix things? I remember that crazy story you wrote about the guys trying to get your keyboard.
You are 2 things. #1) On the far edge of the computer luck curve and are just running super bad with your purchases. or #2) You're paranoid/insane.
Ok, a third is plausible. #3) You are deep deep into some shit of national security type importance and people are genuinely out to get you... but if so wouldn't they just kill you? Not sure how a poker player self-proclaimed computer noob would come to this.
I guess there is #4 and that is you use your computer like a monkey and somehow manage to fuck it up by poking around all over the place and breaking things.
I find it fascinating that you pick apart these logs and post them from all over the place. I don't know if this is some sort of weird reality fiction you are trying to create or if you want sincere help. I'm motivated by boredom, not to show off my skills. Sonatine is far better at most of this stuff, but that doesn't prevent me from feeling compelled to discuss it. My advice may be wrong in some places, but when it is, it will be wrong as in unworkable.
I reread this. He says /bin/false is not security only in the context of networks using some sort of ip based authentication. He doesn't suggest it would actually lead to compromising the machine it is on. So /bin/false is security contrary to what he says until he gives a reason why not... unless you have multiple machines relying on IP based security ... AND someone has a password on the machine with the /bin/false shells.
Scooter, what variables do you think are different that cause you to seemingly get fucked up the ass by every computing device you've bought in the past year or whatever?
It sucks because my desktop is the right intel processor supposedly to work with this bootleg hackintosh shit.. but the hacked macos images are ALWAYS corrupted.. I can't afford to buy a 2nd intel machine hoping it'd work.. might as well just buy an old mac..
As someone who has attempted to load a Hackintosh image on something like 100 locations on half a dozen unique INTEL machines, my personal suspicions are that the various Hackintosh groups - for all their rhetoric about legality - are way more 'legal' than they'd be happy with you believing. I think they're connected to Apple.
And I think their images are all incredibly dubious but I forget the extensive logical reasons I had to be suspicious to the point of near-certainty. Oh that's right I remember one of the reasons.
They feign retardation when you ask why, if the images are so modded, did they need to take the insane "Company Line" with Lion and language packs (now 'fixed' in ML, but then it's no longer 'necessary' now is it?)
They just ignore the question and / or deleted all of my threads I started asking about this seemingly benign (but then only if they had an answer) issue.
The reason is because they're Apple's bitches.
The reason for the language packs is because Apple is Power's bitch.
Why would Power have a reason to want Apple and Microsoft (look in your Win7 MSR or EFI partitions for the language packs) to cater to the exploitation of imbecilic nationalistic slaves? Honestly I wasn't sure, I just didn't like the fact they were imposing the language packs on me in an insane way (I removed Polish.pkg and everything worked fine until it came time to pick a language and I was told important system files prevented the installation. if they're in Polish, I know what that means. Corruption is what is being mistaken for the smell of fish in Copenhagen).
nb. The Danish all speak English by the way. If they don't speak it to you um...ah...just believe I'm lying. *snicker*
Whatever helps you sleep at night.
I didn't know the deal with the language packs but I knew something was up when I asked and my threads would get deleted. I imagined conspiracies that were so much more and so much less horrifying than the obvious reality. I never got answers, I have to figure everything out for myself in this world of shrewd "no comment" imbeciles.
I figured it out when I saw Catalan had been added. I laughed so hard. If you don't understand how that's the clue to everything, Google and fucking learn for a god damn change. Read three paragraphs on Catalan and if you still cannot 'get' it, just kill yourself. Or don't, what do I care.
I figured it out. The language packs are the same motive that made Power want the Bible translated into 3400 languages after spending literally millenniums trying frantically to ensure people could not read.
The Bible wasn't written for public consumption. It was written by brilliant and creepy Egyptian priests and their descendants, for their descendants to use as a manual / weapon to wield Total Power over humans by turning them into emotional slaves. Then everyone had to go learn how to read. GG world.
Imagining they were literate when they were too emotionally insane to understand that what was written for imbecilic Egyptian priests by their emotionally degraded fathers, was not their tool to exploit. They weren't the marks until they shocked Power into laughing their corrupted faces silly at their own shrewd failure to understand that what they believed were Secrets to exploit were really just exploiting themselves.
Power is fucking stupid. I'm literally so much brighter but then Power doesn't listen to me. That's a pity for Power because if Power could do logic, they would understand they would get destroyed by my logic. They'd likely just kill me for embarrassing them, or be too shrewd to get 'beaten' by me. They're demented. They don't understand I have no beef with them. They think everything is about winning and losing. So they make everyone lose.
Everything is about winning and losing which is why I want everyone to win. So I can be who I am capable of being in ways I cannot imagine and you're in an identical spot. You just cannot realise it. You think you're the bomb diggity but then do you _really_ believe that? I don't buy it.
When I was asserting my worth to those I didn't believe would be convinced by what wasn't convincing me, it was when I had been reduced to near worthlessness. Not by those who made me feel the way I felt. They were merely trying to make me feel bad. I felt worthless because in no longer valuing my own worth, I valued the opinions of those who will make you feel worthless when you have value. And make you feel valued when you're worthless. If you cannot understand why, I have a car to sell you. Which way are you going to go on asserted valuation? Up or down? Imbeciles.
I'm including myself with that label.
Egyptian priests who imagined they were being impossibly wise passing on such 'wisdom' to their sons (how to exploit women and children and men by tricking the men into exploiting women, tricking the women into exploiting men, tricking everybody into feeling the way they've been ORDERED NOT TO FEEL - DON'T COVET OKAY!? Why? No reason. But children can figure out it's because the JEALOUS LORD feels that way. You understand?), were shown the Truth that could have set them free but they lost their insane minds instead and started taking advantage of what they didn't realise.
They were shown the Truth. They didn't realise it because they were too busy cackling at how their corruptive secrets exploited everyone into thinking they could use the Secrets to exploit and only exploited themselves. Ah...what does logic tell you about the value of the Secrets you've been trying to hide from the world when the world discovers them and face-plants?
No one can do logic in this world except for me and like a tiny handful of gods who are not remotely in my reduced league but then that's because I do not share their optimism in valuing....well, the valueless.
I hope I'm wrong. But when I believe I'm wrong, is when I will attempt to reach the value of le Carre and others who have faith in you that I do not share.
Something so hilarious happened with the Bible, I literally know you're all too fucked up to be salvageable. As confused and corrupted as the Egyptian descendants of insane priests who knew Secrets but they'll never tell yooouuuu....until they told everyone, accidentally; the inhumane humans who read the Bible they weren't supposed to read gave a shock that should have shaken Power sane but didn't.
Their victims fucked up the processing of the corruptive Secrets. Just like Power fucked up the processing of their Secrets they handed down to their beloved sons, with painstaking love and care and certainty that they were geniuses because they made everyone stupid...look, it just makes sense, if you're insane. Inhumane humans fucked up the processing.
The world shrieked with Toddler glee. Such power. It's instantly recognisable. Such ability to control and corrupt. And they shall know the Truth and the Truth shall set them free. This is truth but then if you imagine the Truth to be the secrets that enslaved you, you're not going to be free. You're going to become the shrewd slaves who enslaved everyone imagining that their misery and sociopathic hatred of humans was the reason they wanted to exploit.
It wasn't. Well it was. But they missed the part where they were exploited by loving fathers who Knew Best for their sons. They got it right and missed Stage 1. They forgot they were corrupted first. That screwed up everything.
In the end, they got everything around back to front. Their parents made them want to hate and exploit. It's called emotional degradation. Their believing their fathers were onto something is the reason they hated the robots they had created out of humans by corrupting the biological link between mother and child. So shrewd. So diabolically brilliant. I literally would never have imagined such insanely brilliant insanity.
Neither would an uncorrupted child.
That's why they give it to children to read. But then everyone can read?
Whoops. Here we are. Billions of sociopaths as stupid as the Egyptian priests who imagined their Secrets made them superior. They made them Powerful. If you think that Power = Happiness, you tell me something that Power has never actually tried to assert. If anything they give you the Truth with their misery that you cannot see. If you think that Power makes you happy, you'd be like the heroin junkie that asserts that heroin makes them a better person. Ahh. They're insane or they've never taken heroin. Heroin junkies are junkies in every sense of the world. Humane. Miserable. Not in denial about their powerless victimisation and dependency. They're humane in ways that made me hate myself for shrewdly testing them by leaving things out to 'tempt' them. I watched their agony and they made me despise the person I had become. They were noble. They were decent. Oh they took the shit in the end but their agonising deliberation was insane.
I.e. they were decent. And stupid. If I'm too insane to leave bling out for them to see, they not only have a right to take it, they have a moral responsibility to take what I do not value but which can ease their suffering.
I ran the same trick on respectable members of society in the sense that they would imprison junkies for not being the sociopaths they were. I watched to see if they would do the same. They didn't.
They just took the shit. It was optimal, in a sense. It would have been if it wasn't a test. Sociopaths are insane as batshit. Narcissists are no better, but not dangerous. They don't consider you. Sociopaths do. Their ethos is the same. It amounts to ME ME ME and FUCK YOU.
Why?
Doesn't matter. Just fuck you. They'll figure out a rationalisation later.
Imagining that what they cannot understand and isn't tailored to their (insane) preferences, is incoherent and insane.
If you got this far, bully for you. I'll tailor what is in your interests to know the day I believe it is in my interests to package Truth for you in a way that panders to your imbecilic worthlessness. Looks like that day is not today. Connect the fucking dots on my valuation of your worth.
But then, I get nothing out of your worthless ignorance? A couple million USD, some pretty girls I despised because they were the robots I didn't realise were actually not fooled by me. Only I fooled me. They just needed me to pass the test and I passed it. That test was not to fool them. It was to make the effort at 'disinterest' the most convincing. I only fucking fooled myself imagining I was fooling girls who were quite incapable of imagining a heterosexual male would be disinterested in them. I fucked up logic and ran away in shame at the beast I'd become. Raping women with my mind? I'd become the horrors the CoG dream of being.
The joke was on me. Then it was on the girls who fucked up the processing of my shame. Some fell in love for the first time in their lives. The horror of my 'power' that I imagined I had but didn't want and didn't have, made me the most horrifying person alive. In trying to be cruel to be kind, but unwilling to admit my shame (they wouldn't have believed me anyway, everyone says "It's not you it's me.") I viciously did not give them mixed signals. I was giving myself mixed signals. They were not confused, so they got impossibly confused about my 'value'.
I'm a winner in ways no human (who values insanity) can possibly fathom. My shame is indescribable. I had no reason to be ashamed. But then when girls you love hang because they think you have value when you know you are worthless...my 'power' (which was nothing more than my incapacity to fuck up the processing they fucked up in this world of emotional deceit) terrified me into very nearly swinging as well (but christ I'm a coward, I'd choose a less dramatic way to check out).
This is winning, in reality. This is the dreaming imbeciles imagine I could have a motive to brag about, when I'm so horrified by their incapability to be sane that they would quote (as you did once) poker cred as something that should impress me. I fire back the bitch slap such insanity deserves and Toddlers imagine I'm trying to impress them. You ever see me try to impress you? How insultingly stupid do you have to be to imagine that I am so stupid that I would impress you by lording it over you?
I'm not that stupid.
Why. Is that something you imagine is manipulative? Oh you have no idea about emotional manipulation. I can be manipulative. So manipulative, I fool my own fucking dumb face. Hey, we're alike in that way!
We're fools. We're so stupid, you cannot comprehend it. We're the product of 3500 years of lies intended to make everyone more stupid than us. Connect the dots on our insanity.
3500 years of Truth? You cannot imagine and neither can I, how fucking far into the galaxy we'd be. We'd be gods, or to our minds now, we would be indistinguishable. You understand how sanity works v insanity (which doesn't)?
If you don't, that's my winning argument. That's the evidence. You cannot even see the value in being sane. That's literally a guarantee we will burn. The only thing I'm afraid of is being wrong.
This is a miserable race to propagate. Anyone who is happy is a provable sociopath in this world of suffering and misery where every child is raped, even when we're not - technically - ass-fucked by those who are shrewdly more powerful than children. *teehee*
I'm a winner, I've always been one. Winners are powered by pain and misery. By the desire to impress those who - unless they were 'stupid' - would never admit to being impressed. They're unimpressed because they'll never be impressive. They will be impressed only with those they strive to make unimpressive with their need and their envy and their latent hatred of those who make them look bad but make them feel good. They're confused. They want to suffer. They think being perceived to be superior is how they feel good. Really?
You're superior to leeches, but then that is debatable. Literally they're not as inhumane as humans. That's what we've been reduced to and you think I'm happy about being brighter than those who I blamed for causing me misery when I was too stupid to understand what was causing me misery was this thing called "empathy" and the suffering I inflicted was felt by me. I didn't care about them. I only cared about me. How do you think I did on the Test of Selfish Sanity?
I failed. Because I'm an imbecile. I'm the product of imbeciles who lie to children. So are you. I made easy money and I tell you it's misery. You feel there is something wrong with me, I'm brighter in ways you cannot comprehend but you still think I'm insane and that you would be sane when you don't have the capacity to understand you'll never learn that Truth the hard way because you're not powered by pain.
So you'll never be a winner. You'll just be envious of the 'luck' of winners. Vomit.
I didn't learn Truth until I learned Truth the hard way. That's not the best way to learn; that's the only way you can learn in this world of imbecilic liars who give advice to children to be exploitable.
So we all learn the hard way.
Except for those who already know everything. You're not bright enough to learn the hard way. Keep plugging away there, chump. Keep imagining that those who learned the Hard way, and have literally no motive to lie to you (there's no money in Truth, what am I selling?) are loopy or insane because you're too stupid to understand they destroyed you and bought themselves misery. But you wouldn't. You'd buy yourself happiness. Well you aren't Bob and I doubt even Bob is happy. Anyone who is happy in this world of horror is suspiciously sociopathic.
You know, that cursed "empathy" that gives your happiness away and makes it suspiciously nauseatingly.
You know I'm unhappy. Humans kill children by the billions. How can I be happy knowing this insanity is not only tolerated but envied?
All of this is too hard to read? Yeah, that's why I destroyed you. I don't find reading hard.
Do you? I'd remedy that if I were you.
But then I'm not. I've never been. I've never been good, just confused. I'm not good now, I'm 100x better. I'm Selfish and trending towards Sanity. You could be so good you understand that there is no such thing as good, merely Selfishly noble humane humans.
It's unfortunate that you're not as Selfish as I am. It's unfortunate for you, but it's mostly unfortunate for me. I gain nothing from your misery but pain. I'm a winner in a world where winners are made to suffer by those who simultaneously hate them and envy them because they have the 'capacity' to be powered by pain in ways you will never be sane enough to endure.
Test for sanity:
Would you rather be:
a) the brightest person in the world?
or
b) the dumbest person in the world?
If you chose a, you cannot do logic and you're too stupid to express your opinion on anything because you want everyone to be dumber than you.
If you chose b, you're sane. Whooptie fucking do. Go have a jerk and take a shit and get ready to suffer in a world of imbeciles who smirk at how they're stupidly happy. They're the reasons why everyone (so few, but then they come in waves of babies) suffers. Yeah they're not shrewd. They're the evil that is too insane to be culpable. But then they should not be allowed to breed misery.
Go be sane in this world. Enjoy your suffering. That's your prize for winning in a world of insane shrewd fools who don't want to win.