SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
James Sutherland
jas88 at cam.ac.uk
Thu Feb 10 07:33:09 GMT 2000
On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton wrote:
> On Thu, 10 Feb 2000, James Sutherland wrote:
>
> > On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton wrote:
> >
> > > > > This trick is bad. The SAM daemon should only open its DB at startup and
> > > > > after any event where it must close it for maintenance (say,
> > > > > rewriting). Access to the records in SAM db must be controlled not by
> > > > > the DB's file permissions but by code in the SAM daemon (and ACLs,
> > > > > implicit or explicit, in the SAM DB).
> > > >
> > > > Agreed - if Unix file permissions are used, then either users have full
> > > > access to the entire SAM file, or no access to it at all. Neither is
> > > > really desirable, I suspect? :)
> > >
> > > well, that's microsoft's stupid fault, they shouldn't have allowed
> > > anonymous access to the damn SAM database over DCE/RPC.
> > >
> > > i.e. if you can get the SAM remotely using DCE/RPC, who gives a *monkey's*
> > > if the same info (and only the same info) is available by telnet to a box
> > > and vi some-sam-database-file????
> >
> > One problem: If I can write the password list file (so I can change my
> > password), I can also write to anyone ELSE's password entry. Not to
> > mention read their (plaintext equivalent) password.
>
> yes. that's why i have owner-root, rw-r--r-- permissions on the SAM
> files, and why i want to create a syskey-like algorithm.
i.e. make the data available to any user, albeit obfuscated. Even MS
aren't that bad...
> or create an equivalent of /etc/shadow.
Which is what I was suggesting.
> > I know there are problems (BIG problems) with NT's protection (or lack
> > thereof) of the SAM database, but I didn't think it allowed anonymous
> > users to download the passwords?
>
> you're absolutely correct, they don't.... *giggle*
>
> what makes you think i will, either?
You just stuck the data in a world-readable file. OK, you want to
obfuscate it with some sort of encryption (bang go performance and/or
scalability; security died a few minutes ago) - but you still want the
data publicly available.
> [actually, if you add a BDC to a domain using NT4, you can use rpcclient's
> samsync command to pretend to be that BDC because the trust account
> password is BDCNAMEUNICODELOWERCASE, and grab the entire SAM database
> anonymously. the window of opportunity is between when the BDC is added
> to the domain during the BDC-install stage and when the BDC installation
> is completed and you are presented, for the first time, with the
> ctrl-alt-delete box on the BDC.
>
> so yes, microsoft allows anonymous users to download the passwords, but
> not in the way you perceive or describe.
>
> the word from microsoft is that microsoft does not consider this to be a
> serious security risk, by the way. oh, and they've probably fixed it
> for nt5.]
This is an accidental security hole which they have now fixed - and you
want to copy and expand it!?
James.
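The design the two of them are arguing over (a root-only database opened once at startup, with per-record and per-field access decided by the daemon's code rather than by Unix file permissions) can be sketched in a few dozen lines. This is an added example and is not code from the thread or from Samba; the record layout, the RIDs, the function names and the salted SHA-256 digest are all hypothetical stand-ins (the digest is not the NT hash). It shows the two things file permissions cannot express: a user changing their own password without being able to read or write anyone else's entry, and the daemon refusing to start on the rw-r--r-- file the thread describes.

```python
"""Toy 'SAM daemon': the database file is root-only on disk and opened once at
startup; every lookup and password change goes through code that checks who is
asking. Added example, not Samba code. The record format, RIDs and function
names are hypothetical; derive() is a salted SHA-256 stand-in, not the NT hash."""
import hashlib
import json
import os
import secrets
import stat
import tempfile

ADMIN_RID = 500          # Administrator RID as in NT; any other RID is a plain user
PUBLIC_FIELDS = ("rid", "name", "full_name")


def derive(password: str, salt: bytes) -> bytes:
    """Stand-in for the stored credential; treat it as plaintext-equivalent."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_record(rid: int, name: str, password: str, full_name: str = "") -> dict:
    salt = secrets.token_bytes(16)
    return {"rid": rid, "name": name, "full_name": full_name,
            "salt": salt.hex(), "digest": derive(password, salt).hex()}


def write_db(path: str, records: list) -> None:
    """Create the DB mode 0600: the filesystem grants access to nobody but the
    owner; per-user access is the daemon's job, not the filesystem's."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(records, f)


class SamDaemon:
    def __init__(self, path: str):
        # Opened once at startup; refuse a DB that group or other can read,
        # which is exactly the rw-r--r-- case from the thread.
        mode = os.stat(path).st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} must not be accessible to group/other")
        self.path = path
        with open(path) as f:
            self.records = {r["rid"]: r for r in json.load(f)}

    def _flush(self) -> None:
        write_db(self.path, list(self.records.values()))

    def lookup(self, requester_rid: int, target_rid: int) -> dict:
        """Anyone may read the public fields; nobody, not even the owner, gets
        the digest back. The daemon uses it internally only."""
        rec = self.records[target_rid]
        return {k: rec[k] for k in PUBLIC_FIELDS}

    def verify(self, rid: int, password: str) -> bool:
        rec = self.records[rid]
        return derive(password, bytes.fromhex(rec["salt"])) == bytes.fromhex(rec["digest"])

    def set_password(self, requester_rid: int, target_rid: int, old: str, new: str) -> bool:
        """The owner must prove the old password; Administrator may reset anyone;
        everyone else is refused before the record is touched."""
        if requester_rid == target_rid:
            if not self.verify(target_rid, old):
                return False
        elif requester_rid != ADMIN_RID:
            raise PermissionError("only the owner or Administrator may set this password")
        rec = self.records[target_rid]
        salt = secrets.token_bytes(16)
        rec["salt"] = salt.hex()
        rec["digest"] = derive(new, salt).hex()
        self._flush()
        return True


def demo() -> dict:
    """Constructed scenario: alice changes her own password, bob cannot change
    hers, Administrator resets bob's, and a world-readable copy is refused."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sam.json")
        write_db(path, [make_record(500, "Administrator", "adm-pw"),
                        make_record(1001, "alice", "old-pw", "Alice"),
                        make_record(1002, "bob", "bob-pw", "Bob")])
        d = SamDaemon(path)
        out["alice_self"] = d.set_password(1001, 1001, "old-pw", "new-pw")
        out["alice_wrong_old"] = d.set_password(1001, 1001, "old-pw", "x")
        try:
            d.set_password(1002, 1001, "", "hacked")
            out["bob_on_alice"] = "allowed"
        except PermissionError:
            out["bob_on_alice"] = "denied"
        out["admin_reset"] = d.set_password(500, 1002, "", "reset-pw")
        out["lookup_has_digest"] = "digest" in d.lookup(1002, 1001)
        out["alice_new_ok"] = d.verify(1001, "new-pw")
        os.chmod(path, 0o644)  # the rw-r--r-- layout from the thread
        try:
            SamDaemon(path)
            out["world_readable"] = "accepted"
        except PermissionError:
            out["world_readable"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the refusal in the constructor is the one James makes: once the file is world-readable, any obfuscation layered on top is decoration, because every reader also has whatever the daemon would need to undo it. Keeping the file root-only and putting the policy in code is the /etc/shadow-style split he is suggesting.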