User: Password:
Subscribe / Log in / New account


Shadow hardening

March 21, 2012

This article was contributed by Nathan Willis

The shadow password mechanism was introduced to provide increased security over the early Unix practice of stored salted-and-hashed passwords in /etc/passwd — but that fact by no means makes it perfect. The Openwall security-hardened Linux distribution (better known as Owl) offers its own alternative called tcb, built around per-user directories and Blowfish encryption. Recently developer Paweł Hajdan unveiled a similar project of his own, which utilizes several of tcb's improvements, but supplies them in what Hajdan hopes is an easier-to-manage design.

Originally, /etc/passwd contained a hashed version of each account's password. The file itself was readable by any user, which enabled features like looking up usernames by their UIDs, and other tricks unrelated to the passwords themselves. The trouble was that attackers could calculate hashes offline then compare their results against /etc/passwd looking for matches. Shadow shuts down that attack vector by separating the hashed password information into a separate file that is readable only by trusted processes. In a sense, both tcb and hardened-shadow take that same approach: separating unrelated information further to reduce the potency of attacks.

Taking care of passwords

Openwall's tcb mechanism stores salted-and-hashed passwords in a directory of its own, /etc/tcb/, beneath which there is a separate directory for each user. Each user's directory is owned by that user account, and contains their own private shadow file (e.g., /etc/tcb/linus/shadow) also owned by the user.

Both the per-user directory and its contents are in the auth group with the SGID bit set for the directory, which provides for additional password policy enforcement. Namely, the system can grant a process read-only access to password hashes and the password-changing tools use each user's private directory as scratch space for the temporary and lock files required during the process. Openwall maintains that this set-up eliminates the need for SUID-root binaries altogether.

Apart from the system password-changing utilities, most application programs access shadow password hashes through either Pluggable Authentication Modules (PAM) or the Name Service Switch (NSS) facility. Tcb provides a custom PAM module named pam_tcb and a corresponding NSS module named libnss_tcb that supersede their /etc/shadow-based alternatives, such as the pam_unix module. As a result, migrating from a shadow system to tcb should be completely transparent to other applications. Openwall provides its own patched suite of shadow utilities (including login, useradd, chpasswd, newgrp, and so on) patched to support /etc/shadow in addition to /etc/tcb/*/shadow (configurable via a switch in /etc/login.defs), as well as utilities to convert from shadow to tcb and vice-versa.

But Owl's tcb scheme also involves a change to Glibc, so that the crypt(3) function uses the Blowfish cipher. The existing Glibc crypt() offers MD5, SHA-256, and SHA-512 encryption methods. The tcb version patches in Blowfish support that is "mostly compatible" with OpenBSD's bcrypt. The principle advantage is that Blowfish can be configured to use as many set-up rounds as desired when generating the hash; thus administrators can increase the number of rounds over time to make attacks more and more computationally expensive as processor power increases.


Hajdan calls his package hardened-shadow, which he says is inspired directly by tcb. In a March 14 post to the owl-dev list, Hajdan asks for feedback from people interested in the project as well as help performing a security audit of the code.

Hardened-shadow is a reimplementation of the shadow utilities based on the original upstream sources, but supporting a somewhat tcb-like layout. The system uses /etc/hardened-shadow/, with a separate directory for each user account. But while tcb only stores a single shadow file for each account, hardened-shadow adds two more: a shell file and an aging file. The shell file allows chsh to modify the user account's default shell without having access to the shadow file, and aging holds the password expiration fields, which would eliminate the need for locking if administrators expired passwords before changing them, according to Hajdan.

In addition, hardened-shadow does not require a patched version of Glibc crypt(), and it supports more PAM options than does pam_tcb. Fans of the Blowfish algorithm might balk at the omission of their favorite cipher, but Hajdan has added a PAM parameter to pam_hardened_shadow that allows one to pass the hash algorithm as an argument. In the standard crypt() scheme, the hash algorithm used is designated by a token surrounded by $ characters — MD5 uses $1$, SHA-256 uses $5$, and so on. Hajdan believes making the PAM module indifferent to the hash algorithm makes the code more useful, so that Owl users can take advantage of Blowfish, while others can use their own cipher — and future-proofs it against new exploits that target particular ciphers.

On the down side, Hajdan admits that his code is currently incompatible with SELinux and with NIS. More importantly, of course, it is brand-new and virtually untested, so he advises against deploying it on any production systems.

Openwall's Alexander Peslyak (aka Solar Designer) offered several reasonable suggestions as feedback to Hajdan's list message. Among them were switching to a common open source license in place of Hajdan's current, custom license text, and building hardened-shadow around pam_tcb rather than implementing yet another PAM module with virtually the same goals. Hajdan's reply was that he felt pam_tcb's reliance on a patched Glibc made for too many packages, and that pam_tcb duplicated too many functions already found elsewhere in the tcb library.

Nevertheless, Peslyak said that Openwall would consider migrating to hardened-shadow's version of the shadow utilities (although not the PAM and NSS modules). The reason he gave was that Openwall currently maintains its patch set against a suite of tools that come from a blend of two different sources: the canonical shadow utilities, and a PAM-based implementation called SimplePAMApps. SimplePAMApps, however, is no longer being actively maintained. Owl and a few other distributions curate their own packages of it, but in the long run, synchronizing with an actively developed tool set is probably less work.

The shadowy future

Back in 2010, Hajdan submitted patches to the shadow utilities to enable optional support for tcb, a change that appears to have landed in the 4.1.5 release from February 2012. Nevertheless, tcb is still an essentially Owl-only tool. There does not seem to be much interest in packaging it among the large, "mainstream" distributions; in 2006 the idea was floated on the fedora-devel list where it was met with skepticism.

Some of the criticism from 2006 is questionable (for example, the concern that users could fill up the /etc filesystem by dumping files into their /tcb/ directories — the group permissions should prevent that), but others, such as requiring new methods for auditing password changes, may be more valid. Hardened-shadow does not alleviate all of those concerns, but by virtue of not requiring a patched Glibc, it at least stands a better chance of being packaged by other distributions.

Any hope for widespread deployment, however, will probably still need to address the SELinux incompatibility in the PAM module — and it will certainly need to wait for a proper security audit and more sets of eyes scrutinizing the code. Shadowed passwords were introduced to split up user account information in a manner that made security exploits harder. As both of these projects show, further division holds the possibility of protection against other attacks. Neither tcb nor hardened-shadow is a perfect solution, of course, but the existing shadow system is far from flawless, too, which is part of what makes a fresh re-examination of it such an interesting exercise.

Comments (34 posted)

Brief items

Security quotes of the week

“We wouldn’t share this with Google for even $1 million,” says [Vupen's Chaouki] Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”

Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who ­purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the ­explicit ­intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.

-- Forbes on security research firms selling exploits to governments

The more complicated answer is that many bad things can happen if your RNG breaks down, and some are harder to deal with than others.

In the rest of this post I'm going to talk about this, and give a few potential mitigations. I want to stress that this post is mostly a thought-exercise. Please do not re-engineer OpenSSL around any of the 'advice' I give herein (I'm looking at you, Dan Kaminsky), and if you do follow any of my advice, understand the following:

When it all goes terribly wrong, I'll quietly take down this post and pretend I never wrote it.
-- Matthew Green

[An] otherwise uninteresting article on Internet threats to public infrastructure contains this paragraph:
At a closed-door briefing, the senators were shown how a power company employee could derail the New York City electrical grid by clicking on an e-mail attachment sent by a hacker, and how an attack during a heat wave could have a cascading impact that would lead to deaths and cost the nation billions of dollars.
Why isn't the obvious solution to this to take those critical electrical grid computers off the public Internet?
-- Bruce Schneier

Comments (8 posted)

CyanogenMod to disable root by default

The CyanogenMod project has announced that access to the root account will be disabled by default on CM9 installs. "Shipping root enabled by default to 1,000,000+ devices was a gaping hole. With these changes we believe we have reached a compromise that allows enthusiasts to keep using root if they so desire but also provide a good level of security to the majority of users."

Comments (8 posted)

New vulnerabilities

chromium, v8: multiple vulnerabilities

Package(s):chromium, v8 CVE #(s):CVE-2011-3031 CVE-2011-3032 CVE-2011-3033 CVE-2011-3034 CVE-2011-3035 CVE-2011-3036 CVE-2011-3037 CVE-2011-3038 CVE-2011-3039 CVE-2011-3040 CVE-2011-3041 CVE-2011-3042 CVE-2011-3043 CVE-2011-3044 CVE-2011-3046 CVE-2011-3047
Created:March 16, 2012 Updated:November 7, 2012

From the openSUSE advisory:

Critical CVE-2011-3047: Errant plug-in load and GPU process memory corruption

Critical CVE-2011-3046: UXSS and bad history navigation.

High CVE-2011-3031: Use-after-free in v8 element wrapper.

High CVE-2011-3032: Use-after-free in SVG value handling.

High CVE-2011-3033: Buffer overflow in the Skia drawing library.

High CVE-2011-3034: Use-after-free in SVG document handling.

High CVE-2011-3035: Use-after-free in SVG use handling.

High CVE-2011-3036: Bad cast in line box handling.

High CVE-2011-3037: Bad casts in anonymous block splitting.

High CVE-2011-3038: Use-after-free in multi-column handling.

High CVE-2011-3039: Use-after-free in quote handling.

High CVE-2011-3040: Out-of-bounds read in text handling.

High CVE-2011-3041: Use-after-free in class attribute handling.

High CVE-2011-3042: Use-after-free in table section handling.

High CVE-2011-3043: Use-after-free in flexbox with floats.

High CVE-2011-3044: Use-after-free with SVG animation elements.

Mageia MGASA-2012-0324 webkit 2012-11-06
Ubuntu USN-1524-1 webkit 2012-08-08
Ubuntu USN-1617-1 webkit 2012-10-25
Gentoo 201203-19 chromium 2012-03-25
openSUSE openSUSE-SU-2012:0374-1 chromium, v8 2012-03-16

Comments (none posted)

gif2png: code execution

Package(s):gif2png CVE #(s):CVE-2010-4695
Created:March 16, 2012 Updated:March 21, 2012

From the Gentoo advisory:

The patch for CVE-2009-5018 causes gif2png to truncate GIF pathnames (CVE-2010-4695).

Gentoo 201203-15 gif2png 2012-03-16

Comments (none posted)

gnash: heap-based buffer overflow

Package(s):gnash CVE #(s):CVE-2012-1175
Created:March 20, 2012 Updated:March 27, 2012
Description: From the Debian advisory:

Tielei Wang from Georgia Tech Information Security Center discovered a vulnerability in GNU Gnash which is caused due to an integer overflow error and can be exploited to cause a heap-based buffer overflow by tricking a user into opening a specially crafted SWF file.

Gentoo 201207-08 gnash 2012-07-09
openSUSE openSUSE-SU-2012:0415-1 gnash 2012-03-27
Fedora FEDORA-2012-4032 gnash 2012-03-26
Fedora FEDORA-2012-4070 gnash 2012-03-26
Debian DSA-2435-1 gnash 2012-03-20

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2012-1146 CVE-2012-1179
Created:March 19, 2012 Updated:June 1, 2012
Description: From the Red Hat bugzilla [1], [2]:

1) There is an issue when memcg unregisters events that were attached to the same eventfd:

- On the first call mem_cgroup_usage_unregister_event() removes all events attached to a given eventfd, and if there were no events left, thresholds->primary would become NULL;

- Since there were several events registered, cgroups core will call mem_cgroup_usage_unregister_event() again, but now kernel will oops, as the function doesn't expect that threshold->primary may be NULL.

2) In some cases it may happen that pmd_none_or_clear_bad() is called with the mmap_sem hold in read mode. In those cases the huge page faults can allocate hugepmds under pmd_none_or_clear_bad() and that can trigger a false positive from pmd_bad() that will not like to see a pmd materializing as trans huge.

A privileged user in the KVM guest can use this flaw to crash the host. An unprivileged local user could use this flaw to crash the system.

Oracle ELSA-2013-1645 kernel 2013-11-26
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
openSUSE openSUSE-SU-2012:1439-1 kernel 2012-11-05
Oracle ELSA-2012-0862 kernel 2012-07-02
Oracle ELSA-2012-2022 kernel 2012-07-02
Oracle ELSA-2012-2022 kernel 2012-07-02
openSUSE openSUSE-SU-2012:0799-1 kernel 2012-06-28
Red Hat RHSA-2012:1042-01 kernel 2012-06-26
Oracle ELSA-2012-2021 kernel 2012-06-23
Oracle ELSA-2012-2021 kernel 2012-06-23
Oracle ELSA-2012-0743 kernel 2012-06-21
Oracle ELSA-2012-2020 kernel 2012-06-21
Ubuntu USN-1458-1 linux-ti-omap4 2012-05-31
Ubuntu USN-1440-1 linux-lts-backport-natty 2012-05-08
Ubuntu USN-1433-1 linux-lts-backport-oneiric 2012-04-30
Ubuntu USN-1431-1 linux 2012-04-30
SUSE SUSE-SU-2012:0554-2 kernel 2012-04-26
SUSE SUSE-SU-2012:0554-1 Linux kernel 2012-04-23
openSUSE openSUSE-SU-2012:0540-1 kernel 2012-04-20
Ubuntu USN-1422-1 linux 2012-04-12
Ubuntu USN-1421-1 linux-lts-backport-maverick 2012-04-12
Fedora FEDORA-2012-3715 kernel 2012-03-26
Ubuntu USN-1405-1 linux 2012-03-27
Ubuntu USN-1406-1 linux 2012-03-27
Ubuntu USN-1407-1 linux 2012-03-27
Fedora FEDORA-2012-3712 kernel 2012-03-17
Scientific Linux SL-kern-20120619 kernel 2012-06-19
CentOS CESA-2012:0743 kernel 2012-06-19
Red Hat RHSA-2012:0743-01 kernel 2012-06-18

Comments (none posted)

libapache2-mod-fcgid: excessive resource consumption

Package(s):libapache2-mod-fcgid CVE #(s):CVE-2012-1181
Created:March 20, 2012 Updated:March 21, 2012
Description: From the Debian advisory:

It was discovered that the Apache FCGID module, a FastCGI implementation, did not properly enforce the FcgidMaxProcessesPerClass resource limit, rendering this control ineffective and potentially allowing a virtual host to consume excessive resources.

Gentoo 201207-09 mod_fcgid 2012-07-09
Debian DSA-2436-1 libapache2-mod-fcgid 2012-03-19

Comments (none posted)

libpng10: code execution

Package(s):libpng10 CVE #(s):CVE-2011-3045
Created:March 19, 2012 Updated:April 2, 2012
Description: From the Red Hat bugzilla:

A type conversion flaw leading to an out-of-bounds heap buffer read was found in the way libpng, a library of functions for manipulation PNG image format files, performed expansion of certain iCCP, iTXt, and zTXt PNG image file chunks.

A remote attacker could provide a specially-crafted Portable Network Graphics (PNG) image file, which once opened in an application, linked against libpng, could lead to denial of service or in some cases, execution of arbitrary code with permission of the user running such an application.

Slackware SSA:2012-206-01 libpng 2012-07-24
Gentoo 201206-15 libpng 2012-06-22
openSUSE openSUSE-SU-2012:0466-1 chromium 2012-04-04
Fedora FEDORA-2012-3705 libpng 2012-03-31
openSUSE openSUSE-SU-2012:0432-1 libpng12, libpng14 2012-03-30
Fedora FEDORA-2012-3739 libpng 2012-03-24
Debian DSA-2439-1 libpng 2012-03-22
Scientific Linux SL-libp-20120321 libpng 2012-03-21
Ubuntu USN-1402-1 libpng 2012-03-22
Oracle ELSA-2012-0407 libpng 2012-03-20
Oracle ELSA-2012-0407 libpng 2012-03-20
Mandriva MDVSA-2012:033 libpng 2012-03-21
CentOS CESA-2012:0407 libpng 2012-03-21
CentOS CESA-2012:0407 libpng 2012-03-20
Red Hat RHSA-2012:0407-01 libpng 2012-03-20
Fedora FEDORA-2012-3536 libpng10 2012-03-19
Fedora FEDORA-2012-3545 libpng10 2012-03-19

Comments (none posted)

minitube: insecure tmp file handling

Package(s):minitube CVE #(s):
Created:March 16, 2012 Updated:March 21, 2012

From the Gentoo advisory:

Tomáš Pružina reported that Minitube does not handle temporary files securely.

A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.

Gentoo 201203-18 minitube 2012-03-16

Comments (none posted)

nginx: information disclosure

Package(s):nginx CVE #(s):CVE-2012-1180
Created:March 20, 2012 Updated:April 5, 2012
Description: From the Debian advisory:

Matthew Daley discovered a memory disclosure vulnerability in nginx. In previous versions of this web server, an attacker can receive the content of previously freed memory if an upstream server returned a specially crafted HTTP response, potentially exposing sensitive information.

openSUSE openSUSE-SU-2012:0469-1 nginx-1.0 2012-04-05
Fedora FEDORA-2012-4006 nginx 2012-03-31
Fedora FEDORA-2012-3991 nginx 2012-03-31
Mandriva MDVSA-2012:043 nginx 2012-03-29
Gentoo 201203-22 nginx 2012-03-28
Debian DSA-2434-1 nginx 2012-03-19

Comments (none posted)

openswan: denial of service

Package(s):openswan CVE #(s):CVE-2011-2147
Created:March 16, 2012 Updated:March 21, 2012

From the Gentoo advisory:

Improper permissions are used on /var/run/ and /var/lock/subsys/ipsec (CVE-2011-2147).

Gentoo 201203-13 openswan 2012-03-16

Comments (none posted)

pidgin: two denial of service vulnerabilities

Package(s):pidgin CVE #(s):CVE-2011-4939 CVE-2012-1178
Created:March 16, 2012 Updated:March 26, 2012

From the Mandriva advisory:

The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin before 2.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by changing a nickname while in an XMPP chat room (CVE-2011-4939).

The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding (CVE-2012-1178).

Ubuntu USN-1500-1 pidgin 2012-07-09
Fedora FEDORA-2012-4595 pidgin 2012-03-24
Mandriva MDVSA-2012:029 pidgin 2012-03-16

Comments (none posted)

pyfribidi: code execution

Package(s):pyfribidi CVE #(s):CVE-2012-1176
Created:March 21, 2012 Updated:March 21, 2012
Description: Pyfribidi suffers from a buffer overflow exploitable via a four-byte Unicode character.
Fedora FEDORA-2012-3537 pyfribidi 2012-03-21
Fedora FEDORA-2012-3549 pyfribidi 2012-03-21

Comments (none posted)

python-mwlib: denial of service

Package(s):python-mwlib CVE #(s):
Created:March 19, 2012 Updated:March 21, 2012
Description: From the Fedora advisory:

It was reported that mwlib suffered from a flaw that could allow a remote attacker to perform a denial of service attack on a mwlib installation by forcing it to parse a specially-crafted #iferror magic function. This issue has been resolved in version 0.13.5.

Fedora FEDORA-2012-2994 python-mwlib 2012-03-17

Comments (none posted)

rubygem-actionpack: arbitrary HTML or webscript execution

Package(s):rubygem-actionpack CVE #(s):CVE-2012-1098 CVE-2012-1099
Created:March 19, 2012 Updated:May 9, 2012
Description: From the Red Hat bugzilla [1], [2]:

1) A cross-site scripting (XSS) flaw was found in the way the String class, used in Ruby on Rails, performed HTML escaping of SafeBuffer objects, when such objects were manipulated directly via '[]' method or other methods, also returning new instances of SafeBuffer object. By using these methods, such newly returned SafeBuffer instances would be inadvertently marked as HTML safe. If a Ruby on Rails application used SafeBuffer objects this way, a remote attacker could provide a specially-crafted input, which once processed by such SafeBuffer instance would pass the HTML escaping test without further filtering, possibly leading to arbitrary HTML or webscript execution.

2) A cross-site scripting (XSS) flaw was found in the way 'select' helper method of the Ruby on Rails performed HTML escaping of 'select' HTML tag options, when the tags were created manually. In this case, the select tag values might end up unescaped. A remote-attacker could provide a specially-crafted input to Ruby on Rails application, using select tags this way, which potentially resulted into arbitrary HTML or webscript execution.

Debian DSA-2466-1 rails 2012-05-09
Fedora FEDORA-2012-3321 rubygem-activesupport 2012-03-17
Fedora FEDORA-2012-3355 rubygem-actionpack 2012-03-17
Fedora FEDORA-2012-3321 rubygem-actionpack 2012-03-17

Comments (none posted)

systemd: removal of arbitrary system files

Package(s):systemd CVE #(s):CVE-2012-1174
Created:March 19, 2012 Updated:March 26, 2012
Description: From the Mandriva advisory:

A TOCTOU race condition was found in the way the systemd-logind login manager performed removal of particular records related with user session upon user logout. A local attacker could use this flaw to conduct symbolic link attacks, potentially leading to removal of arbitrary system files.

Fedora FEDORA-2012-4024 systemd 2012-03-26
Fedora FEDORA-2012-4018 systemd 2012-03-26
openSUSE openSUSE-SU-2012:0383-1 systemd 2012-03-19
Mandriva MDVSA-2012:030 systemd 2012-03-16

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds