
I've been challenged with auditing a system's security in a scenario and given various areas we have to audit. Most of them were easy to understand and to provide vulnerabilities for, as well as to mitigate. However, one of them is usernames, on which I have no clue whatsoever. I was guided and told to use `sudo su` and `less /etc/passwd` to see a list of usernames, easy enough.

The only potential vulnerability is that you can't crack/use a password to gain access to an account if you don't have a username, so what could anyone do to mitigate that? It's had me stumped for weeks.

  • Flagged as a duplicate of one question, but there are more: http://security.stackexchange.com/search?q=is%3Aq+user+name –  Mar 22 '16 at 20:12
  • When you looked at the passwd file (which you should be able to see as a normal user, too; not to mention that if you can `sudo su` you already have full control over the system): could you see the password hashes? Keeping them in `/etc/passwd` instead of `/etc/shadow` could be considered a vulnerability. –  Mar 22 '16 at 20:19
  • @drewbenn Ah interesting: `-rw-r--r--. /etc/passwd`, `---------. /etc/shadow`. So any user of the system can see `/etc/passwd` and get the list of users and their details, but even the password _hashes_ are only readable by root. In that case, an upvote for Phil Lello's answer for using an off-board authentication server so that there's nothing to see in `/etc/passwd`. – Mike Ounsworth Mar 22 '16 at 20:46
  • Not just `passwd`, though: you can probably infer usernames from `/etc/group`, you can see logged-in users through [/var/run/utmp](https://www.freebsd.org/cgi/man.cgi?query=utmp&manpath=SuSE+Linux/i386+11.3) and utilities that use it (who, finger, pinky, etc.), you *may* be able to infer some usernames from `/proc` entries. Usernames probably get leaked in plenty of other places, too: on UNIX systems there is generally the assumption that, if you already have an account, you can see who else has an account. It's *doable* but there's a lot of work and you have to dot all your `i`s. –  Mar 22 '16 at 21:05
  • Arguably not a dupe of the linked question, since it's valid to provide a Linux example of how to avoid /etc/passwd here, but would narrow the scope on the linked question. – Phil Lello Mar 23 '16 at 15:33

3 Answers

You could mitigate this by using an external server (perhaps LDAP, Samba, NIS, ..) for user authentication, and either using a network filesystem (NFS, Samba, ..) for home directories, and/or making those based on UID rather than username.

If you decide to implement this, double-check the network authentication doesn't stuff entries into the password file - IIRC, some systems do this.

Although usernames aren't often seen as a risk, it's 50% of the information needed in a user+password/key authentication mechanism - and it's why a well behaved login mechanism will say 'bad username or password' and not 'bad password'.

Another consideration is that in some circumstances, a username maps easily to an email address, so can be used by an attacker to harvest useful data.

A more paranoid consideration is that on a multi-user solution, an authorised user who wants to hack would probably want to work under someone else's login.

Phil Lello
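A small audit script in the spirit of this answer and the permission discussion in the comments (an added example, not the answer's own code). It lists the human accounts still present in a passwd-format file, which on a directory-backed host should be empty or hold only a local break-glass account, and checks that the hash file is not readable by "other". The UID threshold of 1000 and the GNU `stat -c` syntax in `main` are assumptions for a typical Linux distribution.

```sh
#!/bin/sh
# Added example, not from the original answer. Audits what a local account
# listing still exposes once authentication has been moved to a directory
# server: (1) human accounts left in the local passwd-format file, which per
# the answer should live on the server, and (2) whether the password-hash
# file is readable by anyone but root. The UID threshold (1000) and the GNU
# `stat -c` syntax in main() are assumptions; adjust for your distribution.

# list_local_users FILE MIN_UID
# Print one username per line for entries of FILE (passwd(5) layout) whose
# UID is >= MIN_UID and whose shell is not nologin/false.
list_local_users() {
    awk -F: -v min="$2" '$3 >= min && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# count_local_users FILE MIN_UID
# Number of accounts list_local_users would print; on a directory-backed host
# this should be 0 (or only a local break-glass account).
count_local_users() {
    list_local_users "$1" "$2" | wc -l | tr -d ' '
}

# shadow_mode_ok MODE
# MODE is an octal permission string such as 640, 0640 or 0. Succeeds when
# the "other" digit is 0, i.e. unprivileged users cannot read the hashes
# (the `---------.` case from the comments passes; 644 fails).
shadow_mode_ok() {
    other=$(printf '%s' "$1" | tail -c 1)
    [ "$other" -eq 0 ]
}

main() {
    min_uid=1000
    echo "Human accounts still in /etc/passwd (UID >= $min_uid):"
    list_local_users /etc/passwd "$min_uid"
    echo "Accounts visible through NSS (local file plus directory):"
    getent passwd | awk -F: -v min="$min_uid" '$3 >= min { print $1 }'
    mode=$(stat -c '%a' /etc/shadow 2>/dev/null || echo unknown)
    if shadow_mode_ok "$mode"; then
        echo "/etc/shadow mode $mode: not readable by other users"
    else
        echo "/etc/shadow mode $mode: CHECK permissions"
    fi
}

# Run the live audit only when invoked with --audit, so the functions can be
# sourced and exercised on constructed files without touching the real host.
if [ "${1:-}" = "--audit" ]; then
    main
fi
```

Comparing the local file against `getent passwd` shows the difference between what the directory serves and what was "stuffed" into the local file, which is the check the answer recommends.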

In general I agree that a username is not considered sensitive information, but I have heard of scenarios in which you don't want to go around advertising your user list.

Consider a *nix server that accepts SSH connections. A good SSH implementation will not tell you whether your login failed because of the username or the password. Without a list of usernames, an attacker has to guess both username and password. Granted, these are not the holy-grail root user, but you never know, one of them might be in sudoers. Also granted, a clever attacker probably has other ways of sniffing usernames, but it's a thought...

Mike Ounsworth
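The point about SSH can be checked from the server side: sshd itself records whether a failed login used a username the host knows. The script below (an added example, not part of this answer) triages such log lines to show whether a brute-force source is still guessing names or already holds a list of valid accounts. The log lines are constructed for the example; the "Failed password for [invalid user] NAME from IP" wording is OpenSSH's own.

```sh
#!/bin/sh
# Added example, not from the original answer. Triages sshd authentication
# failures to tell whether a brute-force source is still guessing usernames
# ("invalid user": the host does not know the name) or is already working
# from a list of valid accounts, the situation this answer warns about.
# The lines written by write_sample_log are constructed for the example.

# write_sample_log FILE: constructed sshd log lines (documentation-range IPs).
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 22 20:12:01 host sshd[4242]: Invalid user admin from 203.0.113.5 port 50112
Mar 22 20:12:03 host sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Mar 22 20:12:07 host sshd[4243]: Failed password for invalid user test from 203.0.113.5 port 50113 ssh2
Mar 22 20:12:09 host sshd[4244]: Failed password for alice from 198.51.100.7 port 50211 ssh2
Mar 22 20:12:11 host sshd[4245]: Failed password for alice from 198.51.100.7 port 50212 ssh2
Mar 22 20:12:15 host sshd[4246]: Accepted publickey for alice from 198.51.100.7 port 50213 ssh2
EOF
}

# count_failures FILE KIND
# KIND=invalid counts failures for usernames the host does not have;
# KIND=valid counts failures for usernames that do exist.
count_failures() {
    case "$2" in
        invalid) pattern='Failed password for invalid user ' ;;
        valid)   pattern='Failed password for [^ ]* from ' ;;
        *) echo "usage: count_failures FILE invalid|valid" >&2; return 2 ;;
    esac
    grep -c "$pattern" "$1" || true   # grep -c exits 1 on zero matches
}

# failures_by_source FILE
# One line per source address: "IP invalid=N valid=M", sorted by IP. A source
# with valid=M>0 already knows real usernames and deserves attention first.
failures_by_source() {
    awk '
        /Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            seen[ip] = 1
            if ($0 ~ /for invalid user/) inv[ip]++; else val[ip]++
        }
        END {
            for (ip in seen)
                printf "%s invalid=%d valid=%d\n", ip, inv[ip] + 0, val[ip] + 0
        }
    ' "$1" | sort
}

# Stand-alone run on the constructed log:
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp)
    write_sample_log "$log"
    echo "invalid-user failures: $(count_failures "$log" invalid)"
    echo "valid-user failures:   $(count_failures "$log" valid)"
    failures_by_source "$log"
    rm -f "$log"
fi
```

Note that the "invalid user" distinction exists only in the server's log; the client sees the same generic failure either way, which is exactly the behaviour the answer calls a good SSH implementation.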

You answered the question yourself: seeing the user names is not a vulnerability. Even so, normally an attacker or insider would only be interested in one account, and that is root. You could restrict the possibilities to display other users on the system, but it's the root user you cannot hide, and which is the only relevant one.

AdHominem
  • Usernames are sensitive. If you disagree, please add a comment with your internet banking username and login url. – Phil Lello Mar 22 '16 at 20:25
  • It's more that enumerating usernames is trivial if you are a user of a Linux system. Bank accounts are stored in databases which are much harder to enumerate. – AdHominem Mar 22 '16 at 20:30
  • It depends on how NSS is configured, and which backend you're using for usernames. See http://linux.die.net/man/5/nsswitch.conf – Phil Lello Mar 22 '16 at 20:35