-4

I have created this script and it runs great, but important questions remain.
Is this script useful and secure? Does it have any possible problem or weakness?

root@010010:/# ls -la /root/screenshot0004.jpg 
-r-x------ 1 root root 494 Aug 14 14:08 /root/screenshot0004.jpg

root@010010:/# cat /root/screenshot0004.jpg
#! /bin/bash
# script runs via cron every 10 minutes
# the "#" stand for any possible letter or number

pw0=$(uname -r)
pw1=$(date +%d%m)
pw2=$(date +%d%m%H%M)
random=$(tr -dc [:digit:] </dev/urandom | head -c2)
random2=$(tr -dc [:alnum:] </dev/urandom | head -c$random)
path="/tmp/.$random2"
echo "user:*##*$pw1*##*" > $path
echo "root:*######*$pw2*######*" >> $path
chmod 0400 $path
# gpg for backup reason
gpg --yes --batch --symmetric --cipher-algo twofish --digest-algo sha512 --passphrase #$pw0# -o /home/user/project.png $path
chpasswd -c SHA512 -s 1000000 < $path
shred -un2 $path

exit 0
Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
Nick
  • 5
  • 6
    What is it that you are trying to accomplish? – Neil Smithline Aug 14 '15 at 16:40
  • A higher level of security. However, i am unsure if this is a safe option, and wonder if i've missed something, perhaps a weak point. – Nick Aug 14 '15 at 16:54
  • @NeilSmithline: The OP seems to implement a [one-time password](https://en.wikipedia.org/wiki/One-time_password) solution where the changing part of the password is a plain date instead of a secret-key based challenge result. – WhiteWinterWolf Aug 14 '15 at 16:58
  • 4
    What @NeilSmithline is asking is: what does the script do? What is the intended outcome? You've submitted code without any documentation or comments. – schroeder Aug 14 '15 at 17:24
  • Sorry but, for linux users this script is very easy to read, there is no need to comment every codeline. WhiteWinterWolf has succeeded. – Nick Aug 14 '15 at 17:37
  • 6
    @Nick You're asking for weaknesses with your implementation but won't document what your code does for those who aren't familiar with it? Will you accept an answer written in assembly? –  Aug 14 '15 at 17:54
  • 1
    @schroeder By my analysis, the goal of this script is to allow a local user to gain root about twice a day. – Gilles 'SO- stop being evil' Aug 14 '15 at 18:12
  • Kidding? http://security.stackexchange.com is largely a platform for advanced users who may read these lines of code right away. If you need a documentation of these simple lines of code, then you can not answer the question also professionally. The script has less than 15 lines of code that is not a script by hundreds of lines of code that necessarily makes a documentation needed. – Nick Aug 14 '15 at 18:23
  • 6
    Nick, you're asking if it is useful, and you do not indicate what 'use' you have for it. We are professionals and we can read the code just fine, but we can't read your mind. What IMPACT do you want this sequence of commands to have? – schroeder Aug 14 '15 at 18:29
  • 3
    @Nick: People answering your questions here do this for free on their own time. That's why it is warmly welcome to have clear questions clearly stating what you are trying to achieve, what you did try until now and what is your remaining question. Feel free to check the "[How to ask](https://security.stackexchange.com/help/how-to-ask)" section from this website help for more information. – WhiteWinterWolf Aug 15 '15 at 10:32
  • 1
    @Nick I find it funny that a user with 1 reputation is trying to tell our elected moderator what this site is all about. As WhiteWinterWolf suggests, have a look at the Help section for ideas on the kinds of questions that we like to see in this community. Better questions tend to get better answers. – Mike Ounsworth Aug 17 '15 at 01:31

1 Answers1

5

Bugs in your script

If you think this script runs great, you haven't tested it enough.

There is a classic vulnerability in your script: insecure temporary file. You attempted to protect from it, but in an overly complicated way, and you shot yourself in the foot.

random=$(tr -dc [:digit:] </dev/urandom | head -c2)

random is set to two random digits. There's a 1% chance that this returns 01, which causes random2 to be set to a string of length 1. If you run this script every 10 minutes, this happens about once or twice a day. (Actually that's an underestimate: the vulnerability remains practically exploitable if for 02 (~4k files) and perhaps 03 (~240k files).) A local user can create all the files /tmp/.0, /tmp/.1, etc. When the 1% chance hits, your script writes to a file owned by that user then reads back from it. The user can modify the file in the meantime to put their preferred root password. This is a race condition, so an exploit might not be 100% reliable, but it should only take a few days of waiting before it succeeds.

Another vulnerability that doesn't require a race condition on top of the random chance is that the local user could create a symbolic link, allowing them to truncate a file of their choice (your call to shred truncates the file contents, then removes the link).

There's also a 3% chance that random2 will be an empty string: when random is 00. In that case, your script runschmod 0400 /tmp`. That's going to cause a lot of disruption.

Lessons learned

Well, lessons to learn, at any rate.

  • Catch errors. Your script assumes that everything happens correctly and keeps going forward even if it's just banged its head against a wall. Use set -e to abort the script if an error occurs. (It doesn't always suffice in complex scripts, but here it would have been enough.)
  • Use standard tools in preference to home-built solutions. To create a temporary file, use mktemp.
  • Understand why you're doing things. Creating a file in /tmp with a random name protects against insecure temporary files. But making the length of the name random makes no sense. It's a security parameter. Make it constant, or make it vary based on the configuration or the environment if it's a compromise between security and usability or performance; in this case, you could make it large enough at no performance penalty.
  • The best way to protect data is not to expose it. Using a temporary file is not useful here: you could have piped the data to chpasswd. If you pipe the data, it's never in a disk file in the first place, so you don't need to worry about creating the temporary file securely and you don't need to worry about wiping it afterwards.

No security gain

Including the current date in a password is pointless. The point of passwords is to be secret. Everybody knows the date.

Changing a password doesn't make it any harder to crack. The attacker's goal is to find the current password, whichever it is. That the password changed in the past and will change in the future doesn't matter.

If somebody cracks your password at a given time and it no longer works later, they'll see the date and figure out pretty quickly what they need to change.

Instead of adding a public element to your password, make it longer, with a secret, randomly generated element. That'll make it harder to memorize, but you only need to memorize it once, and you don't need to change it. Password changes don't improve security for a shell account, where once the attacker has had access, they can plant a backdoor that doesn't depend on the password. XKCD #936: Short complex password, or long dictionary passphrase? describes a good method to generate a strong yet memorable password.

More lessons

You shouldn't design a security system until you get better at doing security assessments.

  • Trying to improve security by adding a public value to a password.
  • That file name length issue.
  • Calling the script screenshot.jpg may look cute, but it actually has zero security advantage, and the only person it could harm is you, if you accidentally delete that old useless screenshot.
Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
  • Thank you for this explanation which shows me my mistakes. To call the script screenshot.jpg, should serve a form of obfuscation, so seen to camouflage the script unimpressive. An accidental deletion i exclude, because i know my system. Why would the hide without benefits? – Nick Aug 14 '15 at 18:37
  • Thanks for the tips, but i know very well how to create a good password. My encryption password is very complex and 40+ characters long. ;) The script was an attempt perhaps to complicate something, but i see myself that i have not thought a lot. :) – Nick Aug 14 '15 at 19:02
  • 2
    @Nick Security by obfuscation has no benefit. And if you think adding the date makes a password more secure, then sorry, but no, you do not know how to create a good password. – Gilles 'SO- stop being evil' Aug 14 '15 at 20:17
  • No, the problem was not the lack of knowledge about passwords, but the reckless handling of it via script, which is why doubts arose on my part. There was plenty of thoughtless of me, in spite of that i would know better. It was an bad idea. Nevertheless, thanks for the effort. – Nick Aug 14 '15 at 21:09