Author Topic: I think there is a very serious security vulnerability in CWP right now.  (Read 1480 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
I think I found another issue with the security problem:

awk -F: '{print $1 ":" $7}' /etc/passwd

root:/bin/bash
bin:/bin/bash
daemon:/bin/bash
adm:/bin/bash
lp:/bin/bash
sync:/bin/sync
shutdown:/sbin/shutdown
halt:/sbin/halt
mail:/bin/bash
operator:/sbin/nologin
games:/bin/bash
ftp:/bin/bash
nobody:/bin/bash
systemd-network:/bin/bash
dbus:/bin/bash
polkitd:/bin/bash
sshd:/bin/bash
postfix:/bin/bash
chrony:/bin/bash
mysql:/sbin/nologin
saslauth:/bin/bash
dovecot:/bin/bash
dovenull:/bin/bash
tss:/bin/bash
named:/bin/bash
cwpsrv:/bin/bash
cwpsvc:/bin/bash
clamupdate:/bin/bash
amavis:/bin/bash
clamscan:/bin/bash
vmail:/bin/bash
vacation:/bin/bash
opendkim:/bin/bash
rpc:/bin/bash
firebird:/bin/nologin
ldap:/bin/bash
redis:/bin/bash
tcpdump:/bin/bash

I don't know if this was default configuration but it might be the attacker who set all these services to /bin/bash so I did this:

for user in bin daemon adm lp mail games ftp nobody systemd-network dbus polkitd sshd chrony saslauth tss rpc tcpdump; do
    usermod -s /sbin/nologin "$user"
done

Offline
*****
FYI, the named default shell assignment is /bin/false.

All of my users don't have shell access, so they too are /sbin/nologin. root, sync, shutdown, halt, and apache are some of the few that have a valid shell assignment. Even cbpolicyd has the /sbin/nologin shell assignment.