Surprised at being caught!
After a couple of uneventful weeks working from home, I returned to the office today just to get back into the fray. During the morning I was quite surprised to see an alarm generated by a daemon that I had written; this little bit of code was created for one reason and one reason only. It was created after the handover of a server: when I had carried out due diligence on the server I had found two backdoor accounts. Now, just to enhance people’s understanding of backdoor accounts, the two accounts in question were both root accounts and they were both joey accounts – that is, accounts where the user name and password are the same. As any systems administrator will tell you, this is not really what you want to see on one of your servers, particularly when there is dial-in access and, due to the support requirements, this has to stay. It places all sorts of additional constraints on the admins of the system; in fact it’s a downright pain in the ass, because you have to pay more attention to the system than you normally would. However, we had accepted the systems onto the network as we had been told to do by the business, although with certain reservations.
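As an added example, not the author's daemon (whose code is not on the page), here is a small Python sketch of the two checks this story turns on: an audit of a passwd file for UID-0 accounts other than root, and a watcher that raises an alarm whenever a watchlisted account is seen logging in. The passwd entries and auth-log lines are constructed for the example, the account names vendor1 and vendor2 are hypothetical, and the log formats assumed are the common pam_unix "session opened" and sshd "Accepted ..." lines.

```python
import re

# Constructed sample of /etc/passwd from a handed-over server. Besides root it
# carries two extra UID-0 accounts (hypothetical names vendor1 and vendor2).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vendor1:x:0:0:Vendor support:/home/vendor1:/bin/sh
vendor2:x:0:0:Vendor support:/home/vendor2:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed auth-log sample: one console login and one ssh login by the
# backdoor accounts, plus two legitimate logins by alice that must not alarm.
SAMPLE_AUTH_LOG = """Jan 10 09:12:01 box login[2231]: pam_unix(login:session): session opened for user alice by LOGIN(uid=0)
Jan 10 09:40:17 box login[2310]: pam_unix(login:session): session opened for user vendor1 by LOGIN(uid=0)
Jan 10 09:41:02 box sshd[2350]: Accepted password for vendor2 from 10.0.0.7 port 51122 ssh2
Jan 10 10:02:45 box sshd[2401]: Accepted publickey for alice from 10.0.0.9 port 51200 ssh2
"""

# Two login-event shapes; group 1 is the user name in both.
LOGIN_PATTERNS = [
    re.compile(r"session opened for user (\S+)"),
    re.compile(r"Accepted \w+ for (\S+) from \S+"),
]


def extra_uid0_accounts(passwd_text):
    """Return the names of UID-0 accounts other than root, in file order.

    Any such account is effectively a second root login and should be
    treated as a backdoor until someone justifies it.
    """
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:          # malformed entry, skip rather than guess
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            names.append(name)
    return names


def alarms(auth_log_text, watchlist):
    """Scan auth-log lines and return (user, line) for logins by watched accounts.

    This is the alarm-on-use idea: the backdoor accounts are left in place
    because support insists on it, so every use of them is raised instead.
    """
    hits = []
    for line in auth_log_text.splitlines():
        for pat in LOGIN_PATTERNS:
            m = pat.search(line)
            if m and m.group(1) in watchlist:
                hits.append((m.group(1), line))
                break
    return hits


if __name__ == "__main__":
    watch = set(extra_uid0_accounts(SAMPLE_PASSWD))
    print("extra UID-0 accounts:", sorted(watch))
    for user, line in alarms(SAMPLE_AUTH_LOG, watch):
        print(f"ALARM: login by backdoor account {user}: {line}")
```

Confirming that an account is a joey account (password equal to the user name) needs the hash from the shadow file and a crypt(3) comparison, which this example deliberately leaves out; the passwd audit only finds the UID-0 accounts worth checking, and the log watcher is what turns a known-but-tolerated backdoor into a phone call within fifteen minutes.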

The planning for this event had been in place for a long time and I already knew what I had to do – I logged onto the server, kicked the user off and waited for someone to squeal. I didn’t have to wait long; I got a call within 15 minutes saying that the account was locked and that a certain user couldn’t log in to the server. I requested that the user call me so that we could resolve his or her problem. In due course I got the call, and here is how the conversation went.

“Hello, this is Pedro El Chihuahua from The Mexican Hat Dancers Union, we had unrestricted access to your network and now we don’t – can you fix it for us?”

“Of course I can Pedro all you need to do is ask for access, then answer a simple question for me – why do you need root access to one of the servers on my network?”

“I need access because I have to do things, these are things that might be a little tricky to explain in simple terms. These Unix systems can be a little difficult to explain to your average administrator as they are quite complex! From my experience it’s better if you just leave things as we’ve set them up.”

“Well, what a coincidence Pedro, that is exactly what I was thinking. It’s lucky that we are both reading from the same hymn sheet – the one that says give any plonker access to your network and make sure that they can access the root account, as they might need extra privilege to screw the network and systems up.”

“No not at all, all we want to do is run the sum command on a file.”

“Why do you think that you need root to do that?”

“Ahh! That’s what I meant when I said that these systems were a bit tricky, especially for the average administrator. You can’t access the sum command unless you’re root; the system just tells you that the programme is not available. You need to know about Unix to be able to do these things, so if you could just let me back in – I’ll fix your problem.”

“Actually I don’t have a problem Pedro, you do! I’m not going to re-enable these accounts as you don’t need them; you can run the sum command as a regular user. All you have to do is ensure that your PATH is set up correctly, something that any average administrator will tell you. If you can’t find an average administrator, then you can always type /usr/sbin/sum and that works too.”

“Well, there are a couple of other things that we do; we need root to work on the application as we installed it as root and only root can make changes.”

I pointed out that the application and the server would be decommissioned in the very near future, just a matter of a couple of weeks, and that if they needed root access they could contact me. Although I could tell from the response that Pedro wasn’t happy, he accepted that this was the way things would have to be. He could go off and stamp all over his self-awarded sombrero, as any Mexican hat dancer would – after all, it’s just like Morris dancing but less threatening.