A while back someone scarfed our password file, ran a cracker against it,
and compromised several hundred accounts. Before we could get that cleaned up
they managed to hack root access and remove our device files.
So, at that point I went to Sun's idea of C2 security, primarily for the
shadow password feature, only Sun's implementation sucks.
Seems that anybody in the world can, through RPCs, access pwdauthd and use
it to "guess" at accounts. This became apparent when the system slowed to a
crawl and the CPU time pwdauthd used went through the roof. So I blocked that
port in the router.
The person then obtained a legitimate account and proceeded to run a
cracker that called pwdauth locally. They put a small delay between calls so
that it didn't totally max out the CPU. Even so they managed to compromise at
least 30 more accounts and bog the system down so badly that legitimate users couldn't
get on. That individual is tossed off, but who knows how many accounts they
have access to that I don't know about.
What I want to do is create a pwdauthd and pwdauth system call that will
only work if the effective UID is root, otherwise return a no-match condition
even if the password is correct (so they won't know they're talking to a
modified daemon/system call).
I don't know a lot about RPCs so I was hoping not to have to invent this
wheel from scratch, i.e., I was hoping I could find source that I could modify.