Ubuntu – Is it a security risk if the /tmp folder is not owned by root

SSH via a password is less secure than SSH with a DSA/RSA certificate. Create a certificate with a password. Then give the sys admin account a different password.

You will only be able to login via SSH if you have the certificate AND know the password associated with it.

You can then use a different password for running sudo (the user's password).

This gives you a lot more security!

Remember to use pass phrases and not passwords too. The difference being a pass phrase is made up of many words (greater than 20 characters say). The longer the password, the more time it would take to break via dictionary attacks.

To create a certificate:

• type ssh-keygen at a terminal and follow the instructions (giving a unique filename and enter your pass phrase)
• then copy the public key onto the server you are administering using ssh-copy-id -i path/to/your/sshkey.pub
• Now log on to your server and turn off password authentication in /etc/ssh/sshd_config and restart the sshd service

This was a bug in pam_motd that has long since been patched out:

pam_motd (aka the MOTD module) in libpam-modules before 1.1.0-2ubuntu1.1 in PAM on Ubuntu 9.10 and libpam-modules before 1.1.1-2ubuntu5 in PAM on Ubuntu 10.04 LTS allows local users to change the ownership of arbitrary files via a symlink attack on .cache in a user's home directory, related to "user file stamps" and the motd.legal-notice file.

This basically translates to, while logging in with SSH, PAM (the authentication module, running as root) would try to chown $USER: ~/.cache. It didn't look to see what that was so the ownership change was propagating to the linked file.

That allowed you to own and then edit the system files and gain root-level access.

While .cache was symlinked to /etc/{passwd,shadow} they could have echoed into .cache... But why bother? By that point those files had their file ownership changed to $USER. They were freely editable.

Just in answer to your comments:

• It doesn't give you permission, it (or I should say its PAM module) is the thing changing the ownership. But yes, PAM doing what it did was the problem.

• The symlink to ~/.cache is just a redirect for the exploit. Is required so that when you log in PAM (running as root) tries to chown the linked file. That's the exploit there.

• It was an oversight and it was fixed by dropping privileges before entering into any of that code.