Imagine you have a small server application running. You can run it as root, some user with login shell, or some user without login shell.
Your server application gets hit with a buffer overflow attack (for example, it could get hit with any range of other attacks as well). The attack's payload is set to insert an ssh key into $HOME/.ssh/authorized_keys, meaning the attacker can then ssh to the host machine without a password.
As root, the attacker just compromised the entire machine. As a normal user, the attacker can log in, then launch priv. escalation attacks to gain root. As a user w/nologin, the attacker is stuck out in the cold.
Make sense?
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Last edited by rocket357; 30th June 2011 at 03:19 PM.
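As an added illustration of the point made in the post above (not the poster's code), a small Python audit that parses /etc/passwd and reports which service accounts still carry a shell that permits login; the passwd content and the account names are constructed samples.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample of /etc/passwd; not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
www:x:67:67:Web Server:/var/www:/sbin/nologin
appsrv:x:1001:1001:Small server app:/home/appsrv:/bin/sh
backup:x:1002:1002:Backup job:/var/backup:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/ksh
"""

# Shells that refuse an interactive session. An account with one of these
# cannot turn a planted authorized_keys entry into a shell over ssh.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


@dataclass
class Account:
    name: str
    uid: int
    home: str
    shell: str

    @property
    def can_login(self) -> bool:
        # An empty shell field means /bin/sh on most systems, so it counts as a login shell.
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> list[Account]:
    accounts: list[Account] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed entries rather than guess at them
        accounts.append(Account(fields[0], int(fields[2]), fields[5], fields[6]))
    return accounts


def login_capable_service_accounts(text: str, service_accounts: set[str]) -> dict[str, str]:
    """Map each named service account that still has a login shell to that shell."""
    return {a.name: a.shell for a in parse_passwd(text)
            if a.name in service_accounts and a.can_login}


if __name__ == "__main__":
    # "www", "appsrv" and "backup" are the constructed service accounts to check.
    for name, shell in login_capable_service_accounts(SAMPLE_PASSWD, {"www", "appsrv", "backup"}).items():
        print(f"{name}: runs with login shell {shell}; consider a nologin shell for this account")
```

On a real host, feed it the actual /etc/passwd and the names of the accounts your daemons run as; a nologin shell closes the interactive path, so it pairs naturally with restricting who may authenticate at all via sshd's AllowUsers/AllowGroups.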