dla@chemsh.uucp (Doug Acker) (06/27/91)
I was doing some testing with edrgy and found that even in closed systems, it comes with a 755 protection. Which means anyone can run it. Any user can log in, run edrgy, change the root password and be on his merry way. I quickly changed all ours to 700. -- Douglas L. Acker ChemShare Corporation DesignMaster Division dla@chemsh.UUCP 713-267-5602
thompson@PAN.SSEC.HONEYWELL.COM (John Thompson) (06/28/91)
> I was doing some testing with edrgy and found that even in > closed systems, it comes with a 755 protection. Which means > anyone can run it. > > Any user can log in, run edrgy, change the root password and > be on his merry way. I quickly changed all ours to 700. No No No No No No No No No. Any user can log in and run edrgy. That is not the same as saying that anyone can change the registry database. There are four main owners of the registry (although most sites seem to have the same owner for all of them). The owner is a (possibly) wildcarded SID, such as 'root.%.%' or '%.sys_admin.%' or 'thompson.sys_admin.sys_org'. The four ownerships are entire registry 'person' domain 'group' domain 'org' domain The owner of the registry can change the owner of any domain, can run rgy_admin, and can run rgy_merge. The owner of each domain can create entries in his domain, and can assign ownership to that name (for instance, as owner of the 'group' domain, I could create a group 'r_and_d' and assign joe_admin.r_and_d.% as the owner of it. In addition to the four main owners, then, each person, each group, and each org has an owner too. (Again, most sites seem to keep one SID as the owner of everything.) These owners can do things too -- An owner of a org can : Add/Del members (persons that already exist) Change the properties of the org Delete the org An owner of a group can : Add/Del members (persons that already exist) Change the properties of the group Delete the group An owner of a person can : Change the props of the person (full name, etc) Delete the person Add accounts for the person, IF THEY ALSO OWN THE GROUP AND ORG OF THE NEW ACCOUNT, OR IF THE PERSON HAS BEEN MADE A MEMBER OF THE GROUP AND ORG ALREADY (by their owners). So what can joe_user do, if he's not an owner? Well, he can view the registry, but then, joe_unix_user can read /etc/passwd, so there's no added security breach. Incidentally, all this info was found in the "Administering The Domain/OS Registry" manual. Might I suggest you RTFM? -- jt -- John Thompson Honeywell, SSEC Plymouth, MN 55441 thompson@pan.ssec.honeywell.com Avoid the rush -- Procrastinate Now!
wjw@ebh.eb.ele.tue.nl (Willem Jan Withagen) (06/28/91)
In article <9106272343.AA20474@pan.ssec.honeywell.com>, thompson@PAN.SSEC.HONEYWELL.COM (John Thompson) writes:
=>
=>
=> > I was doing some testing with edrgy and found that even in
=> > closed systems, it comes with a 755 protection. Which means
=> > anyone can run it.
=> >
=> > Any user can log in, run edrgy, change the root password and
=> > be on his merry way. I quickly changed all ours to 700.
=>
=> No No No No No No No No No.
[stuff copied from the manual deleted.]
I'll go along with what John says.
However there is the default setting with this:
which is %.%.%, and as a consequence everybody can change anybodies
items. :)
Change it with the defaults commando. You also might want to look at
the properties with 'properties'.
So for a more secure system you have to manually the change the default owners
of account, ... to something more restrictive: root.wheel.none ?
Furthermore are the default available accounts created with this rubish setting
which means that they have to be manually changed with the
'change xx -o owner' command (xx = person,group,org)
Just have a check with:
do person
v root -f
And if it goes %.%.% then correct it.
Willem Jan
--
Eindhoven University of Technology DomainName: wjw@eb.ele.tue.nl
Digital Systems Group, Room EH 10.10
P.O. 513 Tel: +31-40-473401
5600 MB Eindhoven The Netherlands