[comp.sys.apollo] security with rc files

rees@pisa.ifs.umich.edu (Jim Rees) (01/11/91)

In article <9101101046.AA06527@apo.esiee.fr>, bonnetf@apo.esiee.fr (bonnet-franck) writes:

  4 - The bad thing is that these files are NOT protected after their creation ... 
      Everybody has "pwrx" rights on these files, ouch !                            

This doesn't happen on my sr10.3 node.  The rc files are copied from
/etc/templates using cpio and have the same rights as the templates.  Maybe
it depends on whether you are using netman.bin_sh or netman.com_sh.

A more serious problem is that `node_data is often completely open, allowing
you to rename `node_data/etc and create your own.  /etc/init should refuse
to run /etc/rc if it isn't owned by root.

bonnetf@apo.esiee.fr (bonnet-franck) (01/11/91)

Hi,

We've found a security problem (one more!)

The problem is the following:

1 - When you boot a diskless machine on a disked partner the /sys/node_data.xxx
    directory is created.

2 - Another directory is created: /sys/node_data.xxx/etc.

3 - The following files are newly created in that directory:

                    rc
                    rc.local
                    rc.user

4 - The bad thing is that these files are NOT protected after their creation ...
    Everybody has "pwrx" rights on these files, ouch!

    As it is well known, when the machine boots up the rc and rc.local files
    are executed with ROOT privileges!!! That means that anybody can:

    - Edit this file.
    - Write inside some dirty things.
    - Reboot the machine.
    - The dirty things are EXECUTED WITH ROOT PRIVILEGES at bootup ... !!!

5 - These files are protected at install on a disked machine, why aren't they
    during the /sys/node_data.xxx creation???
    As Mr Spock could say: "This should be logical captain".

    Bye,

-------------------------------------------------------------------------------|
bonnetf@apo.esiee.fr                     |                                     |
Frank Bonnet                             | Surfing ...                         |
E.S.I.E.E                                |                                     |
BP99 93162 Noisy le Grand cedex.FRANCE.  | the rest is details !               |
Fax   : 33 1 45 92 66 99                 |                                     |
-------------------------------------------------------------------------------|

chen@digital.sps.mot.com (Jinfu Chen) (01/12/91)

In article <9101111133.AA13945@apo.esiee.fr> bonnetf@apo.esiee.fr (bonnet-franck) writes:
>5 - These files are protected at install on a disked machine, why aren't they
>    during the /sys/node_data.xxx creation ??? 
>    As Mr Spock could say : "This should be logical captain" .

When booting a node diskless from another node, I believe netmain executes
some scripts in /sys/net/netmain_???.sh. For example, netmain_bin.sh

#
#   { Now create a `node_data/etc directory, if one does not exist, and copy /etc/templates in.
#
if [ ! -d $DIR/etc ] ; then
   mkdir $DIR/etc
   /usr/apollo/bin/cpacl -odf /sys/node_data/etc $DIR/etc
fi

or in netmain_com.sh:

#
#   { Now create a `node_data/etc directory, if one does not exist, and copy /etc/templates in.
#
/com/cpt /etc/templates ^DIR/etc -md -sacl

As shown, the rc.* files (as well as crontab files) are copied from the
/etc/templates directory, NOT from /sys/node_data/etc. Your diskless
node will get whatever acls you have in your /etc/templates. I'll bet your
/etc/templates directory is wide open (I didn't know it until cops
complained). This could be somewhere in TFM as well (nope, TFM only talks
about /sys/dm/startup_templates :-().

-- 
Jinfu Chen                  (602)898-5338 
Motorola, Inc.  SPS  Mesa, AZ
 ...uunet!motsps!digital!chen
chen@digital.sps.mot.com
CMS: RXFR30 at MESAVM
----------
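An added example, not from the thread and not Apollo's own netmain code: a POSIX sh script that puts the checks the three posts discuss into one place, an audit of a `node_data/etc directory and its rc files for the open-permission case Franck reports (mode bits standing in for Apollo ACLs), and the owner check Jim Rees suggests /etc/init should make before running /etc/rc. The function names, the file names and the constructed fixture are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread or from Apollo's netmain scripts: a
# POSIX sh audit of the startup files discussed above, plus the owner check
# Jim Rees proposes for /etc/init. Paths and the fixture are constructed.
# path_trusted PATH OWNER: succeed only if PATH exists, is owned by OWNER and
# has neither the group- nor the world-write bit set. Uses POSIX find
# primaries; -prune keeps find from descending into a directory argument.
path_trusted() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "${2:-root}" -print)" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# audit_node_etc DIR OWNER: check `node_data (DIR's parent), DIR itself and
# the rc files in it. Prints one line per finding; returns the finding count.
audit_node_etc() {
    dir=$1; owner=${2:-root}; bad=0
    for p in "$(dirname "$dir")" "$dir" "$dir/rc" "$dir/rc.local" "$dir/rc.user"; do
        if ! path_trusted "$p" "$owner"; then
            echo "UNTRUSTED: $p ($(ls -ld "$p" 2>/dev/null | cut -c1-10); wanted owner $owner)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# run_rc_guarded FILE OWNER: the check /etc/init could make before running
# /etc/rc: refuse a startup script not owned by OWNER or writable by others.
run_rc_guarded() {
    if path_trusted "$1" "${2:-root}"; then
        sh "$1"
    else
        echo "refusing to run $1: not owned by ${2:-root} or writable by others" >&2
        return 1
    fi
}

# make_fixture: constructed stand-in for /sys/node_data.xxx/etc after a
# diskless boot, with rc.local left world-writable as in Franck's report.
make_fixture() {
    d=$(mktemp -d) && mkdir "$d/etc" || return 1
    for name in rc rc.local rc.user; do
        printf 'echo %s ran\n' "$name" > "$d/etc/$name"; chmod 0644 "$d/etc/$name"
    done
    chmod 0666 "$d/etc/rc.local"
    echo "$d/etc"
}
# Usage: sh audit_rc.sh /sys/node_data.xxx/etc [owner]; no arguments audits the fixture.
if [ $# -gt 0 ]; then audit_node_etc "$1" "${2:-root}" || echo "$? finding(s)"
else audit_node_etc "$(make_fixture)" "$(id -un)" || echo "$? finding(s)"; fi
```

On a real node the owner argument stays at its default of root; the fixture run passes the current user so the logic can be exercised without privileges.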