rees@pisa.ifs.umich.edu (Jim Rees) (01/11/91)
In article <9101101046.AA06527@apo.esiee.fr>, bonnetf@apo.esiee.fr (bonnet-franck) writes:
> 4 - The bad thing is that these files are NOT protected after their creation ...
>     Everybody has "pwrx" rights on these files, ouch !

This doesn't happen on my sr10.3 node. The rc files are copied from
/etc/templates using cpio and have the same rights as the templates. Maybe
it depends on whether you are using netman.bin_sh or netman.com_sh.

A more serious problem is that `node_data is often completely open, allowing
you to rename `node_data/etc and create your own. /etc/init should refuse
to run /etc/rc if it isn't owned by root.
bonnetf@apo.esiee.fr (bonnet-franck) (01/11/91)
Hi,

We've found a security problem (one more!). The problem is the following:

1 - When you boot a diskless machine on a disked partner, the
    /sys/node_data.xxx directory is created.
2 - Another directory is created: /sys/node_data.xxx/etc.
3 - The following files are newly created in that directory:
    rc rc.local rc.user
4 - The bad thing is that these files are NOT protected after their
    creation ... Everybody has "pwrx" rights on these files, ouch!

As is well known, when the machine boots up the rc and rc.local files are
executed with ROOT privileges!!! That means that anybody can:
  - Edit this file.
  - Write inside some dirty things.
  - Reboot the machine.
  - The dirty things are EXECUTED WITH ROOT PRIVILEGES at bootup ... !!!

5 - These files are protected at install on a disked machine, why aren't
    they during the /sys/node_data.xxx creation???
    As Mr Spock could say: "This should be logical, captain".

Bye,
--
Frank Bonnet                                   bonnetf@apo.esiee.fr
E.S.I.E.E, BP99 93162 Noisy le Grand cedex, FRANCE
Fax : 33 1 45 92 66 99                         Surfing ... the rest is details !
chen@digital.sps.mot.com (Jinfu Chen) (01/12/91)
In article <9101111133.AA13945@apo.esiee.fr> bonnetf@apo.esiee.fr (bonnet-franck) writes:
>5 - These files are protected at install on a disked machine, why aren't they
>    during the /sys/node_data.xxx creation ???
>    As Mr Spock could say : "This should be logical captain" .

When booting a node diskless from another node, I believe netmain executes
some scripts in /sys/net/netmain_???.sh. For example, netmain_bin.sh:

    #
    # { Now create a `node_data/etc directory, if one does not exist, and copy /etc/templates in.
    #
    if [ ! -d $DIR/etc ] ; then
        mkdir $DIR/etc
        /usr/apollo/bin/cpacl -odf /sys/node_data/etc $DIR/etc
    fi

or in netmain_com.sh:

    #
    # { Now create a `node_data/etc directory, if one does not exist, and copy /etc/templates in.
    #
    /com/cpt /etc/templates ^DIR/etc -md -sacl

As shown, the rc.* files (as well as crontab files) are copied from the
/etc/templates directory, NOT from /sys/node_data/etc. Your diskless node
will get whatever ACLs you have in your /etc/templates. I'll bet your
/etc/templates directory is wide open (I didn't know it until cops
complained). This could be somewhere in TFM as well (nope, TFM only talks
about /sys/dm/startup_templates :-().

--
Jinfu Chen                         (602)898-5338
Motorola, Inc.  SPS  Mesa, AZ
...uunet!motsps!digital!chen       chen@digital.sps.mot.com
CMS: RXFR30 at MESAVM
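The check Jim Rees proposes for /etc/init (refuse to run an rc file that is not owned by root, and, given an open `node_data, refuse one sitting in a directory that is not either), together with the audit Frank Bonnet did by hand over `node_data.xxx/etc, as an added example written for this thread. It is not code from any of the posts, from Apollo's netmain scripts, or from COPS. It assumes a POSIX sh with `ls -n` for numeric uids and plain Unix mode bits rather than Domain/OS ACLs; the function names and the node_data.1234 tree the demo builds are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts or from Domain/OS.
# Assumes POSIX sh, `ls -ldn` (numeric uid) and Unix mode bits; a real
# Domain/OS check would have to read the ACL instead. Names are hypothetical.

# safe_entry PATH KIND UID
#   Succeeds only if PATH is of type KIND ("-" regular file, "d" directory),
#   owned by UID, and neither group- nor world-writable. ls -ld reports a
#   symlink as type "l", so a link planted in place of rc is rejected too.
safe_entry() {
    _out=$(ls -ldn "$1" 2>/dev/null) || return 1
    # read instead of `set -- $_out`: no globbing of odd file names
    read -r _mode _links _uid _rest <<EOF
$_out
EOF
    case $_mode in
        "$2"*) ;;                        # right type
        *) return 1 ;;                   # symlink, device, or wrong type
    esac
    [ "$_uid" = "$3" ] || return 1       # wrong owner
    case $_mode in
        ?????w*|????????w*) return 1 ;;  # group (6th char) or other (9th) write bit
    esac
    return 0
}

# check_rc_file RC [UID]
#   The refusal /etc/init should make before running RC: the script AND the
#   directory holding it must be owned by UID (default 0, root) and not be
#   writable by anyone else. The directory matters because an open `node_data
#   lets anyone rename `node_data/etc and drop in a directory of their own.
check_rc_file() {
    _rc=$1; _want=${2:-0}
    _dir=$(dirname "$_rc")
    if ! safe_entry "$_dir" d "$_want"; then
        echo "refuse $_rc: $_dir is not a uid-$_want-owned, unwritable directory" >&2
        return 1
    fi
    if ! safe_entry "$_rc" - "$_want"; then
        echo "refuse $_rc: not a uid-$_want-owned, unwritable regular file" >&2
        return 1
    fi
    return 0
}

# audit_node_data DIR [UID]
#   What the original post found by hand: list the rc files under DIR/etc
#   that init would refuse. Prints offending paths; returns 1 if any exist.
audit_node_data() {
    _base=$1; _auid=${2:-0}; _bad=0
    for _f in rc rc.local rc.user; do
        [ -e "$_base/etc/$_f" ] || continue
        if ! check_rc_file "$_base/etc/$_f" "$_auid" 2>/dev/null; then
            echo "$_base/etc/$_f"
            _bad=$((_bad + 1))
        fi
    done
    [ "$_bad" -eq 0 ]
}

# demo: build a constructed node_data.1234 tree the way a wide-open
# /etc/templates would leave it, then audit it.  Run as:  sh this.sh demo
demo() {
    _t=$(mktemp -d)
    mkdir -p "$_t/node_data.1234/etc"
    for _f in rc rc.local rc.user; do : > "$_t/node_data.1234/etc/$_f"; done
    chmod 755 "$_t/node_data.1234/etc"
    chmod 644 "$_t/node_data.1234/etc/rc"
    chmod 666 "$_t/node_data.1234/etc/rc.local"   # the "pwrx for everybody" case
    chmod 644 "$_t/node_data.1234/etc/rc.user"
    echo "auditing as uid $(id -u):"
    audit_node_data "$_t/node_data.1234" "$(id -u)" || echo "-> init would refuse the above"
    rm -rf "$_t"
}
case ${1:-} in demo) demo ;; esac
```

The check is deliberately made on the directory as well as the file, since a root-owned, mode-644 rc inside a world-writable `node_data/etc is no protection at all: the whole directory can be swapped out. The mode test looks at the `ls -l` string rather than trying to open the file for writing, so it gives the same answer whether the auditor runs as root or as an ordinary user.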