bonnetf@apo.esiee.fr (bonnet-franck) (10/30/90)
Hi,

I would like to inform Internet APOLLO users that it is VERY important to set only ONE owner of the registries using /etc/edrgy ...

At the beginning we had set "root.%.%" as the owner of all our registries, and it was a security mistake.

Now we have set "root.staff.none" as the owner of ALL the accounts; in this configuration ONLY "root.staff.none" is allowed to modify registries.

In the past anybody was able to add, for example, a "root.server.none" entry in the registries, and then this user could be logged in as ROOT on the system (bad)...

In order to protect the system better we have protected the /etc/edrgy command as follows:

    $ lsacl /etc/edrgy
    root.staff.none     prwx-
    %.staff.%           [Ignore]
    %.%.none            [Ignore]
    %.%.%               ----k

Of course you must NOT forget the root.staff.none password ... But here we run in a very aggressive environment.

I hope this could help.

-------------------------------------------------------------------------------
bonnetf@apo.esiee.fr                      |
Frank Bonnet                              |     Surfing ...
E.S.I.E.E                                 |
BP99 93162 Noisy le Grand cedex. FRANCE.  |     the rest is details !
Fax : 33 1 45 92 66 99                    |
-------------------------------------------------------------------------------
pato@apollo.HP.COM (Joe Pato) (11/01/90)
In article <9010291025.AA01144@apo.esiee.fr>, bonnetf@apo.esiee.fr (bonnet-franck) writes:

|> Hi,
|>
|> I would like to inform Internet APOLLO users that
|> it is VERY important to set only ONE owner of the
|> registries using /etc/edrgy ...
|>

We agree that if you are interested in security you must set owners on the registry and the internal registry objects (the name domains, and each person, group, or org). You do not, however, need to set these owners to a single individual.

|> At the beginning we had set "root.%.%" as the owner
|> of all our registries, and it was a security mistake.
|>
|> Now we have set "root.staff.none" as the owner of ALL
|> the accounts; in this configuration ONLY "root.staff.none"
|> is allowed to modify registries.
|>
|> In the past anybody was able to add, for example, a
|> "root.server.none" entry in the registries, and then
|> this user could be logged in as ROOT on the system (bad)...
|>

Your problem must have been that you neglected to set the owner field on the "root" person. (By default the rgy_create tool creates all entries owned by %.%.%.) New objects created by edrgy inherit the ownership information that is attached to the particular naming domain.

Given that the root person was owned by %.%.%, then you are right - anyone can create new root.... accounts. Once you set the owner on the root person, however, only that owner will be able to create new "root" accounts.

You should read the discussion on owners in the manual and in the reprint of the 1988 Usenix paper included in the "Principles of Domain/OS" manual.

|> In order to protect the system better we have protected
|> the /etc/edrgy command as follows:
|>
|>     $ lsacl /etc/edrgy
|>     root.staff.none     prwx-
|>     %.staff.%           [Ignore]
|>     %.%.none            [Ignore]
|>     %.%.%               ----k
|>

There is no need to change the acl on the edrgy program. The program has no special privileges to manipulate the registry - it simply makes the appropriate calls on the rgy_$ library, which turn into remote procedure calls to the registry server. All access control checking with respect to operations on the contents of the registry is performed by the registry server. The identity of the caller is established via a cryptographic authentication protocol - so the invoker of the tool has to have logged in and provided a password to successfully manipulate the registry.

The problems you have seen are simply that the access control information associated with the registry objects (the owner fields) has been left wide open (%.%.%).

|> Of course you must NOT forget the root.staff.none
|> password ... But here we run in a very aggressive environment.
|>
|> I hope this could help.
|>
|> -------------------------------------------------------------------------------
|> bonnetf@apo.esiee.fr                      |
|> Frank Bonnet                              |     Surfing ...
|> E.S.I.E.E                                 |
|> BP99 93162 Noisy le Grand cedex. FRANCE.  |     the rest is details !
|> Fax : 33 1 45 92 66 99                    |
|> -------------------------------------------------------------------------------

-- 
Joe Pato
Cooperative Object Computing Operation
Hewlett-Packard Company
pato@apollo.hp.com
rn@ap.co.umist.ac.uk (bob nutter) (11/01/90)
In article <4dbb5bb7.20b6d@apollo.HP.COM>, pato@apollo.HP.COM (Joe Pato) writes:

[Frank Bonnet's stuff deleted...]

|> Your problem must have been that you neglected to set the owner field on
|> the "root" person. (By default the rgy_create tool creates all entries
|> owned by %.%.%.) New objects created by edrgy inherit the ownership
|> information that is attached to the particular naming domain.
|>
|> Given that the root person was owned by %.%.%, then you are right - anyone can
|> create new root.... accounts. Once you set the owner on the root person,
|> however, only that owner will be able to create new "root" accounts.

Yup, I only found out about this last week when a friend in our Elec Eng dept was writing a script. Seeing as everyone knows about it now, I would *strongly* recommend you make sure you change the root ownership. Anyone, I repeat *anyone*, can type 'passwd root' and change the root password with it otherwise. passwd makes no check that the user id is 0, but relies on the registry for security checks.

Apollo UK are reported to have had to fix this on *their* machines! I leave you to draw your own conclusions about this...

-------------------------------------------------------------------------------
bob nutter, computer officer      | "Every year we destroy an area of rain
UMIST dept of computation         |  forest the size of Belgium. Why not just
po box 88 manchester m60 1qd uk   |  destroy Belgium?"
tel:+44 61 200 3386               |                         -Canned Carrott
email:b.nutter@umist.ac.uk        |
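The ownership check Joe Pato describes, and the 'passwd root' consequence Bob Nutter points out, modelled as an added example. This is not code from the thread and not Domain/OS or registry-server code; it is a toy Python model built on what the posts state: every registry object carries an owner field written as a person.group.org pattern with '%' as a wildcard, the registry server checks the caller's authenticated identity against that field no matter which client tool made the call, rgy_create leaves everything owned by %.%.%, and objects created under a naming domain inherit that domain's owner. The class and function names, and the sample identities alice.staff.none and root.server.none, are assumptions made for illustration.

```python
# Added example: toy model of Domain/OS registry owner checks as described in
# this thread. Not Apollo code. Assumptions: SIDs are person.group.org, '%'
# in an owner field matches anything in that position, and all access checks
# run server-side against the caller's authenticated SID.
from dataclasses import dataclass, field


def sid_matches(owner_pattern: str, caller_sid: str) -> bool:
    """True if caller_sid (person.group.org) is covered by owner_pattern."""
    pat, sid = owner_pattern.split("."), caller_sid.split(".")
    if len(pat) != 3 or len(sid) != 3:
        raise ValueError("SIDs are person.group.org triples")
    return all(p == "%" or p == s for p, s in zip(pat, sid))


@dataclass
class Person:
    name: str
    owner: str                                  # e.g. 'root.staff.none'
    password: str = ""
    accounts: set = field(default_factory=set)  # 'person.group.org' logins


class Registry:
    """Server side of the model: every check happens here, regardless of
    whether edrgy, passwd or a script issued the request."""

    def __init__(self, domain_owner: str = "%.%.%"):
        # rgy_create default: the person naming domain is owned by %.%.%
        self.domain_owner = domain_owner
        self.persons: dict[str, Person] = {}

    def _check(self, caller: str, owner: str, what: str) -> None:
        if not sid_matches(owner, caller):
            raise PermissionError(f"{caller} is not {owner}: cannot {what}")

    def add_person(self, caller: str, name: str) -> Person:
        # creating an object modifies the naming domain ...
        self._check(caller, self.domain_owner, f"create person {name}")
        # ... and the new object inherits the domain's owner field
        self.persons[name] = Person(name, owner=self.domain_owner)
        return self.persons[name]

    def set_owner(self, caller: str, name: str, new_owner: str) -> None:
        p = self.persons[name]
        self._check(caller, p.owner, f"change owner of {name}")
        p.owner = new_owner

    def add_account(self, caller: str, person: str, group: str, org: str) -> str:
        p = self.persons[person]
        self._check(caller, p.owner, f"add account for {person}")
        acct = f"{person}.{group}.{org}"
        p.accounts.add(acct)
        return acct

    def set_password(self, caller: str, person: str, new_password: str) -> None:
        # 'passwd root' ends up here; the caller's uid plays no part
        p = self.persons[person]
        self._check(caller, p.owner, f"set password of {person}")
        p.password = new_password


def allowed(op) -> bool:
    """Run a registry operation and report whether the server accepted it."""
    try:
        op()
    except PermissionError:
        return False
    return True


def fresh_registry(root_owner: str) -> Registry:
    """A registry as rgy_create leaves it, then the root person's owner set."""
    reg = Registry()
    reg.add_person("root.staff.none", "root")          # root inherits %.%.%
    reg.set_owner("root.staff.none", "root", root_owner)
    return reg


def who_can_add_root_accounts(root_owner: str, callers: list[str]) -> list[str]:
    """Which callers may add a root.server.none login, given root's owner."""
    reg = fresh_registry(root_owner)
    return [c for c in callers
            if allowed(lambda: reg.add_account(c, "root", "server", "none"))]


def who_can_change_root_password(root_owner: str, callers: list[str]) -> list[str]:
    """Which callers succeed at 'passwd root', given root's owner."""
    reg = fresh_registry(root_owner)
    return [c for c in callers
            if allowed(lambda: reg.set_password(c, "root", "new-secret"))]


if __name__ == "__main__":
    callers = ["alice.staff.none", "root.server.none", "root.staff.none"]
    for owner in ("%.%.%", "root.%.%", "root.staff.none"):
        print(f"root owned by {owner:16}  add root account: "
              f"{who_can_add_root_accounts(owner, callers)}  passwd root: "
              f"{who_can_change_root_password(owner, callers)}")
```

Running the block walks through the three owner settings mentioned in the thread: with the rgy_create default of %.%.% every caller can both add a root.server.none login and change root's password; with root.%.% any existing root.* login (root.server.none included, if one was added while the field was still open) qualifies; with root.staff.none only that one identity does. Note that the ACL on the /etc/edrgy binary never enters the model, which is Joe Pato's point that the check lives in the server, not the client tool.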