help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cfservd access through firewall - dangerous ?


From: Mark . Burgess
Subject: Re: Cfservd access through firewall - dangerous ?
Date: Mon, 29 Apr 2002 12:18:45 +0200 (MET DST)

On 29 Apr, Adrian Phillips wrote:
> 
> I'd been thinking about how machines external to our firewall could
> have access to cfservd, and basically had resigned myself to skipping
> copy and using scp or rsync to copy files to them.
> 
> Somebody posted that they open a hole/tunnel in the firewall to the
> cfservd which I thought could be a reasonably idea. I had some
> questions from my director though which aren't covered in the
> "Security and cfengine" section in the tutorial perhaps because they
> are more general software issues :-
> 
> - a DoS against cfservd seems to be relativly difficult to accomplish
>   as it does so much checking

A lot of thought went into this!

> 
> - is it theoretically possible to "modify" cfservd such that it
>   overwrites configuration files such that somebody could damage all
>   the servers under cfengines administration ?
> 

I assume you mean by a malicious party: of course, friendly
fire is always the biggest problem. An admin can always
program cfengine to do harm! But otherwise...

No, not unless there were a buffer overflow. I have also
worked very hard to make this impossible through design.
Time will show...but so far cfengine's track record is
rather better than any other popular software I can
think of...:)


> - even worse, would it be possible to get a shell prompt on the
>   cfservd server ?

Again, only by buffer overflow or admin stupidity.

> 
> I must admit that I don't think the above is very likely as I feel
> Mark has done such a good job writing a secure piece of software. I
> suppose it comes down to how much you trust your software. We use exim
> to receive email and it has a rather good security record, so I trust
> it. The concern with cfservd is of course that somebody cracking this
> will then have the ability to take over all machines that cfengine
> administers.

THe main weakness is in getting access to the master cfengine files.
If you could, for instance, use ftp to break into the master
machine and change the cfengine config, then you have the perfect
way to do whatever you like with the system.

> I suppose one solution to this concern is to mirror the cfengine setup
> to an external cfengine server.
> 

Protect the source!!

> Any comments would be much appreciated,
> 
> Sincerely,
> 
> Adrian Phillips
> 

I would very much like to see someone write an article for ;login:
or something on the topic of using cfengine with/through a firewall.

Go for it!

Mark

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





reply via email to

[Prev in Thread] Current Thread [Next in Thread]