
Re: Cfservd access through firewall - dangerous ?


From: Adrian Phillips
Subject: Re: Cfservd access through firewall - dangerous ?
Date: 29 Apr 2002 12:30:38 +0200
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

>>>>> "Mark" == Mark Burgess <Mark.Burgess@iu.hio.no> writes:

Thanks for the quick response Mark.

    Mark> On 29 Apr, Adrian Phillips wrote:
    >> - a DoS against cfservd seems to be relatively difficult to
    >> accomplish as it does so much checking

    Mark> A lot of thought went into this!

I'd gathered that :-)

    >> - is it theoretically possible to "modify" cfservd such that
    >> it overwrites configuration files such that somebody could
    >> damage all the servers under cfengine's administration ?
    >> 

    Mark> I assume you mean by a malicious party: of course, friendly
    Mark> fire is always the biggest problem. An admin can always
    Mark> program cfengine to do harm! But otherwise...

Yes, sorry, I meant somebody cracking the cfservd through the tunnel.

    Mark> No, not unless there were a buffer overflow. I have also
    Mark> worked very hard to make this impossible through design.
    Mark> Time will show...but so far cfengine's track record is
    Mark> rather better than any other popular software I can think
    Mark> of...:)

Yes, I'd tried to search on the internet if cfengine ever had any
problems in older versions but couldn't find any.

    >> - even worse, would it be possible to get a shell prompt on the
    >> cfservd server ?

    Mark> Again, only by buffer overflow or admin stupidity.

    Mark> The main weakness is in getting access to the master
    Mark> cfengine files.  If you could, for instance, use ftp to
    Mark> break into the master machine and change the cfengine
    Mark> config, then you have the perfect way to do whatever you
    Mark> like with the system.

One reason I intend not to have ftp on this machine.

    >> I suppose one solution to this concern is to mirror the
    >> cfengine setup to an external cfengine server.
    >> 

    Mark> Protect the source!!

Of course. In addition to mirroring to another machine I'm going to
use iptables, chroot and user-mode-linux to make it very difficult to
break in and out.

    Mark> I would very much like to see someone write an article for
    Mark> ;login: or something on the topic of using cfengine
    Mark> with/through a firewall.

    Mark> Go for it!

I must admit I hadn't a clue what you meant by this until I googled
for ;login:. I don't know whether my writing skills are quite up to an
article but I'd write something that could be added to the Tutorial,
although it will be some weeks before I've set this up.

Sincerely,

Adrian Phillips

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]
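Mark's point above is that the real exposure is not cfservd itself but the master configuration files it serves: whoever can alter them controls every client. The following is an added illustration, not code from the thread or from the cfengine project, of one cheap control on the "protect the source" side: a SHA-256 manifest of the master tree that is verified before the mirror or the clients pull from it, so that an altered or unexpectedly added file is reported. The directory layout, file names and file contents are constructed for the example; the manifest format is plain `sha256sum` output and the check assumes GNU coreutils and paths without spaces.

```shell
#!/bin/sh
# Added example (not part of the original thread): integrity manifest for a
# master cfengine configuration tree. Paths and sample contents are assumptions.
set -u

# make_manifest DIR MANIFEST
# Record a SHA-256 digest for every regular file under DIR, with paths
# relative to DIR, sorted so the manifest is reproducible. MANIFEST must be
# an absolute path outside DIR.
make_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$manifest"
}

# verify_manifest DIR MANIFEST
# Returns 0 when every recorded file still hashes the same and no file has
# appeared that the manifest does not know about; 1 otherwise, with the
# offending paths reported on stdout/stderr.
verify_manifest() {
    dir=$1; manifest=$2; status=0
    # 1. every recorded file must be present and unchanged
    ( cd "$dir" && sha256sum --quiet -c "$manifest" ) || status=1
    # 2. no unrecorded file may have been added (a dropped-in config would
    #    otherwise go unnoticed by the hash check alone)
    extra=$( { awk '{print $2}' "$manifest" | LC_ALL=C sort; } |
             comm -13 - "$( cd "$dir" && find . -type f | LC_ALL=C sort )" 2>/dev/null ) || true
    # comm needs a file operand, so redo it with a temp file for portability
    listed=$(mktemp); present=$(mktemp)
    awk '{print $2}' "$manifest" | LC_ALL=C sort > "$listed"
    ( cd "$dir" && find . -type f | LC_ALL=C sort ) > "$present"
    extra=$(comm -13 "$listed" "$present")
    rm -f "$listed" "$present"
    if [ -n "$extra" ]; then
        printf 'UNEXPECTED FILE: %s\n' $extra >&2
        status=1
    fi
    return $status
}

# demo: build a constructed sample tree, take a baseline, then simulate an
# unauthorised change and an added file to show both detections firing.
demo() {
    work=$(mktemp -d)
    master="$work/master"; manifest="$work/master.sha256"
    mkdir -p "$master/inputs"
    # constructed sample content, not real cfengine configuration
    printf 'sample master config A\n' > "$master/inputs/cfagent.conf"
    printf 'sample master config B\n' > "$master/inputs/cfservd.conf"
    make_manifest "$master" "$manifest"
    verify_manifest "$master" "$manifest" && echo "baseline: OK"
    printf '# unauthorised edit\n' >> "$master/inputs/cfagent.conf"
    touch "$master/inputs/extra.conf"
    verify_manifest "$master" "$manifest" || echo "after tampering: MODIFIED (exit $?)"
    rm -rf "$work"
}

demo
```

Run the manifest step on the protected master (the box without ftp, behind iptables) and copy the manifest out of band; the verify step then belongs on the mirror before it accepts a new copy, and in cron on the master itself. A hash manifest only detects changes after the fact, so it complements rather than replaces keeping the master unreachable from the outside.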