Re: Security issues
From: David J. Bianco
Subject: Re: Security issues
Date: 02 Jul 2002 11:33:51 -0400
On Tue, 2002-07-02 at 11:17, Jacob Lee wrote:
> I'm beginning a rollout of cfengine in a small (13 machines so far) but
> burgeoning Linux installation inside of a larger Windows network. I
> recently noticed a security issue where I'm worried that cfengine will
> decrease the security of the installed base.
>
What you say is true. If you can modify the cfengine config files,
you can make the cfagent do whatever you like, so it's important to
make these files reasonably secure from tampering. But your problem
is much more basic. Your users know the root password for every machine
on your network.

If your root password is that well known, why would they want to use
cfengine to do their dirty work for them? Couldn't they just log
in directly and do whatever they like? Maybe I'm missing your point,
but this doesn't sound like a cfengine problem to me. Don't worry so
much about locking the back door until you install a front door. 8-)

Maybe you could investigate a tool like sudo, which can allow you to
delegate some permissions to other users without giving them full
root capabilities. Or if you have Linux 2.4 kernels, you might be
able to do the same with capabilities. Also, lest I not fully answer
the question you asked, you could use something like LIDS to modify the
Linux kernel such that not even root can modify files without the proper
clearance. Find it at www.lids.org, but I don't really think it'll
solve your underlying problem.
David
--
David J. Bianco, GSEC <bianco@jlab.org>
Thomas Jefferson National Accelerator Facility
The views expressed herein are solely those of the author and
not those of SURA/Jefferson Lab or the US DOE.