topic Re: security issue using mc/sg in Operating System - HP-UX

security issue using mc/sg

Jane-Marie Smith — Tue, 16 Oct 2001 09:36:44 GMT

Have any of you guys found a security issue using mc/sg.
We have a two node cluster on two n4000 servers with hp-ux 11.
We have identical passwd files in root on both of the servers, so when the packages switch the users can carry on working. The problem is that users of server 1 package 1, can logon on to server 2, ( and vice verser)this gives the user access to file systems they should have access to.
Example:-
login: dayc
Password:
Unable to change directory to "/web/u01/home/live"
Logging in with home = "/".
They can now cause some damage if they want.
I have now put a block on this by creating a .profile which logs then straight backout if the do login.

But the questions is. Will this affect the failover. IE will the .profile be over written by the correct .profile when the packages switch?
Any answer would be gratefull

Re: security issue using mc/sg

Eugen Cocalea — Tue, 16 Oct 2001 09:43:24 GMT

Hi,

Is the disk /web/.... mirrored on the other node?

By the way, I don't see any problem with users logging on with home '/'. They don't have write access (or they shouldn't have) on it, have they?

E.

Re: security issue using mc/sg

Jane-Marie Smith — Tue, 16 Oct 2001 10:07:25 GMT

Eugen
I'm afraid they do! I logged in as an application user and was able to go to my home dir and delete a file.

the structure of the file systems exists on both servers. you have to have the mount points for SG.

Re: security issue using mc/sg

Christopher McCray_1 — Tue, 16 Oct 2001 10:12:40 GMT

Probably a silly question, but do you have that directory on server 2 for the users to go to upon logon. Second, is this filesystem a part of the package, or is it on one of the non-shared volumes on the servers?

Regards,
Chris

Re: security issue using mc/sg

Eugen Cocalea — Tue, 16 Oct 2001 10:23:18 GMT

Hi again,

Are you sure they don't have the same rights on the first server? I mean, if they can log on the server1 and delete a file from another users' directory?

My assumption is that even if you log on with home / you are not root.

Well, since I don't use mc/sg I rest my case :)

E.

Re: security issue using mc/sg

Christopher McCray_1 — Tue, 16 Oct 2001 10:29:40 GMT

I think maybe I understand your question (???)

You have a package on server 1 that users log into. Your issue is that when the package is there, people who log into server2 can't go to the directory they need to because it's onn the other server, so it puts them into /. You want to know what the implications are? One, your package has an ip address to which you should have a "virtual hostname" defined for it in either /etc/hosts or in dns. That "hostname" is the one you should give to your users so that no matter where the package is, they will always log into where the application is and not /, where they can do damage. This will not impact the failover because the filesystems are umounted off server1 and remounted on server2.

Hope this helps,
Chris

Re: security issue using mc/sg

Jane-Marie Smith — Tue, 16 Oct 2001 11:04:16 GMT

Thanks for you suggestions Eugen.

Chris,
so what your saying is that when the package switches from server 1 to server 2 and mounts the files systems the .profile that I created will be over written by the correct .profile which is part of the mounted file system thus enabling the users to carry on working.

we user Kea which is a terminal emulator and all user have an icon for both apps on the workstation. It is when they open the wrong icon they are allowed to login even though the ip is set to the virtual address, not the hardware address.

the mount points are on both servers so they get so far, but because there was no .profile they just drop to '/'. If you use SG maybe you could try it with one of your users and see what results you get.

I have now asked our apps supplier to log a call with HP.

Thanks for the help.

Re: security issue using mc/sg

Christopher McCray_1 — Tue, 16 Oct 2001 12:05:43 GMT

Again, I may be just a little off here, but you have identical /etc/passwds on both machines and each user has there home directory defined there. From what I can tell, the home directory you have each user accessing is at the very least /web, which is a packaged file system. That being the case, if the package is on server1 and a user logs directly into server2, they will not be able to access their home directory because its on the other server. I believe that your created .profile will be overwritten by the one in the package, but that is okay. Again I don't have any actual data from your machine, but this is what I think you are experiencing. Prevent your users from logging into the other server when the package is not there by providing them with the "virtual host" associated with the package. I hope I cleared things up for you.

Chris

Re: security issue using mc/sg

Carsten Krege — Tue, 16 Oct 2001 12:50:08 GMT

One solution is to create that home directory on both servers when the filesystem is NOT mounted. This will ensure that the directory exists when the user performs the login. You can put a .profile into the directory that logs a message that the package is currently not running on this node and performs an exit (ie. the user is logged off).

When the package is started the logical volume will be mounted and will simply cover these directories, thus replacing everything with the real environment.

When you do this, you should make sure to use one of the latest package control scripts (SG 11.12) that frees busy mountpoints (when processes/users keep the mountpoint busy, the mount command will fail, hence the package won't start).

Carsten

Re: security issue using mc/sg

Santosh Nair_1 — Tue, 16 Oct 2001 14:51:36 GMT

Another suggestion would be put something in /etc/profile so that if the user doesn't have a valid home directory, it kicks them off, i.e. something like:

# Check for valid home directory

if [ ! -d ${HOME} ]
then
echo "Unable to change directory to ${HOME}"
exit 1
fi

-Santosh

Re: security issue using mc/sg

Jane-Marie Smith — Wed, 17 Oct 2001 07:10:48 GMT

Santosh,

Thanks very much. It worked.
JMS

Re: security issue using mc/sg

Tim D Fulford — Wed, 17 Oct 2001 14:07:32 GMT

Hi

I have not read the whole thread but I had something similar in the past. So if it is a repeat of an above solution sorry.

1 users must have a home directory on the serviceguarded VG that is mounted on (for example) /home/SGusers/

2 in the SG filesystem have the regular user .profile

3 create a dummy .profile on both/all hosts in /home/SGusers/. that kicks off the users.

What happens when the user logs into the active node the mounted filesystem .profile will be used. If they log in and SG is not active the .profile under the mount point will now be visible & log them off.

Just one observation the users should really only use the floating IP, then the above would be redundant!

Cheers

Tim

Re: security issue using mc/sg

Stephen Doud — Thu, 18 Oct 2001 15:34:36 GMT

ServiceGuard has a relocatable IP/package alias feature which routes login attempts to the server operating the package, precluding any need for a user attempt to login to a specific server.

Can it be implemented with the terminal emulator involved?

-Stephen