Operating System - HP-UX

Re: swlist @ remotehost returns list of sw!

 
SOLVED
Go to solution
Bill McNAMARA_1
Honored Contributor

swlist @ remotehost returns list of sw!

if I run
swlist @ remotehost
from localhost,
I can see all software installed on remotehost.

In my books this is a security flaw especially when one of my hosts is built for security!

How do I stop it?

pereal:root> swlist @ labatt
# Initializing...
# Contacting target "labatt"...
#
# Target: labatt:/
#

#
# Bundle(s):
#

B2491BA B.11.00 MirrorDisk/UX
B3693AA C.02.40.000 HP GlancePlus/UX for s800 11.0
B3884FA_AGL B.11.00 HP-UX 8-User License
B5736BA A.03.20 HA Monitors
B_SSH 1.2.27 Secure Shell
HPOC-1100-CORE B.11.00.20000914 HPUX Patch Bundle for HPOC Products
HPUXEng64RT B.11.00.01 English HP-UX 64-bit Runtime Environment
J4254AA B.11.00.01 PCI 4 PORT 100BASE-T/9000
OnlineDiag B.11.00.13.16 HPUX 11.0 Support Tools Bundle
XSWGR1100 B.11.00.50.5 HP-UX General Release Patches, September 2000
#
# Product(s) not contained in a Bundle:
#

Medusa 5.3.a Security/Audit Monitoring Toolset
MedusaLocalConf Local configurations and filters for Medusa slaves.
OMNIBACK-II A.03.10 HP OpenView OmniBack II
OSD-SEC A.02.11f HP OSD Security Tools
PWplus 3.1.a Password Security Toolset
SecurityTools 1.0 Security tools
It works for me (tm)
9 REPLIES
Marcin Wicinski
Trusted Contributor

Re: swlist @ remotehost returns list of sw!

Hi Bill,
I don't exactly remember, but the swacl command should be useful.
Marcin Wicinski
Bill McNAMARA_1
Honored Contributor

Re: swlist @ remotehost returns list of sw!

pereal:root> swacl -l host @ labatt
#
# swacl Host Access Control List
#
# For host: labatt
#
# Date: Fri Nov 16 12:37:35 2001
#

# Object Ownership: User= root
# Group=sys
# Realm=labatt.grenoble.hp.com
#
# default_realm=labatt.guinness.com
user:in:crwit
user:mvesian:crwit
user:ocmc:crwit
user:ocmp:crwit
user:pack:crwit
user:ss7:crwit
group:swadm:crwit
any_other:-r--t

I guess I should modify the any_other somehow so that read is not allowed..

Later,
Bill
It works for me (tm)
Marcin Wicinski
Trusted Contributor

Re: swlist @ remotehost returns list of sw!

I think we can try to edit the /var/adm/sw/_ACL file, which contains the security list. Put "-" instead of "r" in the any_other line.
Marcin Wicinski
David Lodge
Trusted Contributor
Solution

Re: swlist @ remotehost returns list of sw!

The way I do it is IIRC:

swacl -l root -M any_other:-----

This will remove all access for any user except for root on the machine (including other servers)

dave
Bill McNAMARA_1
Honored Contributor

Re: swlist @ remotehost returns list of sw!

After running the command, it works (localhost can't list remotehost).

but swacl -l host still shows the older permissions?

pereal:root> swacl -l host
#
# swacl Host Access Control List
#
# For host: pereal
#
# Date: Fri Nov 16 13:01:36 2001
#

# Object Ownership: User= root
# Group=sys
# Realm=pereal.guinness.com
#
# default_realm=pereal.guinness.com
group:swadm:crwit
any_other:-r--t
It works for me (tm)
Marcin Wicinski
Trusted Contributor

Re: swlist @ remotehost returns list of sw!

Log out and log back in or restart swagentd: # swagentd -r
Marcin Wicinski
David Lodge
Trusted Contributor

Re: swlist @ remotehost returns list of sw!

This is the difference 'twixt a root and a host - a host defines the whole host (i.e. server/partition) that you are querying - a root defines the root directory *on that host*.

If one restricts the acl on a root to only readable by the root user then nobody but the root user can examine the software installed on that root. (Note: SD allows more than one root - eg for development/UAT environments you can have several roots such as:
/test/UAT1
/test/UAT2
etc. The 'normal' root is '/')

For a host it will affect access to see what roots/depots exists on that host...

To see:
sudo swacl -l host -M any_other:-----
swlist
[list of software]
sudo swacl -l host -M any_other:rt
sudo swacl -l root -M any_other:-----
swlist
[Error no access rights]

I hope that's cleared up a bit (I'm still confused :-)

To try and describe it in a different way - the ACLs describe access rights to look at the contents on the level you're looking at, so root describes the product/files etc installed on that root. host describes the objects available on that host...

dave
Wodisch
Honored Contributor

Re: swlist @ remotehost returns list of sw!

Hello Bill,

we are talking about DCE-ACLs, here...
And in order to prevent somebody from doing harm to your system the "sw..." way, you will have to restrict the following "levels":
- host: for communication with the "swagentd"
- root: for using the IPD (Installed Product Database)
- depot: for using depots (all you have there)

Just to show the power of those permissions: give a "plain" user (say: johndoe) the proper permission, and s/he can install or remove software on your station:
On "target" as user "root":
swacl -l root -M user:johndoe:crwit @ /
and then try as user "johndoe":

/usr/sbin/swinstall -s /tmp/PHKL_XXXXX -x auto_reboot=true '*'

The patch will be installed, the system will reboot, and all done by a "plain" user!

So you will have to restrict read/write/control/insert/test permissions for anybody except your admin group from
-l root @ /
-l host @ $(hostname)
-l depot @ $DEPOT # for ALL local depots

Just my ???0.02,
Wodisc
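As an added audit helper (not posted by anyone in this thread): given the text that `swacl -l host`, `swacl -l root` or `swacl -l depot` prints, it flags whether the any_other entry still grants read, which is what lets a remote `swlist @ host` succeed, and prints the `swacl -M any_other:-----` fix Dave and Wodisch describe for that level. The ACL text, hostname and object names below are constructed samples in the format shown above.

```sh
#!/bin/sh
# Audit helper for SD-UX ACLs (constructed example, not from the thread).
# For each level (host, root, depot) pass the `swacl -l <level>` output;
# the helper reports whether any_other can read and prints the fix.

# Constructed sample of a host ACL as it appears before hardening.
SAMPLE_HOST_ACL='#
# swacl Host Access Control List
#
# For host: pereal
#
# default_realm=pereal.guinness.com
group:swadm:crwit
any_other:-r--t'

# Constructed sample of a root ACL after `-M any_other:-----`.
SAMPLE_ROOT_ACL='group:swadm:crwit
any_other:-----'

# Print the permission field of the any_other entry (e.g. "-r--t");
# prints nothing when the listing has no any_other entry.
any_other_perms() {
    printf '%s\n' "$1" | awk -F: '$1 == "any_other" { print $2; exit }'
}

# Return 0 (true) when any_other is granted read access.
any_other_can_read() {
    case "$(any_other_perms "$1")" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the swacl command that removes all any_other access.
# $1 = level (host|root|depot), $2 = object (hostname, root path or depot).
fix_command() {
    printf 'swacl -l %s -M any_other:----- @ %s\n' "$1" "$2"
}

# Report one level; returns 0 when the level is still world-readable.
audit_level() {
    level=$1; object=$2; acl=$3
    if any_other_can_read "$acl"; then
        printf 'OPEN   %-5s %s any_other=%s -> %s\n' "$level" "$object" \
            "$(any_other_perms "$acl")" "$(fix_command "$level" "$object")"
        return 0
    fi
    printf 'CLOSED %-5s %s\n' "$level" "$object"
    return 1
}

audit_level host pereal "$SAMPLE_HOST_ACL" || true
audit_level root / "$SAMPLE_ROOT_ACL" || true
```

On a real system, feed it `swacl -l host`, `swacl -l root @ /` and `swacl -l depot @ <depot>` for every local depot, since each level is a separate ACL.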