Operating System - HP-UX

security issue using mc/sg

 
Jane-Marie Smith
Occasional Advisor

security issue using mc/sg

Have any of you guys found a security issue using mc/sg?
We have a two-node cluster on two n4000 servers with hp-ux 11.
We have identical passwd files in root on both of the servers, so when the packages switch the users can carry on working. The problem is that users of server 1 package 1 can log on to server 2 (and vice versa); this gives the user access to file systems they should have access to.
Example:-
login: dayc
Password:
Unable to change directory to "/web/u01/home/live"
Logging in with home = "/".
They can now cause some damage if they want.
I have now put a block on this by creating a .profile which logs them straight back out if they do log in.

But the question is: will this affect the failover? I.e. will the .profile be overwritten by the correct .profile when the packages switch?
Any answer would be gratefully received.
Just another day
Eugen Cocalea
Respected Contributor

Re: security issue using mc/sg

Hi,

Is the disk /web/.... mirrored on the other node?

By the way, I don't see any problem with users logging on with home '/'. They don't have write access (or they shouldn't have) on it, have they?

E.
To Live Is To Learn
Jane-Marie Smith
Occasional Advisor

Re: security issue using mc/sg

Eugen
I'm afraid they do! I logged in as an application user and was able to go to my home dir and delete a file.

The structure of the file systems exists on both servers. You have to have the mount points for SG.
Just another day
Christopher McCray_1
Honored Contributor

Re: security issue using mc/sg

Probably a silly question, but do you have that directory on server 2 for the users to go to upon logon? Second, is this filesystem a part of the package, or is it on one of the non-shared volumes on the servers?

Regards,
Chris
It wasn't me!!!!
Eugen Cocalea
Respected Contributor

Re: security issue using mc/sg

Hi again,

Are you sure they don't have the same rights on the first server? I mean, if they can log on to server1 and delete a file from another user's directory?

My assumption is that even if you log on with home / you are not root.

Well, since I don't use mc/sg I rest my case :)

E.
To Live Is To Learn
Christopher McCray_1
Honored Contributor

Re: security issue using mc/sg

I think maybe I understand your question (???)

You have a package on server 1 that users log into. Your issue is that when the package is there, people who log into server2 can't go to the directory they need to because it's on the other server, so it puts them into /. You want to know what the implications are? One, your package has an IP address for which you should have a "virtual hostname" defined in either /etc/hosts or in DNS. That "hostname" is the one you should give to your users so that no matter where the package is, they will always log into where the application is and not /, where they can do damage. This will not impact the failover because the filesystems are unmounted off server1 and remounted on server2.

Hope this helps,
Chris
It wasn't me!!!!
Jane-Marie Smith
Occasional Advisor

Re: security issue using mc/sg

Thanks for your suggestions, Eugen.

Chris,
So what you're saying is that when the package switches from server 1 to server 2 and mounts the file systems, the .profile that I created will be overwritten by the correct .profile which is part of the mounted file system, thus enabling the users to carry on working.

We use Kea, which is a terminal emulator, and all users have an icon for both apps on the workstation. It is when they open the wrong icon that they are allowed to log in, even though the IP is set to the virtual address, not the hardware address.

The mount points are on both servers so they get so far, but because there was no .profile they just drop to '/'. If you use SG maybe you could try it with one of your users and see what results you get.

I have now asked our apps supplier to log a call with HP.

Thanks for the help.
Just another day
Christopher McCray_1
Honored Contributor

Re: security issue using mc/sg

Again, I may be just a little off here, but you have identical /etc/passwds on both machines and each user has their home directory defined there. From what I can tell, the home directory you have each user accessing is at the very least /web, which is a packaged file system. That being the case, if the package is on server1 and a user logs directly into server2, they will not be able to access their home directory because it's on the other server. I believe that your created .profile will be overwritten by the one in the package, but that is okay. Again, I don't have any actual data from your machine, but this is what I think you are experiencing. Prevent your users from logging into the other server when the package is not there by providing them with the "virtual host" associated with the package. I hope I cleared things up for you.

Chris
It wasn't me!!!!
Carsten Krege
Honored Contributor

Re: security issue using mc/sg

One solution is to create that home directory on both servers when the filesystem is NOT mounted. This will ensure that the directory exists when the user performs the login. You can put a .profile into the directory that logs a message that the package is currently not running on this node and performs an exit (i.e. the user is logged off).

When the package is started the logical volume will be mounted and will simply cover these directories, thus replacing everything with the real environment.

When you do this, you should make sure to use one of the latest package control scripts (SG 11.12) that frees busy mountpoints (when processes/users keep the mountpoint busy, the mount command will fail, hence the package won't start).

Carsten
-------------------------------------------------------------------------------------------------
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. -- HhGttG
Santosh Nair_1
Honored Contributor
Solution

Re: security issue using mc/sg

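Another suggestion would be to put something in /etc/profile so that if the user doesn't have a valid home directory, it kicks them off, i.e. something like:

# Check for valid home directory; quoting HOME keeps the test
# well-formed if the value is empty or contains spaces
if [ ! -d "${HOME}" ]
then
    echo "Unable to change directory to ${HOME}"
    # /etc/profile is read by the login shell, so this ends the session
    exit 1
fi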

-Santosh
Life is what's happening while you're busy making other plans
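
A stricter variant of the /etc/profile guard above, as an added example that is not part of the original posts: it exempts root, ignores keyboard signals while the check runs, and also refuses a bare directory left under an unmounted mount point (the layout Carsten describes) by requiring a marker file. `PKG_MARKER`, `login_allowed`, `enforce_home_guard`, the uid 1001 and the sample paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: stricter variant of the /etc/profile home-directory guard.
# PKG_MARKER is a hypothetical file name (not a Serviceguard feature); create
# it once in each user's real home on the package filesystem.
PKG_MARKER=".pkg_home"

# login_allowed UID HOME: returns 0 if the session may continue, 1 otherwise.
login_allowed() {
    la_uid=$1
    la_home=$2
    # Keep root able to log in on the standby node for administration.
    [ "$la_uid" -eq 0 ] && return 0
    # Policy assumption: an empty HOME or "/" is never valid for a normal user.
    [ -n "$la_home" ] && [ "$la_home" != "/" ] || return 1
    # The directory must exist and be enterable, not just be named in passwd.
    [ -d "$la_home" ] && [ -x "$la_home" ] || return 1
    # A bare directory left under an unmounted mount point has no marker.
    [ -f "$la_home/$PKG_MARKER" ] || return 1
    return 0
}

# enforce_home_guard: call this from /etc/profile; it ends refused sessions.
enforce_home_guard() {
    trap "" 1 2 3      # ignore HUP/INT/QUIT so the check cannot be interrupted
    if ! login_allowed "$(id -u)" "$HOME"; then
        echo "This package is not running on $(hostname); logging you off."
        exit 1
    fi
    trap - 1 2 3       # restore default signal handling for the session
}

# demo: constructed directories standing in for the two cluster nodes.
demo() {
    d="${TMPDIR:-/tmp}/homeguard.$$"
    mkdir -p "$d/standby/home/live" "$d/active/home/live"
    : > "$d/active/home/live/$PKG_MARKER"     # package filesystem is mounted
    for h in "$d/active/home/live" "$d/standby/home/live" "$d/missing" /; do
        if login_allowed 1001 "$h"; then r=allow; else r=refuse; fi
        echo "uid=1001 home=${h#"$d"} -> $r"
    done
    rm -rf "$d"
}
demo
```

Only the home on the mounted package filesystem is allowed; the stub directory, the missing directory and "/" are all refused for the non-root user.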
Jane-Marie Smith
Occasional Advisor

Re: security issue using mc/sg

Santosh,

Thanks very much. It worked.
JMS
Just another day
Tim D Fulford
Honored Contributor

Re: security issue using mc/sg

Hi

I have not read the whole thread but I had something similar in the past. So if it is a repeat of an above solution sorry.

1. Users must have a home directory on the serviceguarded VG that is mounted on (for example) /home/SGusers/

2. In the SG filesystem have the regular user .profile

3. Create a dummy .profile on both/all hosts in /home/SGusers/. that kicks off the users.

What happens: when the user logs into the active node, the mounted filesystem .profile will be used. If they log in and SG is not active, the .profile under the mount point will now be visible & log them off.

Just one observation: the users should really only use the floating IP, then the above would be redundant!

Cheers

Tim
-
Stephen Doud
Honored Contributor

Re: security issue using mc/sg

ServiceGuard has a relocatable IP/package alias feature which routes login attempts to the server operating the package, precluding any need for a user to attempt to log in to a specific server.

Can it be implemented with the terminal emulator involved?

-Stephen