BB Unix Network Monitor - Message


Re: {bb} No messages required... and security



One possible workaround to this issue:

Replace the standard message check with a setuid command that _only_
checks the messages. It might not be pretty, and you'd need to carry the
modifications forward every time you upgrade, but it will work.

Of course, to play by the rules, you'll need to run that by the 2nd
party auditors... 

Sean MacGuire wrote:
> 
> > Due to 2nd party security audit requirements, all our boxes' messages
> > files must now only be readable by root.
> >
> > Currently, a user "bigbro" is the user that "runs" bigbrother daemons
> > and scripts on all our boxes, and this means of course that it reports
> > the messages file as unreadable and I get a nice red blob!
> >
> > The options would seem to be to either run bigbrother as root, or to
> > tweak bigbrother's code and scripts (including maybe the html
> > processor?) to "drop" the messages checking.
> >
> > Firstly then, what's the security implications of running bigbro as
> > root?
> 
> If you're going to run big brother as root, then I'd reinstall the
> whole thing *as root*.  Let me explain... since BB is mostly happy
> little shell scripts, and if you've installed them as a non-root
> user, then that userID might still be able to write into the scripts
> which are now being run as root.  Get the drift?
> 
> If you've gone to the efforts of tightening up access to the messages
> file, it would be kind of silly to increase risk by running BB as
> root.
> 
> Remember, that BB is your friend.  It's good to have something watching
> the messages file...
> 
> A plausible solution would be to create a bigbrother group, and allow
> the BB group read access to the messages file (or put BB in whatever
> group the messages file is in).  (That's what groups are for).
> 
> > Secondly, what would I have to do to disable message checking?
> 
> Comment out the test in bb-local.sh.  Not a good solution.
> Keeping an eye on the messages file is important (otherwise I wouldn't
> have put the test in there).  Weird, bad, things show up there first.
> You need to know about them, fast.  BB is a constant pest about
> messages; a pain in the ass; 'cause otherwise I'd forget to do it.
> 
> > Or is there another, simpler solution?  (ie force permanent green
> > status?  ignore ?)
> 
> The second-party demand of "root access only to messages" is a
> suggestion.  Have a chat with whomever is running the tool or doing
> the audit and show them BB.  Ask them about the risks of having BB
> able to read the messages file versus the risks of the file being
> "secure", but never read.  Ask them for a solution.
> 
> (Hint - the answer is the group thing).
> 
> > Separately from the above, I'll soon be having discussions with LAN/WAN
> > about firewall access to "other" boxes on "the other side".  How does BB
> > actually check for smtp and ftp etc...  does the C code just open a tcp
> > port on the required port number?
> 
> Yup.  That's what bbnet does.
> 
> > And what are the security implications (if any) of such a thing,
> 
> Um, depends on your policy, really.  Nothing prevents you from
> checking the other boxes on the other side from the other side
> with their own instance of BB, for example...
> 
> > and also of using port 1984 coming back the other way?
> 
> 1984 doesn't come back the other way in those cases.  The BBNET machine
> does all those tests (from the inside) and sends the results to
> BBDISPLAY and BBPAGER machines who are listening on port 1984 (wherever
> they are) for these messages.
> 
> > In essence you'll realise I'm looking for
> > justifications for these as otherwise all that is allowed through
> > firewalls here are ftp, telnet and http (port 80).
> 
> Depends where BBDISPLAY and BBPAGER are; that may be all you need.
> --
> Sean MacGuire, Reality Engineering              the BB Ministry of Truth
> sean@bb4.com                                    http://www.bb4.com
> +1 514 996 INET
> 
>                 "Looking down the barrel of another day"
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=
> To unsubscribe from this list, or to subscribe to the bb-digest list
> send e-mail to mailto:majordomo@bb4.com with unsubscribe bb -and/or-
> subscribe bb-digest in the BODY of the message.

-- 
Richard Beals
AT&T PWSS -- Columbus, OH
614-501-2732
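An added illustration, not BB's own code and not from either poster, of the permission reasoning in Sean's reply: the traditional Unix read/write check applied to the configurations discussed above, the messages file as the auditors left it (0600 root:root), that same file read as root, and the "group thing" (0640 root:bigbrother with bigbro added to that group), plus the caveat that a script run as root must not be writable by the non-root user who installed it. The uids, gids, modes and the "bigbrother" group are constructed for the example and do not describe any real box.

```python
import os
import stat
import tempfile

# Constructed identities for the illustration; none correspond to a real box.
ROOT_UID, ROOT_GID = 0, 0
BIGBRO_UID, BIGBRO_GID = 1001, 1001        # the "bigbro" user and its primary group
BIGBROTHER_GID = 2001                      # a new "bigbrother" group (hypothetical)
OTHER_UID, OTHER_GID = 1002, 1002          # some unrelated login


def _dac_allows(mode, file_uid, file_gid, uid, gids, user_bit, group_bit, other_bit):
    """Traditional Unix discretionary access: root, then owner, then group, then other."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & user_bit)
    if file_gid in gids:
        return bool(mode & group_bit)
    return bool(mode & other_bit)


def can_read(mode, file_uid, file_gid, uid, gids):
    return _dac_allows(mode, file_uid, file_gid, uid, gids,
                       stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_write(mode, file_uid, file_gid, uid, gids):
    return _dac_allows(mode, file_uid, file_gid, uid, gids,
                       stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def can_read_path(path, uid, gids):
    """The same read check driven by a real file's stat() data."""
    st = os.stat(path)
    return can_read(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)


def messages_scenarios():
    """The ways of handling a root-only messages file, as permission tuples."""
    bigbro = (BIGBRO_UID, {BIGBRO_GID})
    bigbro_in_group = (BIGBRO_UID, {BIGBRO_GID, BIGBROTHER_GID})
    other = (OTHER_UID, {OTHER_GID})
    audit_mode = (0o600, ROOT_UID, ROOT_GID)          # what the auditors asked for
    group_mode = (0o640, ROOT_UID, BIGBROTHER_GID)    # the "group thing"
    return {
        # red blob: bigbro cannot read the file as the auditors left it
        "audit_only/bigbro": can_read(*audit_mode, *bigbro),
        # running BB as root reads it, but every other protection goes with it
        "audit_only/root": can_read(*audit_mode, ROOT_UID, {ROOT_GID}),
        # group fix: bigbro (now in bigbrother) reads it, an unrelated user does not
        "group/bigbro": can_read(*group_mode, *bigbro_in_group),
        "group/other": can_read(*group_mode, *other),
    }


def safe_to_run_as_root(script_mode, script_uid, script_gid):
    """Sean's caveat: a script executed as root must not be writable by any non-root user."""
    for uid, gids in ((BIGBRO_UID, {BIGBRO_GID, BIGBROTHER_GID}), (OTHER_UID, {OTHER_GID})):
        if can_write(script_mode, script_uid, script_gid, uid, gids):
            return False
    return True


def demo_real_file():
    """Same check against a real 0600 file: its owner reads it, a stranger does not."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        me = (os.getuid(), set(os.getgroups()))
        stranger = (99999, {99999})       # constructed uid/gid, assumed unused on this box
        return can_read_path(path, *me), can_read_path(path, *stranger)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, ok in messages_scenarios().items():
        print(f"{name:20s} {'green' if ok else 'red'}")
    # bb-local.sh installed by bigbro and later run as root: bigbro can still edit it
    print("bigbro-owned 0755 script run as root is safe:", safe_to_run_as_root(0o755, BIGBRO_UID, BIGBRO_GID))
    print("root-owned   0755 script run as root is safe:", safe_to_run_as_root(0o755, ROOT_UID, ROOT_GID))
    print("real 0600 file (owner, stranger):", demo_real_file())
```

The point of `safe_to_run_as_root` is Sean's reinstall advice: the scripts are only as trustworthy as the least privileged account that can write them, so a root-owned 0755 tree passes and a bigbro-owned tree (or a root-owned tree that is group-writable by bigbrother) does not.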
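An added example, not bbnet's C code, of the kind of check Sean describes for smtp and ftp: a TCP connect to the service port, optionally reading whatever banner the daemon volunteers, reported as green or red. It runs offline against constructed loopback listeners standing in for an smtp and an ftp daemon, plus a port nothing listens on; the host names, ports and banner strings are made up for the illustration.

```python
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """Connect to host:port the way a network-level service check does.

    Returns (ok, detail): ok is True if the TCP handshake completed, and detail
    carries any banner the service sent on its own (SMTP and FTP greet; HTTP
    sends nothing until asked, so an empty banner is still a green result).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(1.0)
            try:
                banner = s.recv(256)
            except (socket.timeout, OSError):
                banner = b""
            return True, banner.decode("ascii", "replace").strip()
    except OSError as exc:
        return False, str(exc)


def bb_line(name, host, port):
    """One status line in the spirit of a BB report: test name, target, colour, detail."""
    ok, detail = probe_tcp(host, port)
    colour = "green" if ok else "red"
    return f"{name} {host}:{port} {colour} {detail}".rstrip()


# --- constructed stand-ins so the example runs offline -------------------------

def fake_service(banner):
    """Constructed loopback listener that greets one client like an SMTP/FTP daemon.
    Returns the port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        try:
            conn.sendall(banner)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def closed_port():
    """Pick a loopback port that nothing is listening on (bind, read it back, release it)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def run_checks():
    """Probe a constructed 'smtp' and 'ftp' plus a dead port; return (ok, detail) by name."""
    targets = {
        "smtp": fake_service(b"220 mailhost ESMTP ready\r\n"),   # constructed banner
        "ftp": fake_service(b"220 ftphost FTP server ready\r\n"),  # constructed banner
        "dead": closed_port(),
    }
    return {name: probe_tcp("127.0.0.1", port) for name, port in targets.items()}


if __name__ == "__main__":
    for name, (ok, detail) in run_checks().items():
        print(name, "green" if ok else "red", detail)
```

For the firewall discussion this is the traffic that actually crosses the boundary: the BBNET machine originates a connection to each service port it is told to test, and only the result travels (on port 1984) to wherever BBDISPLAY and BBPAGER sit. A connect that is refused or times out shows up red with the socket error as the detail, which is what you would see if the firewall silently dropped the probe.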

