A thread on the LCG-rollout list needs a few comments -
1) whatever the middleware distribution version a process to install and
maintain the OS with security patches is a local responsibility and
should be in place
2) incidents should be reported through local security contacts to
[log in to unmask]
3) discussion of incidents and vulnerabilities should be on
[log in to unmask]
4) it is evident that upgrading RH73-based systems should be a high
priority
Ian
| Ian Neilson
| Grid Deployment Group, CERN
> -----Original Message-----
> From: LHC Computer Grid - Rollout [mailto:[log in to unmask]]
> On Behalf Of Jiri Kosina
> Sent: 11 March 2005 09:35
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] No jobs at IHEP
>
> On Fri, 11 Mar 2005, Eygene A. Ryabinkin wrote:
>
> >> $ globus-job-run ce001.m45.ihep.su:2119/jobmanager-fork /bin/ls -l
> >> /usr/bin/ssh
> >> -r-s--x--x 1 root root 273832 Sep 17 2003 /usr/bin/ssh
> >> The first one doesn't need comment, I think. The second one is quite
> >> suspicious - there is no reason for ssh client to be setuid root.
> > Actually, there is: for openssh < 3.3 ssh IS setuid to make rhosts and
> > hostbased auth work.
>
> Unfortunately, this is not the case:
>
> $ globus-job-run ce001.m45.ihep.su:2119/jobmanager-fork /bin/rpm -qi
> openssh-clients | grep -i version
> Version : 3.6.1p2
>
> > One possible break-in path is via stock sendmail in RH 7.3 that gives you
> > local root. At least for LCG-2.2.0 it is so, and, as I understand,
> > LCG-2.3.0 installs the same version: 8.11.6-27.73. I myself tested it on
> > 2.2.0 -- it perfectly gives local root. So chances are quite big, that
> > for 2.3.0 it is so. I don't know about 2.3.1, but I'll investigate it today.
> > Just my 2 cents.
>
> There are many other possible attack vectors against stock LCG 2_3_x
> installation. For example the kernel at Protvino site can be owned using
> the old sys_uslib() technique, etc.
>
> --
> Jiri Kosina
> Institute of Physics, Academy of Sciences of the Czech Republic
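The check the quoted exchange performs by hand (look at the mode bits of /usr/bin/ssh, then decide from the installed openssh-clients version whether setuid root is justified) can be turned into a small audit that a site runs over its own `ls -l` output. The following is an added example and not code from the thread or from the LCG distribution; the listing lines, the installed-version map and the policy table are constructed for illustration, and the one rule taken from the thread is that an OpenSSH ssh client needs setuid root only below version 3.3.

```python
"""Audit a directory listing for setuid/setgid binaries that policy does not justify.

Added example (not from the LCG-ROLLOUT thread). Input is `ls -l` text in the
form shown in the thread; the policy table and sample data are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One `ls -l` line: type, 9 permission chars, link count, owner, group, size,
# three date fields, then the path (may contain spaces).
LS_LINE = re.compile(
    r'^([-dlbcps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+'
    r'\s+\S+\s+\S+\s+\S+\s+(.+?)\s*$'
)


@dataclass
class Entry:
    filetype: str
    perms: str
    owner: str
    group: str
    path: str

    @property
    def setuid(self) -> bool:
        # third permission char is the owner execute slot: 's' or 'S' means setuid
        return self.perms[2] in 'sS'

    @property
    def setgid(self) -> bool:
        # sixth permission char is the group execute slot
        return self.perms[5] in 'sS'


def parse_ls_line(line: str) -> Optional[Entry]:
    """Parse one `ls -l` line; returns None for lines that do not match (e.g. 'total 12')."""
    m = LS_LINE.match(line.strip())
    return Entry(*m.groups()) if m else None


def parse_version(v: str) -> Tuple[int, ...]:
    """Leading dotted numeric part of a package version: '3.6.1p2' -> (3, 6, 1)."""
    m = re.match(r'(\d+(?:\.\d+)*)', v)
    if not m:
        raise ValueError(f'unparseable version: {v!r}')
    return tuple(int(x) for x in m.group(1).split('.'))


# Constructed policy: path -> None (privileged bits always legitimate) or
# (package, version) meaning "legitimate only while package is older than version".
# The /usr/bin/ssh rule is the one stated in the thread: setuid root is needed
# only for OpenSSH < 3.3 (rhosts / hostbased authentication).
SETUID_POLICY: Dict[str, Optional[Tuple[str, Tuple[int, ...]]]] = {
    '/usr/bin/passwd': None,
    '/usr/bin/ssh': ('openssh-clients', (3, 3)),
}


def setuid_expected(path: str, installed: Dict[str, str]) -> bool:
    """Does policy justify privileged bits on `path` given the installed package versions?"""
    if path not in SETUID_POLICY:
        return False
    rule = SETUID_POLICY[path]
    if rule is None:
        return True
    package, below = rule
    version = installed.get(package)
    if version is None:
        return False  # cannot justify the bit without knowing the package version
    return parse_version(version) < below


def audit_setuid(listing: List[str], installed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every regular file whose setuid/setgid bit policy does not cover."""
    findings = []
    for line in listing:
        e = parse_ls_line(line)
        if e is None or e.filetype != '-' or not (e.setuid or e.setgid):
            continue
        if not setuid_expected(e.path, installed):
            bits = '+'.join(b for b, on in (('setuid', e.setuid), ('setgid', e.setgid)) if on)
            findings.append((e.path, f'unexpected {bits} binary owned by {e.owner}:{e.group}'))
    return findings


# Constructed sample listing and package map (the ssh line mirrors the thread's output).
SAMPLE_LISTING = [
    '-r-s--x--x 1 root root 273832 Sep 17  2003 /usr/bin/ssh',
    '-r-s--x--x 1 root root  15368 May 12  2002 /usr/bin/passwd',
    '-rwxr-xr-x 1 root root  52384 May 12  2002 /bin/ls',
    '-rwsr-xr-x 1 root root  40960 Jan  3  2004 /var/tmp/.x/sh',
]
SAMPLE_INSTALLED = {'openssh-clients': '3.6.1p2'}

if __name__ == '__main__':
    for path, reason in audit_setuid(SAMPLE_LISTING, SAMPLE_INSTALLED):
        print(f'{path}: {reason}')
```

With the thread's version (3.6.1p2) the audit flags /usr/bin/ssh as well as the stray file under /var/tmp; with a pre-3.3 openssh-clients it would accept the ssh client and flag only the stray file. On a real host the listing would come from `find / -perm /6000 -type f -exec ls -l {} +` and the package map from `rpm -q --queryformat`, and the policy table should be derived from the distribution's own package manifests rather than typed in by hand.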