Bug 102466

Summary: netdump server overly trusts client root
Product: Red Hat Enterprise Linux 2.1
Reporter: Steve Bonneville <sbonnevi>
Component: netdump
Assignee: Thomas Graf <tgraf>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: 2.1
CC: rkhan
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-06-13 20:35:11 UTC

Description Steve Bonneville 2003-08-15 15:57:28 UTC
Description of problem:

I'm not sure if this bug should be severity security or enhancement.

In normal operation, the netdump client copies its session cookie to the server
using ssh on startup.  The /var/crash/.ssh/authorized_keys2 file doesn't limit
the commands the client can run on the server over ssh.  Therefore, root on a
compromised but trusted netdump client can run *any* command on the server as
user netdump without a password.

Version-Release number of selected component (if applicable): 

netdump-0.6.6-1

How to reproduce:  

1. Set up a netdump server (10.0.0.1 below) and a client that crash dumps to it.
2. Run the following command on the client as root:

   ssh -i /etc/sysconfig/netdump_id_dsa netdump@10.0.0.1 cat /etc/passwd

3. The server's /etc/passwd file is displayed to stdout.

Suggested fix:

Restrict the /var/crash/.ssh/authorized_keys2 file to only allow the cookie
distribution command by starting each key entry with a command option:

  command="echo '$MAGIC2$MAGIC1' > /var/crash/magic/$LOCALADDR"

Comment 1 Dave Anderson 2003-08-15 16:13:34 UTC

Steve -- thanks for the report.

I guess I've never seen an authorized_keys entry with a command restriction.
Can you suggest how that would be properly scripted in the netdump init script?

Here's what it does now:

propagate ()
{
    # propagate netdump ssh public key to the crashdump server
    cat /etc/sysconfig/netdump_id_dsa.pub | \
        ssh -x netdump@$NETDUMPADDR cat '>>' /var/crash/.ssh/authorized_keys2
}

Comment 2 Dave Anderson 2003-08-15 16:17:02 UTC
Damn -- the MAGIC numbers are only calculated at each boot time
registration; the "propagate" command is a one-time only operation.

Comment 3 Thomas Graf 2006-02-28 13:48:02 UTC
Even though we can't encode the MAGIC numbers into the conditional
we can submit that information via standard input. I suggest we
format the authorized entry like this:

command="cat > /var/crash/magic/$LOCALADDR",no-port-forwarding $KEY

... and do:

echo "$MAGIC2$MAGIC1" | ssh -x -i /etc/... netdump@$NETDUMPADDR

Thoughts?
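The forced-command scheme sketched in comments 1 through 3, worked through as an added example. This is not netdump's code or the fix the maintainers shipped; it assumes a hypothetical helper at /var/crash/magic/store-magic, that sshd is OpenSSH (which sets SSH_CONNECTION for the forced command), and that the cookie is a short alphanumeric token. It goes one step further than the $LOCALADDR-in-the-key-entry idea: the file name is taken from the address sshd reports for the connecting peer, so even the baked-in address cannot be confused with client-supplied data, and SSH_ORIGINAL_COMMAND is never consulted, which is what closes the "run any command as user netdump" hole.

```shell
#!/bin/sh
# Added example, not netdump's own code. Two pieces of the forced-command
# approach from this thread: (1) the authorized_keys line the server installs
# for a client key, and (2) the command that line forces, which stores the
# cookie the client sends on stdin. Paths and the cookie format are assumptions.

MAGIC_DIR="${MAGIC_DIR:-/var/crash/magic}"   # directory from the thread; store-magic location is hypothetical

# (1) Build one authorized_keys entry. Besides command=, every forwarding
# channel and pty allocation is switched off, so the key is good for nothing
# except running the forced command.
restricted_key_entry() {
    pubkey="$1"   # contents of the client's netdump_id_dsa.pub
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$MAGIC_DIR/store-magic" "$pubkey"
}

# (2) The forced command. It ignores SSH_ORIGINAL_COMMAND entirely, reads one
# line from stdin, and files it under the peer address sshd reports in
# SSH_CONNECTION ("client_ip client_port server_ip server_port"), so the
# client cannot choose the file name. Returns 0 on success, 1 on any rejection.
store_magic() {
    dir="$1"
    conn="$2"              # pass "$SSH_CONNECTION" here
    peer="${conn%% *}"
    case "$peer" in
        ""|.|..|*[!0-9A-Fa-f.:]*) return 1 ;;   # only IPv4/IPv6 address characters
    esac
    IFS= read -r cookie || return 1
    # Assumption: the cookie is a short alphanumeric token; tighten this to
    # the real MAGIC format if it differs.
    case "$cookie" in
        ""|*[!0-9A-Za-z]*) return 1 ;;
    esac
    [ ${#cookie} -le 64 ] || return 1
    printf '%s\n' "$cookie" > "$dir/$peer"
}

# Entry point when installed as the forced command (skipped when sourced).
if [ "${1:-}" = "--run" ]; then
    store_magic "$MAGIC_DIR" "${SSH_CONNECTION:-}" || exit 1
fi
```

On the client side the registration then becomes exactly the one-liner from comment 3, `echo "$MAGIC2$MAGIC1" | ssh -x -i /etc/sysconfig/netdump_id_dsa netdump@$NETDUMPADDR`; whatever trailing command a compromised client appends is discarded by sshd in favour of the forced one, and a bogus cookie or a non-address peer string is rejected before anything touches the filesystem.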