Bug 102466 - netdump server overly trusts client root
netdump server overly trusts client root
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: netdump (Show other bugs)
2.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Thomas Graf
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-08-15 11:57 EDT by Steve Bonneville
Modified: 2014-06-18 04:28 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-13 16:35:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Steve Bonneville 2003-08-15 11:57:28 EDT
Description of problem:

I'm not sure if this bug should be severity security or enhancement.

In normal operation, the netdump client copies its session cookie to the server
using ssh on startup.  The /var/crash/.ssh/authorized_keys2 file doesn't limit
the commands the client can run on the server over ssh.  Therefore, root on a
compromised but trusted netdump client can run *any* command on the server as
user netdump without a password.

Version-Release number of selected component (if applicable): 

netdump-0.6.6-1

How to reproduce:  

1. Set up a netdump server (10.0.0.1 below) and a client that crash dumps to it.
2. Run the following command on the client as root:

   ssh -i /etc/sysconfig/netdump_id_dsa netdump@10.0.0.1 cat /etc/passwd

3. The server's /etc/password file is displayed to stdout.

Suggested fix:

Restrict the /var/crash/.ssh/authorized_keys2 file to only allow the cookie
distribution command by starting each key entry with a command option:

  command="echo "$MAGIC2$MAGIC1" \> /var/crash/magic/$LOCALADDR"
Comment 1 Dave Anderson 2003-08-15 12:13:34 EDT


Steve -- thanks for the report.  

I guess I've never seen an authorized_keys entry with a command restriction.
Can you suggest how would that be properly scripted in the netdump init script?

Here's what it does now:

propagate ()
{
    # propagate netdump ssh public key to the crashdump server
    cat /etc/sysconfig/netdump_id_dsa.pub | \
        ssh -x netdump@$NETDUMPADDR cat '>>' /var/crash/.ssh/authorized_keys2
}
Comment 2 Dave Anderson 2003-08-15 12:17:02 EDT
Damn -- the MAGIC numbers are only calculated at each boot time
registration; the "propagate" command is a one-time only operation.
Comment 3 Thomas Graf 2006-02-28 08:48:02 EST
Even though we can't encode the MAGIC numbers into the conditional
we can submit that information via standard input. I suggest we
format the authorized entry like this:

command="cat /var/crash/magic/$LOCALADDR",no-port-forwarding $KEY

... and do:

echo "$MAGIC2$MAGIC1" | ssh -x -i /etc/... netdump@NETDUMPADDR

Thoughts?

Note You need to log in before you can comment on or make changes to this bug.