Bug 102466 - netdump server overly trusts client root
Summary: netdump server overly trusts client root
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: netdump
Version: 2.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Thomas Graf
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2003-08-15 15:57 UTC by Steve Bonneville
Modified: 2014-06-18 08:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-13 20:35:11 UTC
Target Upstream Version:
Embargoed:



Description Steve Bonneville 2003-08-15 15:57:28 UTC
Description of problem:

I'm not sure if this bug should be severity security or enhancement.

In normal operation, the netdump client copies its session cookie to the server
using ssh on startup.  The /var/crash/.ssh/authorized_keys2 file doesn't limit
the commands the client can run on the server over ssh.  Therefore, root on a
compromised but trusted netdump client can run *any* command on the server as
user netdump without a password.

Version-Release number of selected component (if applicable): 

netdump-0.6.6-1

How to reproduce:  

1. Set up a netdump server (10.0.0.1 below) and a client that crash dumps to it.
2. Run the following command on the client as root:

   ssh -i /etc/sysconfig/netdump_id_dsa netdump@10.0.0.1 cat /etc/passwd

3. The server's /etc/passwd file is displayed to stdout.

Suggested fix:

Restrict the /var/crash/.ssh/authorized_keys2 file to only allow the cookie
distribution command by starting each key entry with a command option:

  command="echo \"$MAGIC2$MAGIC1\" > /var/crash/magic/$LOCALADDR"

Comment 1 Dave Anderson 2003-08-15 16:13:34 UTC


Steve -- thanks for the report.  

I guess I've never seen an authorized_keys entry with a command restriction.
Can you suggest how that would be properly scripted in the netdump init script?

Here's what it does now:

propagate ()
{
    # propagate netdump ssh public key to the crashdump server
    cat /etc/sysconfig/netdump_id_dsa.pub | \
        ssh -x netdump@$NETDUMPADDR cat '>>' /var/crash/.ssh/authorized_keys2
}

Comment 2 Dave Anderson 2003-08-15 16:17:02 UTC
Damn -- the MAGIC numbers are only calculated at each boot time
registration; the "propagate" command is a one-time only operation.

Comment 3 Thomas Graf 2006-02-28 13:48:02 UTC
Even though we can't encode the MAGIC numbers into the conditional
we can submit that information via standard input. I suggest we
format the authorized entry like this:

command="cat /var/crash/magic/$LOCALADDR",no-port-forwarding $KEY

... and do:

echo "$MAGIC2$MAGIC1" | ssh -x -i /etc/... netdump@$NETDUMPADDR

Thoughts?
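The forced-command approach from this thread, written out as an added example (not netdump's own init script): the server-side entry pins the key to the client address and forces a command that only writes stdin into the per-client cookie file, and the client pipes the cookie over ssh instead of running a shell command. The function names, the `MAGIC_DIR` variable and the cookie character check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not netdump's own code. Assumed names:
# build_authorized_entry, receive_magic, send_magic, MAGIC_DIR.

# $1 = client public key line (contents of netdump_id_dsa.pub)
# $2 = client address, expanded once when the entry is written
build_authorized_entry() {
    pubkey=$1
    client=$2
    # from= restricts the key to that source address; command= replaces
    # whatever the client asks to run; the no-* options drop forwarding
    # and the pty, leaving only a stdin channel.
    printf 'from="%s",command="cat > %s/%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$client" "${MAGIC_DIR:-/var/crash/magic}" "$client" "$pubkey"
}

# Server side of the forced command, simulated: sshd runs the command=
# string and only exposes the client's request in SSH_ORIGINAL_COMMAND,
# so "cat /etc/passwd" from the client never executes. Here the cookie
# is also checked before it is stored (assumed: cookies are alphanumeric).
receive_magic() {
    client=$1
    dir=${MAGIC_DIR:-/var/crash/magic}
    read -r cookie
    case $cookie in
        ''|*[!0-9a-zA-Z]*) return 1 ;;
    esac
    printf '%s\n' "$cookie" > "$dir/$client"
}

# Client side at boot: the cookie travels on stdin, no remote command
# is named, so it works with the forced command above. Not run here.
send_magic() {
    echo "$MAGIC2$MAGIC1" | ssh -x -i /etc/sysconfig/netdump_id_dsa "netdump@$NETDUMPADDR"
}
```

Registering the key once with `build_authorized_entry` replaces the unrestricted `cat '>>' authorized_keys2` step; the cookie itself is still sent at every boot.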
