
Re: [cobalt-security] Securing Admin Pages



Duncan,

I agree. It sucks. I've asked this question before
on the list but it went a bit off topic; however, a few people did
contribute some good information. The problem is
that there are some parts of the admin control panel which have
to run under root privileges. It has to be able to add DNS entries,
add users in /etc/passwd, etc. etc., all that stuff which cannot be done
in a shell using the "Admin" account.

The general view is that the Cobalts were designed for non-*nix
people to be able to administer their box without
having to do anything from a shell. I've spoken to the people
who I rent our box from and they reckon this issue has been
reported before but there have never been any confirmed
break-ins via this route. Obviously, just because they claim
none have been confirmed does not mean it doesn't exist.

If you are comfortable setting up accounts and administering
the box from a secure shell then I'd advise doing that, although
again this destroys the point of the RaQ's ease of use for the
non-*nixers. Concerning this, the following quote is from Michael
Stauber on this list, who replied before when I brought this issue up:

<snip>
"Running the GUI as root is a must with the given architecture, as
anything else is asking for a complete redesign of the administration
interface. Sure, you could disable the GUI, but then all you've got is a
(hardware-wise) ridiculously outdated server which still has tons of design
flaws (software-wise) and no easy way of administration for the
point-and-click community, which the machine was designed for.

The only thumbs up I can give in that regard is the following: even though
the Admin GUI runs as user "root", I haven't heard that it has been
successfully exploited in any way - so far. Which is a tribute to the
Perl programmers behind the GUI - no doubt. The Apache GUI has been running
as root since ... 1997 with the introduction of the RaQs - if I'm not
mistaken.

There are other issues with the Cobalts which most/many/nobody (your mileage
may vary) could find more worrying. For instance, any FTP user can
wander outside his own directories and sniff around on almost the entire
machine. So there are no chrooted and sandboxed home directories and/or
services. Heck, even Bind-8 was running as user root for years, until a long
overdue official patch fixed it. Furthermore, the permissions of certain files
and folders look like they've been designed in Redmond <shudder>."
</snip>

So as you can see, there are other flaws with the RaQs. Also, do your logs
point to the break-in originating from Apache? Anyway, in answer to your questions:

A. Nope (well, yeah, maybe, but with some serious nightmares).
B. You could try running the panel through SSL, but then you have problems
with certificates not matching the domain names.

Anyway, hope this info helps you. Also, if you have any decent logs which point
the finger at Apache or any other service, would you mind sharing them?

G'luck.

fragga

----- Original Message -----
From: "duncan gray" <duncanrobertgray@xxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Thursday, February 21, 2002 3:05 AM
Subject: [cobalt-security] Securing Admin Pages


> Hi,
> I've recently just had one of my websites hacked on my
> server. I have no idea how, as I thought my server was
> pretty secure, as I've kept up to date with all the
> latest patches, switched my telnet over to SSH, and
> so forth. My biggest guess is that you have to pass the
> root password to the machine while logging in over the
> web admin pages; this scares me somewhat, but raises
> some questions in my mind.
>
> A. Is there a way to make the main admin pages work
> off a different user account? If not, why not, as it
> seems like a huge security hole to me.
>
> B. Secondly, I don't know much about certificates, but
> is it possible to issue a client certificate or some
> sort of certificate so you can limit only certain
> browsers/users to access that site, and make sure
> that the link between the server and the client is
> secure?
>
> Thanks
>
> Duncan.
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
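Duncan's question B and fragga's answer B describe what a TLS front on the admin pages with client certificates would look like; the Apache mod_ssl fragment below is an added example, not configuration from the thread or from the RaQ, and the hostname, the /admin location, the file paths, the admin CA name and the address range are all assumptions, since the thread does not give the RaQ's actual admin-server layout.

```apache
# Added example, not from the thread or from Cobalt. Hostname, paths, the
# /admin location, the CA names and the network range are placeholders.
<VirtualHost _default_:443>
    # The CN of the server certificate must be the name the browser types in,
    # otherwise you get exactly the "certificate does not match" warning
    # fragga mentions. A self-signed cert with this CN, imported into the
    # admin's browser, avoids that without buying a commercial cert.
    ServerName raq.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/raq.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/raq.example.com.key

    # Private CA that issued the administrators' client certificates.
    # Only certificates chaining to this CA are accepted below.
    SSLCACertificateFile  /etc/ssl/certs/admin-ca.crt

    <Location /admin>
        # Refuse plain HTTP for these pages even if port 80 also serves them,
        # so the root password is never sent in the clear.
        SSLRequireSSL

        # The browser must present a client certificate signed by admin-ca.
        SSLVerifyClient require
        SSLVerifyDepth 1

        # Tie the check to the expected issuer and organisation, so a cert
        # from some other CA that happens to be trusted is not enough.
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Example Admin CA" \
                   and %{SSL_CLIENT_S_DN_O} eq "Example Hosting"

        # Belt and braces: only from the network the admins work from.
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
    </Location>
</VirtualHost>
```

This limits who can reach the pages and protects the password in transit (question B) but does nothing about the GUI's own scripts running as root (question A); the logs of failed handshakes on this vhost also give the kind of evidence fragga asks for about where a break-in came from.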