On 03/31/10 12:19 PM, Rainer Orth wrote:
Over the last couple of days, I've been working to set up an AI and IPS
infrastructure for a ZFS-based sort of flash archive installation, based
on the OSDevCon 2009 paper by Philip Torchinsky and Peter Karlsson:

        http://www.osdevcon.org/2009/program_detail.html#philip
        http://www.osdevcon.org/2009/slides/automated_deployment_of_hundreds_of_opensolaris_machines_philip_torchinsky.pdf
        http://voyager-eng.livejournal.com/1155.html

While doing this, I've found and reported at least two serious security
issues with both AI and IPS:

        15362   AI manifests are installed world-readable
        http://defect.opensolaris.org/bz/show_bug.cgi?id=15362

I noticed that AI manifests are stored world readable on the AI server,
leaving the passwords in the embedded SC manifests accessible to anyone
with an account on the AI server.

        15417   pkg.depotd lacks access control
        http://defect.opensolaris.org/bz/show_bug.cgi?id=15417

As soon as pkg.depotd is started, anyone can publish packages to it,
thus also updating and hijacking existing ones.

Both bugs per se may not be reason for concern on their own, but at
least part of the response so far and the underlying mindset is, thus
I'd like to bring the issue to a wider audience.
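A server-side check for the first issue Rainer reports, added here as an example rather than anything from the thread or the Caiman project: it lists the files under an AI manifest directory whose mode grants read access to "other" (the condition behind bug 15362) and can strip that bit again. The directory path is an assumption passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an AI server's
# manifest directory for world-readable files.  The directory is an
# assumption; pass the real manifest directory as the first argument.

# Print every regular file under $1 whose permission bits grant "other" read.
# -perm -004 is the portable spelling of "the other-read bit is set".
find_world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Return 0 if nothing under $1 is world-readable, 1 otherwise, listing the
# offenders on stderr.  Suitable as a cron job or a post-install check.
audit_manifest_dir() {
    dir=$1
    offenders=$(find_world_readable "$dir")
    if [ -n "$offenders" ]; then
        printf 'world-readable files under %s:\n%s\n' "$dir" "$offenders" >&2
        return 1
    fi
    return 0
}

# Remediation: remove all "other" access from every world-readable file.
# Run as the owner of the manifest tree (or root).
lock_down_manifests() {
    find "$1" -type f -perm -004 -exec chmod o-rwx {} \;
}
```

The audit deliberately tests the mode bits rather than trying to open each file, so it gives the same answer whether it is run as root or as an unprivileged account on the AI server.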


It's unfortunate that you chose this route rather than perhaps a more direct escalation with the project leads. We share your goals, though as Danek said priorities may not align at particular points in time.

Getting to technical issues... With respect to the AI bug, yes, it's a problem, I see no denial of that in the conversation so far. The current mechanism for system configuration in AI was a temporary hack until the SMF-based replacement could be built, and while it's well on the way to being replaced, the replacement is not ready yet and won't be for a while. Your further comments seem to assume that the system configuration manifest would continue to be directly available through the existing AI manifest service, which has not been proposed, and in fact is not at all likely, for many reasons, including this one. I'm quite certain that we can provide sufficient security for this configuration data, not least because the wanboot infrastructure we're leveraging has stronger security measures available, though we have yet to make use of them. Getting there will take some work, however, and is certainly not something that will be accomplished in a week.

In the meantime, I would recommend using IPfilter to restrict access to the AI manifest services, and also suggest installing on the client a first-boot service (appropriately secured with file system permissions, of course) that replaces the password for any account that is a concern so that any data obtained through the manifest service is useless.

Dave
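The client-side first-boot service Dave suggests, sketched as an added example (not code from the thread or from the installer project): shell functions that replace or lock the password hash of an account in a shadow-format file, atomically and keeping the file's mode, plus a start-method wrapper that reads the replacement hash from a root-only file and deletes it afterwards. The file paths, the SMF service name and the hash file are assumptions, and the hashes in the comments are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for a first-boot service that
# replaces the password hash exposed through the AI/SC manifest.  The file
# layout follows /etc/shadow (colon-separated, hash in field 2).  Paths, the
# SMF service name and the hash source are assumptions.

# Internal: run awk program $3 over shadow-format file $1 with awk variables
# u=$2 and h=$4, then replace the file atomically.  cp -p gives the temporary
# file the original's mode and owner before it is rewritten.  The program must
# set "found" when it touches a line, so a typo in the user name fails loudly.
_edit_shadow() {
    file=$1 user=$2 prog=$3 value=$4
    tmp="$file.$$"
    cp -p "$file" "$tmp" || return 1
    awk -F: -v u="$user" -v h="$value" "
        BEGIN { OFS = \":\" }
        $prog
        { print }
        END { exit found ? 0 : 1 }
    " "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$file"
}

# Replace USER's hash in FILE with NEWHASH, leaving every other field alone.
replace_shadow_hash() {
    _edit_shadow "$1" "$2" '$1 == u { $2 = h; found = 1 }' "$3"
}

# Lock USER in FILE by prefixing the hash with *LK*, the convention Solaris
# passwd -l uses; a second call is a no-op rather than a double prefix.
lock_shadow_account() {
    _edit_shadow "$1" "$2" \
        '$1 == u { if ($2 !~ /^\*LK\*/) $2 = "*LK*" $2; found = 1 }' ""
}

# Print the current hash of USER in FILE (for verification).
current_hash() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Start method for a hypothetical service svc:/site/firstboot-pwreset
# (assumed name): take the replacement hash from a file that shipped on the
# image mode 0400 owned by root, apply it, remove the file, then disable the
# service so it runs exactly once.  Arguments override the defaults for testing.
firstboot_pwreset() {
    shadow=${1:-/etc/shadow}
    hashfile=${2:-/etc/firstboot/root.hash}
    user=${3:-root}
    [ -r "$hashfile" ] || return 1
    replace_shadow_hash "$shadow" "$user" "$(cat "$hashfile")" || return 1
    rm -f "$hashfile"
    # svcadm disable -s svc:/site/firstboot-pwreset:default   (assumed name)
}
```

The wrapper is meant to be the start method of a transient SMF service delivered with the image; the hash file must ship root-owned and mode 0400, because anything readable through the manifest service is exactly what the service exists to neutralise. One caveat: the hash travels through awk -v, which interprets backslash escapes, so a hash containing a backslash would need a different transport (a plain environment variable read with ENVIRON, for instance).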

_______________________________________________
caiman-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/caiman-discuss
