mailing list archives
BoS: Big SecurID Hole??
From: cmacneill () securid com (Chris Macneill)
Date: Mon, 30 Sep 1996 17:49:59 -0500
Our thanks to David L. Reoch dave () pbi net and Richard Perlman (no address) for
pointing out the potential security problem of $VAR_ACE set to 777.
This problem has been caused by an attempt to remove the requirement for root
ownership and "suid" set on the sdshell authentication program. Unfortunately
you cannot remove these requirements without opening up the $VAR_ACE directory
to read-write access for the world. This is due to the requirement that all
users be able to create and read the nodesecret file. Thus administrators have
the choice, you either set sdshell as root with suid set and $VAR_ACE with
something between 775 and 664 permissions (I personally favour 660, since only
owner and group need to read or write to $VAR_ACE and I don't see any reason why
anyone needs to execute anything in this directory). Alternatively you leave
things as they are.
You need to choose between the root ownership and suid set status of sdshell
versus the open permissions on $VAR_ACE and nodesecret.
In ACE/Server v2.2.1 we will be returning to the original requirement of root
ownership and suid set for sdshell as the default and at least 775 restrictions
If anyone has any responses to this posting, please send them to the ACE/Server
admin specific maillist at:-
sdadmin () jabberwocky bbnplanet com
Advanced Support Manager
Security Dynamics Technologies, Inc.
- BoS: Big SecurID Hole?? Chris Macneill (Sep 30)