swlist @ remotehost returns list of sw!
Honored Contributor
Bill McNAMARA_1
Posts: 3,866
Registered: ‎11-14-2000
Message 1 of 10
Accepted Solution

swlist @ remotehost returns list of sw!

if I run
swlist @ remotehost
from localhost,
I can see all software installed on remotehost.

In my books this is a security flaw especially when one of my hosts is built for security!

How do I stop it?

pereal:root> swlist @ labatt
# Initializing...
# Contacting target "labatt"...
#
# Target: labatt:/
#

#
# Bundle(s):
#

B2491BA B.11.00 MirrorDisk/UX
B3693AA C.02.40.000 HP GlancePlus/UX for s800 11.0
B3884FA_AGL B.11.00 HP-UX 8-User License
B5736BA A.03.20 HA Monitors
B_SSH 1.2.27 Secure Shell
HPOC-1100-CORE B.11.00.20000914 HPUX Patch Bundle for HPOC Products
HPUXEng64RT B.11.00.01 English HP-UX 64-bit Runtime Environment
J4254AA B.11.00.01 PCI 4 PORT 100BASE-T/9000
OnlineDiag B.11.00.13.16 HPUX 11.0 Support Tools Bundle
XSWGR1100 B.11.00.50.5 HP-UX General Release Patches, September 2000
#
# Product(s) not contained in a Bundle:
#

Medusa 5.3.a Security/Audit Monitoring Toolset
MedusaLocalConf Local configurations and filters for Medusa slaves.
OMNIBACK-II A.03.10 HP OpenView OmniBack II
OSD-SEC A.02.11f HP OSD Security Tools
PWplus 3.1.a Password Security Toolset
SecurityTools 1.0 Security tools
It works for me (tm)
Trusted Contributor
Marcin Wicinski
Posts: 215
Registered: ‎06-12-2001
Message 2 of 10

Re: swlist @ remotehost returns list of sw!

Hi Bill,
I don't exactly remember, but the swacl command should be useful.
Marcin Wicinski
Honored Contributor
Bill McNAMARA_1
Posts: 3,866
Registered: ‎11-14-2000
Message 3 of 10

Re: swlist @ remotehost returns list of sw!

pereal:root> swacl -l host @ labatt
#
# swacl Host Access Control List
#
# For host: labatt
#
# Date: Fri Nov 16 12:37:35 2001
#

# Object Ownership: User= root
# Group=sys
# Realm=labatt.grenoble.hp.com
#
# default_realm=labatt.guinness.com
user:in:crwit
user:mvesian:crwit
user:ocmc:crwit
user:ocmp:crwit
user:pack:crwit
user:ss7:crwit
group:swadm:crwit
any_other:-r--t

I guess I should modify the any_other entry somehow so that read is not allowed.

Later,
Bill
It works for me (tm)
Trusted Contributor
Marcin Wicinski
Posts: 215
Registered: ‎06-12-2001
Message 4 of 10

Re: swlist @ remotehost returns list of sw!

I think we can try to edit the /var/adm/sw/_ACL file, which contains the security list. Put "-" instead of "r" in the any_other line.
Marcin Wicinski
Trusted Contributor
David Lodge
Posts: 142
Registered: ‎06-07-1999
Message 5 of 10

Re: swlist @ remotehost returns list of sw!

The way I do it is IIRC:

swacl -l root -M any_other:-----

This will remove all access for any user except for root on the machine (including other servers).

dave
Honored Contributor
Bill McNAMARA_1
Posts: 3,866
Registered: ‎11-14-2000
Message 6 of 10

Re: swlist @ remotehost returns list of sw!

After running the command, it works (localhost can't list remotehost).

But swacl -l host still shows the older permissions?

pereal:root> swacl -l host
#
# swacl Host Access Control List
#
# For host: pereal
#
# Date: Fri Nov 16 13:01:36 2001
#

# Object Ownership: User= root
# Group=sys
# Realm=pereal.guinness.com
#
# default_realm=pereal.guinness.com
group:swadm:crwit
any_other:-r--t
It works for me (tm)
Trusted Contributor
Marcin Wicinski
Posts: 215
Registered: ‎06-12-2001
Message 7 of 10

Re: swlist @ remotehost returns list of sw!

 
Marcin Wicinski
Trusted Contributor
Marcin Wicinski
Posts: 215
Registered: ‎06-12-2001
Message 8 of 10

Re: swlist @ remotehost returns list of sw!

Log out and log back in, or restart swagentd:

# swagentd -r
Marcin Wicinski
Trusted Contributor
David Lodge
Posts: 142
Registered: ‎06-07-1999
Message 9 of 10

Re: swlist @ remotehost returns list of sw!

This is the difference 'twixt a root and a host: a host defines the whole host (i.e. server/partition) that you are querying; a root defines the root directory *on that host*.

If one restricts the ACL on a root to only readable by the root user, then nobody but the root user can examine the software installed on that root. (Note: SD allows more than one root, e.g. for development/UAT environments you can have several roots such as:
/test/UAT1
/test/UAT2
etc. The 'normal' root is '/')

For a host it will affect access to see what roots/depots exists on that host...

To see:
sudo swacl -l host -M any_other:-----
swlist
[list of software]
sudo swacl -l host -M any_other:rt
sudo swacl -l root -M any_other:-----
swlist
[Error no access rights]

I hope that's cleared up a bit (I'm still confused :-)

To try and describe it in a different way - the ACLs describe access rights to look at the contents on the level you're looking at, so root describes the product/files etc installed on that root. host describes the objects available on that host...

dave
Honored Contributor
Wodisch
Posts: 3,779
Registered: ‎06-30-2000
Message 10 of 10

Re: swlist @ remotehost returns list of sw!

Hello Bill,

we are talking about DCE-ACLs, here...
And in order to prevent somebody from doing harm to your system the "sw..." way, you will have to restrict the following "levels":
- host: for communication with the "swagentd"
- root: for using the IPD (Installed Product Database)
- depot: for using depots (all you have there)

Just to show the power of those permissions: give a "plain" user (say: johndoe) the proper permission, and s/he can install or remove software on your station:
On "target" as user "root":
swacl -l root -M user:johndoe:crwit @ /
and then try as user "johndoe":

/usr/sbin/swinstall -s /tmp/PHKL_XXXXX -x auto_reboot=true '*'

The patch will be installed, the system will reboot, and all done by a "plain" user!

So you will have to restrict read/write/control/insert/test permissions for anybody except your admin group from
-l root @ /
-l host @ $(hostname)
-l depot @ $DEPOT # for ALL local depots

Just my 2 cents,
Wodisch