[Xymon] XyMon client binaries default security is bad

zGreenfelder zgreenfelder at gmail.com
Thu Mar 7 07:37:02 CET 2013


On Thu, Mar 7, 2013 at 12:49 AM, Jeremy Laidman
<jlaidman at rebel-it.com.au> wrote:
> On 2 March 2013 06:44, Larry Barber <lebarber at gmail.com> wrote:
>>
>> It could allow bogus reports to be sent to the Xymon server, maybe hiding
>> something malicious.
>
>
> I can do that using telnet, or in the absence of telnet, I can use bash.
> The binaries make it slightly more convenient, that's all.
>
>>
>> Also, a lot of security scans will pick up on things that are world
>> executable and not in one of the standard directories (like /usr/bin, /bin,
>> etc.).
>
>
> Really!  Why?  I've never seen this, except when the script is also
> world-writeable.  What security scanner(s) are you referring to?
>
> Lots of users write their own scripts and keep them in their home
> directories.  Sysadmins write scripts like this all the time.  I'm not sure
> this is a useful security stance.
>
> J

It's a common notion, although I don't think it really helps in true
security very often. I've usually seen it in places where a
draconian security policy is compiled by people who don't really
understand what they're doing from a wide range of internet sources
that are then too widely applied. E.g. one place I worked for
established a security policy that insisted that root's home dir be
mode 700, owned by root. Which is a pretty decent suggestion for
Linux machines where root's home is (typically) /root. On a Solaris
machine where root's home dir is typically (or at least was then) /,
it'll render a machine unusable. But since it'd been found at what
some security auditor considered to be a reputable site and s/he
didn't understand the underlying reasoning, it became the standard
policy to be applied across all OSes and all machines (and yes if you
added the extra clause that root's home dir can not be /, it goes back
to possibly a reasonable security policy).

You can also argue that it's part of a 'least possible permissions'
sort of thing where only the users/groups that _Need_ to run the
programs/scripts have perms to do it, reducing the potential exposure
if a security flaw is uncovered at some point in the future.

-- 
Even the Magic 8 ball has an opinion on email clients: Outlook not so good.
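
The "mode 700, owned by root, unless root's home is /" rule from the message above, written as a portable audit check. This is an added example, not code from the thread or from Xymon; the function name, its FS_PREFIX and OWNER_UID arguments and the sample passwd line are assumptions made for illustration.

```shell
#!/bin/sh
# audit_root_home PASSWD_FILE [FS_PREFIX] [OWNER_UID]
#   FS_PREFIX and OWNER_UID are hypothetical helpers for this example: a
#   staging prefix prepended to the home path, and the uid that must own
#   the directory (default 0). Returns 0 for OK/SKIP, 1 for FAIL, 2 on error.
audit_root_home() {
    passwd_file=$1
    prefix=${2:-}
    want_uid=${3:-0}

    home=$(awk -F: '$1 == "root" { print $6; exit }' "$passwd_file")
    if [ -z "$home" ]; then
        echo "ERROR: no root entry in $passwd_file"
        return 2
    fi

    # The Solaris case from the message: root's home is the filesystem root.
    # Report the rule as not applicable rather than as a finding to "fix",
    # since mode 700 on / stops every non-root user from traversing any path.
    if [ "$home" = "/" ]; then
        echo "SKIP: root home is /, mode 700 rule not applicable"
        return 0
    fi

    dir=$prefix$home
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 2
    fi

    # POSIX ls: -n numeric owner, -L follow a symlinked home, -d the dir itself.
    # Characters 2-10 of field 1 are the permission bits, field 3 is the uid.
    line=$(ls -ldnL "$dir" | awk '{ print substr($1, 2, 9), $3 }')
    perms=${line% *}
    uid=${line#* }

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $uid, expected $want_uid"
        return 1
    fi
    if [ "$perms" != "rwx------" ]; then
        echo "FAIL: $dir has mode bits $perms, expected rwx------ (700)"
        return 1
    fi
    echo "OK: $dir is mode 700 and owned by uid $uid"
}

# Constructed demo input: a Solaris-style passwd line with root's home at /.
demo=$(mktemp) && printf 'root:x:0:0:Super-User:/:/sbin/sh\n' > "$demo"
audit_root_home "$demo"; rm -f "$demo"
```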


