Security issue of cross server job on UNIX and the solution
Newsgroups: alt.computer.security
From: WZIS Software <wzisi...@gmail.com>
Date: Fri, 10 Feb 2012 02:08:15 -0800 (PST)
Local: Fri, Feb 10 2012 5:08 am
Subject: Security issue of cross server job on UNIX and the solution
Say you have a UNIX (such as AIX, HP-UX, Linux) application server
alpha and a UNIX database server delta, with the application running
under account Charlie's privileges and the database under account
Sam's privileges.
The application generates data that will be sent to server delta; the
data is to be loaded into the database by Sam, and then a report will
be generated using the data in the database.
With today's technology, most likely sftp will be chosen for the file
transfer from alpha to delta, and most people will think this is a
very secure solution.
So what's the issue with this solution?

With this solution, you need to ask one person to do the file transfer
job, then ask the same person or another to load the data into the
database and then run the report generation program.

Here, the person who does the file transfer job needs either Sam's
password or the pass phrase for the private key of the key pair used
for public key authentication, or else you have to choose public key
authentication with no pass phrase protection for the private key.
We assume that you will use pass phrase protected public key
authentication, as this is the most secure of these options.

Then what's the security issue with this arrangement?

Let's talk about the security risk with the pass phrase protection
itself first.

One common issue here is that the pass phrase needs to be known by all
the people who will do the file transfer, which is unlikely to be only
one person.

And then a malicious person on the machine with the same or root
privilege could use a system call tracer, like tusc on HP-UX, to steal
the pass phrase when you type it.
And a malicious person with root privilege could replace the sftp
program to steal the pass phrase.

And on Solaris 10 platforms, anybody with root privilege can easily
use dtrace to capture the pass phrases when anybody uses ssh to
connect to other machines. The dtrace tool is good for debugging
issues, but is a nightmare for password/pass phrase security.

Then let's talk about another big security issue with the arrangement:
when a person is able to use sftp to transfer the data from server
alpha to server delta through account Sam on delta, that person is
also able to make changes to Sam's .profile, so if the person is
malicious, he/she will be able to set up a trap in Sam's .profile, so
that when Sam logs on to server delta, the trap will be triggered and
a false transaction will be added to the database, causing big damage
to the company.

WZIS Software has a very secure solution for this, and it can save you
huge operation costs.
Please check our solutions at http://www.wziss.com/
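The .profile trap described in the post works only because the uploader's key on delta grants a full login as Sam, so the uploader can write anywhere in Sam's home. The script below is an added example, not code from the post and not WZIS Software's product: it audits a delta-side authorized_keys file for keys that are not confined to file transfer, and emits the stock OpenSSH settings (authorized_keys `restrict,command="internal-sftp"` plus a `Match User` block with `ChrootDirectory` and `ForceCommand internal-sftp`) that keep the uploader inside a root-owned drop directory where Sam's .profile is unreachable. It goes slightly beyond the post by also flagging the old-style partial `no-pty` restriction, which still leaves a non-interactive shell. The hostnames, the user `sam`, the path `/srv/sftp/sam` and the key material are constructed placeholders, and since no sshd is started here the script only audits and generates configuration; it does nothing about the client-side pass phrase tracing the post also describes.

```shell
#!/bin/sh
# Added example, not from the original post or WZIS Software. Audits
# authorized_keys on the database server ("delta") for keys that give the
# uploader more than sftp, and prints the OpenSSH settings that confine
# the uploader to a chroot. Names, paths and key material are constructed.

# Return only the options field of an authorized_keys line ("" if none).
key_options() {
    o=$1
    for t in ssh- ecdsa-sha2- sk-; do
        o=${o%% $t*}            # cut at the first key-type token
    done
    case "$1" in
        ssh-*|ecdsa-sha2-*|sk-*) printf '' ;;   # line starts with the key: no options
        *) printf '%s' "$o" ;;
    esac
}

# Succeed when OPTIONS both deny pty/forwarding and force the sftp subsystem.
# "restrict" (OpenSSH 7.2+) covers pty, forwarding, agent, X11 and ~/.ssh/rc;
# older servers need the explicit no-pty,no-port-forwarding,... list.
key_is_restricted() {
    case "$1" in
        *restrict*) ;;
        *no-pty*) case "$1" in *no-port-forwarding*) ;; *) return 1 ;; esac ;;
        *) return 1 ;;
    esac
    case "$1" in
        *'command="internal-sftp'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the comment of each key in FILE that is not sftp-only; the exit
# status is the number of such keys (0 means every key is confined).
unrestricted_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        opts=$(key_options "$line")
        if ! key_is_restricted "$opts"; then
            printf '%s\n' "${line##* }"       # last field is the key comment
            n=$((n + 1))
        fi
    done < "$1"
    return "$n"
}

# Turn a plain public key line into an sftp-only entry.
restricted_entry() {
    printf 'restrict,command="internal-sftp" %s\n' "$1"
}

# sshd_config block for the upload account: chroot to DIR and run the
# in-process sftp server whatever the client asked for.
sshd_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n    X11Forwarding no\n    PermitTTY no\n'
}

# sshd refuses a ChrootDirectory that is not root-owned or is group/world
# writable (it checks every parent too; this checks DIR itself).
chroot_dir_ok() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -prune -user root ! -perm -020 ! -perm -002 -print)" ]
}

# Constructed sample file; the base64 is a placeholder, not a real key.
tmp=$(mktemp -d)
cat > "$tmp/authorized_keys" <<'EOF'
# uploader from alpha, installed the usual way: a full login as Sam
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER000000000000000000000000000 charlie@alpha
# partial old-style restriction: no pty, but still a shell and .profile
no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER ops@alpha
# confined correctly
restrict,command="internal-sftp" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER000000000000000000000000001 loader@alpha
EOF
echo "keys on delta that are not sftp-only:"
unrestricted_keys "$tmp/authorized_keys" || true
echo
echo "replacement entry for charlie@alpha:"
restricted_entry "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER000000000000000000000000000 charlie@alpha"
echo
sshd_match_block sam /srv/sftp/sam
rm -rf "$tmp"
```

With the chroot in place the uploader can only write below `/srv/sftp/sam` (typically a root-owned top level with a writable `upload` subdirectory), so Sam's loader job reads from that drop directory and the home directory, including .profile, is never exposed to the uploader's key. Keep `ChrootDirectory` root-owned and mode 0755; sshd will refuse the login otherwise, which `chroot_dir_ok` reproduces for the directory itself.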


 