Subject | RE: [IBDI] Path on win NT 4.0 => INTERBASE SECURITY HOLE |
---|---|
Author | Claudio Valderrama C. |
Post date | 2000-06-11T23:49:20Z |
Why not? What are the problems you have found?
Or are you talking about Classic?
In superServer, at least in NT, I can start the Guardian as system (because
it has no interaction with the outside world, no security hole) and let it
start IB in the context of a domain user, for example.
Also, I remember some old article from Reed Mideke, former IB Build Engineer
where he wrote that after a bit of tweaking, it was possible. I've copied it
here:
-----Original Message-----
From: Reed Mideke
Sent: Wednesday, April 26, 2000 20:29
Subject: [IB-Architect] Running as a normal user on NT.
Arrgh. This isn't architect or priorities really, but making it
work right will require some changes, so I'll go with architect ...
> Of course you have to do a lot of work to make NT reasonably secure to
> begin with (see ntbugtraq.com, for example for some hints on getting
> there). I'm not sure if there is any problem running IB service as
> another user on NT. Anyone tried ?
>
Ok, I checked this out a little. First of all, to use IPC access,
the server service must be run as localsystem, because it needs
the 'interact with desktop' right, which only services running as
localsystem are allowed to have. It doesn't actually need to interact
with the desktop, but IPC is initiated by a windows message, so this
right is required. There was talk of removing the use of windows
messaging
this in the next generation IPC protocol, so this issue might go away.
I first tried taking away the 'interact with desktop'
right (while continuing to let IB run as localsystem), and, as expected,
I could connect with tcpip loopback but not with IPC. Anyway, I created
an NT user interbase, with the default privileges (a member of the
group 'users' and nothing else), and set the server and guardian to run
as that. NT notified me that it had given the user interbase the 'log on
as a service' right.
I tried connecting with tcp/ip and failed. Checking the interbase.log,
there was a message saying that the guardian could not start the server.
I then added the interbase user to the administrators group, (I know
this
defeats the purpose, but it helps the process of elimination), and
was able to connect via tcp/ip. So this means it's a matter of finding
the right rights (or is that rites ? ;-)
Final result (after a misguided attempt burning some old apple ][
floppies while facing Redmond), was that setting the >guardian< to log
on as local system, and the server to log on a regular user interbase
(who did not have admin privs) allows a tcp/ip connection.
It is probably possible to further restrict the rights of the interbase
user. Given a careful use of filesystem ACLs, I imagine you could greatly
reduce the potential damage done by a rogue ib user.
Please note that to make this of any use at all, you need to do a bunch
of work setting the file and registry permissions on your NT box,
because
Microsoft's default settings are nuts from a security point of view. I
can dig up references to sites that describe this process if anyone
wants.
You also (obviously) have to use NTFS for your system drive and
interbase
installation area.
BTW, all of the above was done on ib version WI-B6.0.0.530
and NT 4.0 SP6a
Finally, I didn't test anything more than connect, show database
and select * from employee. And I only tested using localhost
for tcpip.
I'll try to do a little more testing and come up with a 'running
ib as a normal user on NT' howto.
Regards,
reed.
--
Reed Mideke
rfm(at)collectivecomputing.com
-----End of Original Message-----
After reading again such posting I realized I was not blatantly wrong. IB
Guardian as system (local account) and IB itself as an user. Maybe it needs
some rights, but they can be narrowed. Of course, the connection cannot be
shared memory (local IB connection) but TCP but AFAIK, local TCP connections
are somewhat optimized (or unoptimized?) automatically by NT. And all that
fuss because IB expects two Windows messages at the beginning to initialize
IPC.
C.
> -----Original Message-----
> From: Nando Dessena [mailto:nandod2@...]
> Sent: Thursday, June 1, 2000 3:13
> To: IBDI@egroups.com
> Subject: Re: [IBDI] Path on win NT 4.0 => INTERBASE SECURITY HOLE
>
>
> Claudio,
>
> > As you can see, not as easy. There's a security hole in the sense of your
> > users discovering the real location of the db, but you are advised to run IB
> > under a non-privileged user so you can restrict permissions to that user.
>
> am I missing something, or this is not possible with the current version
> of IB?
>
> Nando
>
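The following is an added example, not part of the thread or of InterBase: a PowerShell check, for a current Windows host, that the service split Reed describes is in place (Guardian as LocalSystem, server as a regular user outside Administrators, no 'interact with desktop' on the server). The service names `InterBaseGuardian` and `InterBaseServer`, the host name `HOST1` and the sample objects are assumptions made for illustration.

```powershell
# Added example. Service names are hypothetical placeholders; use your install's names.
$GuardianName = 'InterBaseGuardian'
$ServerName   = 'InterBaseServer'

function Test-ServiceSplit {
    # $Guardian / $Server: objects exposing Name, StartName, DesktopInteract
    # (the shape of Win32_Service). $AdminMembers: direct members of Administrators.
    param($Guardian, $Server, [string[]]$AdminMembers = @(),
          [string]$Computer = $env:COMPUTERNAME)
    $findings = @()
    if ($Guardian.StartName -ne 'LocalSystem') {
        $findings += "$($Guardian.Name) runs as '$($Guardian.StartName)', expected LocalSystem"
    }
    if ([string]::IsNullOrEmpty($Server.StartName) -or $Server.StartName -eq 'LocalSystem') {
        $findings += "$($Server.Name) still runs as LocalSystem"
    } else {
        # Win32_Service reports local accounts as '.\name'; group members are 'HOST\name'.
        $account = $Server.StartName -replace '^\.\\', "$Computer\"
        if ($AdminMembers -contains $account) {
            $findings += "$($Server.Name) account '$account' is a member of Administrators"
        }
    }
    if ($Server.DesktopInteract) {
        $findings += "$($Server.Name) has 'interact with desktop' set"
    }
    return $findings
}

# Constructed sample (not real output): the end state described in the thread.
$sampleGuardian = [pscustomobject]@{ Name = $GuardianName; StartName = 'LocalSystem'
                                     DesktopInteract = $false }
$sampleServer   = [pscustomobject]@{ Name = $ServerName; StartName = '.\interbase'
                                     DesktopInteract = $false }
$sample = @(Test-ServiceSplit $sampleGuardian $sampleServer `
            -AdminMembers @('HOST1\Administrator') -Computer 'HOST1')
"Sample findings: $($sample.Count)"

# Live check: runs only if both (assumed) service names exist on this machine.
$g = Get-CimInstance Win32_Service -Filter "Name='$GuardianName'"
$s = Get-CimInstance Win32_Service -Filter "Name='$ServerName'"
if ($g -and $s) {
    # S-1-5-32-544 is the built-in Administrators group; nested groups are not expanded.
    $admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
    @(Test-ServiceSplit $g $s -AdminMembers $admins) | ForEach-Object { "FINDING: $_" }
}
```

The check covers only the service accounts; the file and registry ACL work mentioned in the thread has to be reviewed separately.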