
SUP questions

I have a bunch of OpenBSD machines which I would like to upgrade with
sup.  I was wondering if anyone has tried to do this, and if so could
help me with the following questions:

The biggest problem seems to be that I can't sup files that aren't
world readable (or readable by some group the password for which goes
over the net in quasi-cleartext).  Thus, I can't sup files whose
contents I don't really care about keeping secret (e.g. /sbin/init)
without either changing the default permissions or severely weakening
security by letting all the sup clients log in as root.

It would seem that most of these problems would go away if I had some
way of telling the sup server to reject requests for any collections
except those in the coll.dir file, or to have the server reject a
client attempt to set the hostbase.

Should I hack supfilesrv to reject hostbase requests?  Hostbase seems
like it could generally be a pretty bad security hole.  A malicious
person could give me a tarfile with a sup/evil directory which, if I
simply untar it, allows him to sup my entire hard-drive as an
anonymous user.  (There could easily be world readable files I don't
want people without accounts on the system reading.)

Am I just asking for security problems by using sup instead of rdist,
even if I'm willing to tolerate the risk of man-in-the-middle or TCP
spoofing attacks corrupting the data I'm supping?  Is there something
else people typically do in these situations [e.g. run a "find . !
-perm -4" into a pax on the server, have the client download the
tarfile and automatically untar it?  yuck!].

Thanks for any suggestions.
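As an added example (not part of the original post, and not sup's own code): the alternative sketched at the end of the message, a server-side pass that separates the files sup can serve to an anonymous client (world-readable, mode bit 004 set) from those it cannot, and bundles only the latter into an archive. The collection directory, the archive path and the sample tree are assumptions; the sample files are constructed here so the script can be tried offline. It uses pax when present and falls back to tar's `-T -`, which is an assumption about the installed tools.

```shell
#!/bin/sh
# Added example: audit a sup collection tree for files that are not
# world-readable (the ones an anonymous sup client can never fetch) and
# pack just those with pax, leaving the world-readable rest to sup.
# Paths and the sample tree below are constructed for illustration.

# make_demo_tree: build a constructed sample tree under $1 mixing
# world-readable and private files. Not a real sup collection.
make_demo_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/etc"
    printf 'public binary\n' > "$root/bin/ls"
    chmod 0755 "$root/bin/ls"
    printf 'public config\n' > "$root/etc/hosts"
    chmod 0644 "$root/etc/hosts"
    printf 'secret\n' > "$root/etc/master.passwd"
    chmod 0600 "$root/etc/master.passwd"
    printf 'group only\n' > "$root/etc/grouponly"
    chmod 0640 "$root/etc/grouponly"
}

# list_private: print, relative to $1 and sorted, every regular file that
# lacks the other-read bit (find's "! -perm -004", the post's "! -perm -4").
list_private() {
    ( cd "$1" && find . -type f ! -perm -004 | sort )
}

# count_private: number of files list_private would report for $1.
count_private() {
    list_private "$1" | wc -l | tr -d ' '
}

# pack_private: archive the non-world-readable files under $1 into $2.
# The archive itself is made owner-only, since it holds exactly the
# files that were not meant to be world-readable.
pack_private() {
    dir=$1
    out=$2
    if command -v pax >/dev/null 2>&1; then
        ( cd "$dir" && find . -type f ! -perm -004 | pax -w -f "$out" )
    else
        # Assumption: a tar that accepts a file list on stdin via -T -.
        ( cd "$dir" && find . -type f ! -perm -004 | tar -cf "$out" -T - )
    fi
    chmod 0600 "$out"
}

# Usage (assumed invocation): sh audit_sup.sh /path/to/collection /path/to/private.tar
if [ $# -eq 2 ]; then
    echo "files sup cannot serve anonymously from $1:"
    list_private "$1"
    pack_private "$1" "$2"
    echo "archived $(count_private "$1") file(s) into $2"
fi
```

The split is by permission bits, not by content, so it only tells you which files sup would refuse to an anonymous client; deciding which world-readable files should nonetheless not leave the machine is still a review of the list, not something the script can decide.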