Networker

Re: [Networker] Security concerns with NMC?

2009-10-16 15:18:02
Subject: Re: [Networker] Security concerns with NMC?
From: Tim Mooney <Tim.Mooney AT NDSU DOT EDU>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Fri, 16 Oct 2009 14:11:44 -0500
In regard to: [Networker] Security concerns with NMC?, George Sinclair said...:

> Before installing the NMC software, I have some concerns about the user
> account that this will run under, specifically the fact that this
> package runs as a web server on whatever machine you install it on, if I
> understand correctly, yes? Makes me kinda nervous.

There are many, many things about most commercial, closed-source
applications that make me nervous.  I have encountered hundreds of
packages over the years that blithely assume that they will be run as
root, in most cases for no good reason.  Packages like that make me really
nervous.

A package with documentation that says "don't run me as root" still presents
opportunities for concern, but one of the biggest areas for concern is
already addressed.  Which non-root user it runs as isn't something I'm
losing any sleep over.

> "Specify a User/Group with limited privileges that NMC will use to run
> the web server. This must be a non-root user. For example, Linux
> operating systems have a default user/group [nobody/nobody] that can be
> used."
>
> 1. What would be considered a user with limited privileges? Any new
> user/group that you create that's not root (uid=0 or gid=0)?

Any user that doesn't have special privileges.  If you've just created a
user with a unique uid and gid and haven't given them any special
privileges, then they definitely have the limited privileges the
documentation is talking about.

> 2. Is anyone using a restricted shell for this? Would that even work or be of any security advantage?
>
> 3. How about a chrooted environment?

For us, the answer is no and no.  I take security very seriously, but
honestly these aren't my highest concerns with NMC or other NetWorker
components.

You want something security-related to be concerned about with NMC,
here's one: there's no support for encryption during the authentication
process.

Tim
--
Tim Mooney                                             Tim.Mooney AT ndsu DOT edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, IACC Building                             701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
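
Added example, not part of the original message and not EMC's code: one way to check that an account meets the "limited privileges" bar discussed in the thread. It goes beyond the uid=0/gid=0 test to also flag a shared uid and privileged group membership; the account names `nmcweb` and `nmcbad`, the sample data, and the `PRIV_GROUPS` list are assumptions made for illustration.

```shell
# Added example: audit an account in passwd(5)/group(5)-format files.
PRIV_GROUPS="root wheel sudo admin adm disk shadow docker"  # assumption: tune per site

# audit_account USER [PASSWD_FILE] [GROUP_FILE]
# Prints one finding per line. Returns 0 = limited, 1 = findings, 2 = unknown user.
audit_account() {
    user=$1; passwd=${2:-/etc/passwd}; group=${3:-/etc/group}
    ids=$(awk -F: -v u="$user" '$1 == u { print $3, $4; exit }' "$passwd")
    [ -n "$ids" ] || { echo "no such user: $user"; return 2; }
    uid=${ids% *}; gid=${ids#* }
    findings=$(
        [ "$uid" -ne 0 ] || echo "uid is 0"
        [ "$gid" -ne 0 ] || echo "primary gid is 0"
        # A second account name on the same uid is the same identity to the kernel.
        awk -F: -v u="$user" -v id="$uid" \
            '$3 == id && $1 != u { print "uid shared with " $1 }' "$passwd"
        # Privileged group held as primary group or as supplementary membership.
        awk -F: -v u="$user" -v gid="$gid" -v priv="$PRIV_GROUPS" '
            BEGIN { n = split(priv, p, " "); for (i = 1; i <= n; i++) isp[p[i]] = 1 }
            !($1 in isp) { next }
            $3 == gid { print "primary group is " $1; next }
            { m = split($4, mem, ",")
              for (i = 1; i <= m; i++) if (mem[i] == u) print "member of " $1 }
        ' "$group"
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"; return 1
}

# make_sample DIR: write constructed sample data (nmcweb, nmcbad are hypothetical).
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:alt root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
nmcweb:x:1501:1501:NMC web:/nonexistent:/usr/sbin/nologin
nmcbad:x:1502:10:NMC web:/home/nmcbad:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
adm:x:4:nmcbad
wheel:x:10:
nmcweb:x:1501:
EOF
}

d=$(mktemp -d); make_sample "$d"
for a in nmcweb nobody nmcbad toor; do
    echo "== $a"; audit_account "$a" "$d/passwd" "$d/group" || true
done
rm -rf "$d"
```

The check covers account and group data only; sudoers rules and file capabilities can also grant privilege and need a separate look.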
