nv-l

Re: actionsrv parse

2001-11-26 13:37:28
Subject: Re: actionsrv parse
From: "James Shanks" <jshanks AT us.ibm DOT com>
To: nv-l AT lists.tivoli DOT com
Date: Mon, 26 Nov 2001 13:37:28 -0500
What you are seeing is now entirely normal and is a result of changes that 
were made for the security APAR IY21527.
The platform AIX or Solaris (or Digital or NT) makes no difference.
As soon as you apply this APAR e-fix or NetView 6.0.3, you will see the 
same results with NetView Version 6.0 that you are seeing in 7.1.

Because it is possible for someone to imbed a command inside a varbind, 
and thus cause a command to be issued (with root authority) when you echo 
that varbind to a file, some characters are now considered illegal and are 
escaped, that is preceded by an escape character, when they appear in a 
varbind.
You can either adjust your script accordingly to deal with them or you can 
make everything operate as it did before (and leave open the possible 
security hole) by setting an environment variable to disable the security 
checking.  I would advise adjusting the script.  For example, wherever you 
have $NVATTR_2 , you can replace it with 
`echo $NVATTR_2  |  sed  "s:\\\\\\::g"`
and the sed will remove the escape characters.

The recommended method to disable it all is to create a file called 
/usr/OV/bin/netnmrc.pre  and in it put the line:
        export AdditionalLegalTrapCharacters=disable
 Then either reboot or ovstop all the daemons (ovstop nvsecd) and restart 
them using /etc/netnmrc (AIX) or /etc/init.d/netnmrc (Solaris).
This is all documented in the e-fix for the APAR.  I don't know where that 
doc was placed in 7.1 or 6.0.3 off-hand. 

James Shanks
Level 3 Support  for Tivoli NetView for UNIX and NT
Tivoli Software / IBM Software Group
 





Jorge Jiles <Jorge.Jiles AT ualberta DOT ca>
Sent by: owner-nv-l AT tkg DOT com
11/22/2001 06:28 PM
Please respond to IBM NetView Discussion

 
        To:     nv-l AT tkg DOT com
        cc: 
        Subject:        [NV-L] actionsrv parse

 

Netview 7.1               Solaris 8

Any ideas as to why I'm getting these Varbind (\.\) errors from the action
daemon and how I can correct them.

2001/22/11 16:08:00 :   20 :/usr/OV/local/bin/stateInformer $NVG $NVS $NVA
$NVT~2001/22/11 16:05
:50~1.3.6.1.4.1.2.6.3.1~6~58916865~2172652069~0~public~2~condor.ucs.ualberta
.ca~Node Down~~topo_db~3~N~5
2001/22/11 16:08:00   ./nl_Actionsvr.C[790] :   Varbind contained an
illegal character.
Issuing sanitized version of the varbind:
2001/22/11 16:08:00   ./nl_Actionsvr.C[791] :
NVATTR_2="condor\.ucs\.ualberta\.ca"
2001/22/11 16:08:00   ./nl_Actionsvr.C[790] :   Varbind contained an
illegal character.
Issuing sanitized version of the varbind:
2001/22/11 16:08:00   ./nl_Actionsvr.C[791] :   NVATTR_5="topo_db"

/usr/OV/local/bin/StateInformer is a script that gets to be executed from a
correlation wait of 5 minutes (node down/up). If I run the script from the
command line, it works OK; also I have been using this scheme for some time
on Netview 6 on AIX with no problems. I'm moving from AIX to Solaris slowly
but surely.



Jorge A Jiles
Network Analyst
Computing & Network Services
University of Alberta
Edmonton, Alberta
Canada



_________________________________________________________________________
NV-L List information and Archives: http://www.tkg.com/nv-l
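
One way to take the "adjust the script" route while keeping the protection the APAR adds, shown as an added example that is not from the thread or from NetView itself. It assumes the escape is a backslash in front of each flagged character, as in the log excerpt; the function names, the hostname allow-list and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: handling an escaped NVATTR_n value in an action script.
# nv_unescape, nv_safe_hostname and log_node_event are hypothetical names.

# Strip the backslash escapes. Same effect as the sed in the reply, but
# single-quoted so only sed interprets the backslashes, and fed with
# printf so the value is never re-parsed by the shell.
nv_unescape() {
    printf '%s\n' "$1" | sed 's:\\::g'
}

# After unescaping, the value is raw trap data again. Accept it only if it
# looks like a host name or dotted address (assumed allow-list), and refuse
# a leading "-" so it cannot be read as an option by a later command.
nv_safe_hostname() {
    host=$(nv_unescape "$1")
    case $host in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$host"
}

# Append one line to a log file. The value only ever appears inside a
# quoted expansion passed to printf; it is never eval'd or spliced into
# a command string.
log_node_event() {   # $1 = raw NVATTR_2 value, $2 = log file
    if host=$(nv_safe_hostname "$1"); then
        printf '%s node=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$host" >> "$2"
    else
        printf '%s rejected varbind\n' "$(date '+%Y-%m-%d %H:%M:%S')" >> "$2"
        return 1
    fi
}

# Constructed sample: the escaped value shown in the log excerpt.
NVATTR_2='condor\.ucs\.ualberta\.ca'
nv_safe_hostname "$NVATTR_2"
```

With this approach the `AdditionalLegalTrapCharacters=disable` setting is not needed, because the script removes the escapes itself and rejects anything outside the expected character set.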


