Re: Security problem in ESRI's ArcDoc 7.0.4

James W. Abendschan (jwa@nbs.nau.edu)
Fri, 24 May 1996 19:12:46 -0700

Way back on May 24, 11:05am, "Sven.Wijk" wrote:
> The program doesn't seem to be there in the version we are running (7.0.2).
> Downgrading might be an alternative solution. Please correct me if I'm wrong!

Downgrading might work, but Arc/Info is so buggy we *need* 7.0.4.  I
just removed the suid bit from fm_fls; it seems to not have any adverse
effects.

> A quick search in the ArcInfo directories showed 4 other programs suid to root.
> Do we have a potential for problems?

Hmm..

-rwsr-sr-x   1 root     root     1319912 Jan 21 01:31 ./arcexe70/programs/asmaster
-rwsr-sr-x   1 root     root     5871192 Jan 21 01:32 ./arcexe70/programs/asrecovery
-rwsr-sr-x   1 root     root     6059112 Jan 21 01:32 ./arcexe70/programs/asuser
-rwsr-sr-x   1 root     root     1110856 Jan 21 01:32 ./arcexe70/programs/asutility
-rwsr-sr-x   1 root     root     3724136 Jan 29 12:00 ./arcexe70/programs/se
-rwsr-sr-x   1 root     root       24464 Jan 21 01:31 ./arcexe70/programs/wservice
-rwsr-sr-x   1 root     root       20016 Jan 21 01:20 ./arcexe70/programs/abservice
-rwsr-sr-x   1 root     root     3200832 Jan 21 01:20 ./arcexe70/programs/asbuil

I suppose statistically, there must be at least one security bug in
programs this large. Unfortunately (?), all but two of these won't run on our
system (we don't have a license for them.)

> Our GIS-people earlier looked at ESRI's product ArcStorm. Its client-server
> solution is built on:
>   - a bunch of programs suid to root
>   - the client must be trusted hosts to the server, by means of the /etc/.rhost
>     or /etc/host.equiv file.
> This made me very uneasy, and I finally managed to get them to drop their
> ArcStorm-dreams, and to search for some more security minded solution.
> It seems that security isn't a high priority issue for ESRI's developers.

Nor is bug-free code, but this isn't alt.esri.bash.bash.bash ..

James


--
James W. Abendschan                                 Email: jwa@nbs.nau.edu
UNIX Systems Programmer/Administrator               Phone: (520) 556-7466 x238
Colorado Plateau Research Station, Flagstaff, AZ    Voice mail: *516
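As an added example that is not part of the original thread: a small POSIX shell audit that reads an `ls -l` listing (four entries copied from the post plus two constructed ones), picks out the binaries that are setuid and owned by root, and prints the `chmod u-s` step the post describes taking on fm_fls, without running it. `$ARCHOME` in the comments is an assumed install root.

```shell
#!/bin/sh
# Added example, not from the original post: audit an ls -l listing for
# setuid-root binaries and print the chmod commands that would drop the
# bit, the same step the post describes taking on fm_fls.

# Sample input: the first four lines are copied from the listing in the
# post; the last two are constructed to show entries the filter must skip.
SAMPLE_LISTING='-rwsr-sr-x   1 root     root     1319912 Jan 21 01:31 ./arcexe70/programs/asmaster
-rwsr-sr-x   1 root     root       24464 Jan 21 01:31 ./arcexe70/programs/wservice
-rwsr-sr-x   1 root     root       20016 Jan 21 01:20 ./arcexe70/programs/abservice
-rwsr-sr-x   1 root     root     3200832 Jan 21 01:20 ./arcexe70/programs/asbuil
-rwxr-xr-x   1 root     root       10240 Jan 21 01:20 ./arcexe70/programs/arc
-rwsr-xr-x   1 gis      gis        10240 Jan 21 01:20 ./arcexe70/programs/gistool'

# Read ls -l lines on stdin; print the path of every regular file that is
# owned by root and has the setuid bit (an "s" or "S" in the owner-execute
# column). A setuid file owned by a non-root user is not a root exposure,
# so it is skipped. Whether the binary is licensed does not matter: the
# kernel honours the bit regardless. Paths are taken from the last field,
# so names containing spaces are not handled.
suid_root_paths() {
    awk 'substr($1, 1, 1) == "-" && $3 == "root" {
        x = substr($1, 4, 1)
        if (x == "s" || x == "S") print $NF
    }'
}

# Count the entries reported by suid_root_paths (awk rather than wc, so
# the result carries no leading padding).
count_suid_root() {
    suid_root_paths | awk 'END { print NR + 0 }'
}

# Emit, without executing, one "chmod u-s" per setuid-root path so the
# admin can review the list before applying it.
drop_suid_commands() {
    suid_root_paths | while IFS= read -r p; do
        printf 'chmod u-s %s\n' "$p"
    done
}

# Live equivalents for an installed tree ($ARCHOME is an assumed path):
#   ls -l "$ARCHOME"/programs | suid_root_paths
#   find "$ARCHOME" -type f -user root -perm -4000 -print

# Demo on the sample listing.
printf '%s\n' "$SAMPLE_LISTING" | drop_suid_commands
```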