Security implications with ZCM imaging

I am by no means a Linux guy, so I apologize if I sound confused :)

We are trying to wrap our heads around the security involved with
using
imaging on a SLES 10 SP1 install of ZCM 10.0.

Most, if not everything, ZCM-related is in
/var/opt/novell/zenworks/content-repo, including the images folder,
which is where images are backed up to and restored from.

The "images" folder is owned by zenworks.

If you create an image, then the owner of that image is root.

Obviously, when you create images from the imaging engine, it does not

require (or even provide the option of) any kind of authentication -
it
just works. I am guessing that the imaging service or something
similar
takes the file stream from the workstation and writes it to the disk.

If root is listed as the owner, then is the service running as root? And if so, is it possible that this can be hijacked? Is there any
account less privileged that can be used to run this service instead?
We are trying to figure out how to allow "group A" to login via SSH to

copy/delete/modify with image explorer the contents of "group A's"
"group A" subfolder in "images", at the same time making sure that
they
cannot access "group B's" folder, which is at the same level as "group

A's" folder.

There is concern that someone could traverse the directory structure backwards and possibly see or access something that they should not
unless the ownership is set properly.

My questions are:
1.) Is this really an issue, or are we being overly cautious?
2.) Is there anything we should do to harden the setup which will not

break anything?
3.) If we tried to do something fancy like make images/groupA a sym
link
to a folder somewhere else on the hard drive that we can secure
better,
does that even help? Wouldn't users still need to be able to access /var/opt/novell/zenworks/content-repo to get to the sym link?



Tags:

  • Jeremy Mlazovsky,

    >1.) Is this really an issue, or are we being overly cautious?
    >2.) Is there anything we should do to harden the setup which will not
    >break anything?
    >3.) If we tried to do something fancy like make images/groupA a sym
    >link to a folder somewhere else on the hard drive that we can secure
    >better, does that even help? Wouldn't users still need to be able to
    >access /var/opt/novell/zenworks/content-repo to get to the sym link?


    1. I suppose it could be an issue. In security, anything can be done. :)
    I have not tried any of the following thoughts...So they are theory.
    2. Create an account "ZCM" or such user that only has read access to most
    locations on the server, with full access to the content repo
    3. A symlink to the content-repo could probably easily be done, although I
    do not think it would stop a user from going back up the folder system..
    If that were even possible.

    All of this is theory. :)

    --
    Jared Jennings - Data Technique, Inc.
    Novell Support Forums Sysop
    My Blog and Wiki with Tips, Tricks, and Tutorials
    http://jaredjennings.org
  • Jeremy Mlazovsky,

    >1.) Is this really an issue, or are we being overly cautious?
    >2.) Is there anything we should do to harden the setup which will not
    >break anything?
    >3.) If we tried to do something fancy like make images/groupA a sym
    >link to a folder somewhere else on the hard drive that we can secure
    >better, does that even help? Wouldn't users still need to be able to
    >access /var/opt/novell/zenworks/content-repo to get to the sym link?


    1. I suppose it could be an issue. In security, anything can be done. :)
    I have not tried any of the following thoughts...So they are theory.
    2. Create an account "ZCM" or such user that only has read access to most
    locations on the server, with full access to the content repo
    3. A symlink to the content-repo could probably easily be done, although I
    do not think it would stop a user from going back up the folder system..
    If that were even possible.

    All of this is theory. :)

    --
    Jared Jennings - Data Technique, Inc.
    Novell Support Forums Sysop
    My Blog and Wiki with Tips, Tricks, and Tutorials
    http://jaredjennings.org