I am by no means a Linux guy, so I apologize if I sound confused :)
We are trying to wrap our heads around the security involved with
imaging on a SLES 10 SP1 install of ZCM 10.0.
Most, if not everything, ZCM-related is in
/var/opt/novell/zenworks/content-repo, including the images folder,
which is where images are backed up to and restored from.
The "images" folder is owned by zenworks.
If you create an image, then the owner of that image is root.
Obviously, when you create images from the imaging engine, it does not
require (or even provide the option of) any kind of authentication -
just works. I am guessing that the imaging service or something
takes the file stream from the workstation and writes it to the disk.
If root is listed as the owner, then is the service running as root? And if so, is it possible that this can be hijacked? Is there any
account less privileged that can be used to run this service instead?
We are trying to figure out how to allow "group A" to login via SSH to
copy/delete/modify with image explorer the contents of "group A's"
"group A" subfolder in "images", at the same time making sure that
cannot access "group B's" folder, which is at the same level as "group
There is concern that someone could traverse the directory structure backwards and possibly see or access something that they should not
unless the ownership is set properly.
My questions are:
1.) Is this really an issue, or are we being overly cautious?
2.) Is there anything we should do to harden the setup which will not
3.) If we tried to do something fancy like make images/groupA a sym
to a folder somewhere else on the hard drive that we can secure
does that even help? Wouldn't users still need to be able to access /var/opt/novell/zenworks/content-repo to get to the sym link?