Potential security issue with Novell Remote Manager?

Ok, I've tried to convince myself that it's me that's the problem but unfortunately I cannot "undo" what I've done.

Novell OES Linux: Linux 2.6.5-7.151-default i686, SUSE LINUX Enterprise Server 9 (i586)
Novell Remote Manager


I'm toying around with local logins to the linux box with eDir/LDAP authentication. I have been able to log in as myself (an admin to the tree via group membership which has S to the tree) and as the 'default admin account'.

I wanted to see what the interface would look like as a regular user but was unsuccessful in logging in. The web login prompted me with "Login Error! Username or Password invalid. Please try again."

OK, so I tried a different user. Same problem. Just for fun I made one of the users a member of the Administrator group (again, Administrator group has S privs to the entire tree). Magically, the user was able to log into the NRM interface. "Cool" I thought, regular users cannot even access the NRM screen. I then took the user out of the Administrator group, waited for eDir to sync (about five seconds as verified by an 'iptraf' screen), logged the user out of NRM and tried to log back in. To my surprise, the user can log in and more importantly can delete ANY file from ANY partition on the linux box?


WTH? Seems the S rights to the box haven't been removed! I verified this behavior with other users and they get permanently elevated privs. Hopefully this is a bug that can be fixed!?

Thanks, Brian
Re: Potential security issue with Novell Remote Manager?

Hi,

Brian Schonecker wrote:
>
> Ok, I've tried to convince myself that it's me that's the problem but unfortunately I cannot "undo" what I've done.


Let me check.

CU,
--
Massimo Rosen
Novell Support Connection Sysop
No emails please!
http://www.cfc-it.de
Re: Potential security issue with Novell Remote Manager?

Hmmm....seems after a long while, the user cannot log in again — which is the behavior I would expect immediately after removing him from the administrators group.

Is there some caching that could be going on? (Not on the PC side, but the linux server side).

Brian
Re: Potential security issue with Novell Remote Manager?

Definitely seems to be a timing/caching issue on the linux OES server.

I added a regular user to the administrators group and then logged him in successfully to Novell Remote Manager (NRM) at PC #1. Then I removed him, logged him out of NRM from PC #1 and logged him in from another workstation. Unfortunately, he still had admin privs to the OES Linux server.

Eventually though, the privs do go away. I just haven't determined how long it takes with any kind of accuracy.

Brian
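As an added illustration (not code from NRM, Novell or anyone in this thread), the following Python model replays the sequence Brian describes against a hypothetical login service that remembers a successful admin check per user and lets it expire only by time. With `revalidate` set, group membership is re-resolved at every login and the cached decision is dropped at logout, which closes the stale-privilege window. All names (`LoginService`, `replay`, the user "bob", the 300-second TTL) are assumptions.

```python
ADMIN_GROUP = "Administrators"   # the group carrying S rights to the tree in the thread


class LoginService:
    """Hypothetical admin-UI login that caches a successful admin check per user."""

    def __init__(self, group_members, cache_ttl, revalidate, clock):
        self.groups = group_members      # constructed stand-in for eDir/LDAP groups
        self.ttl = cache_ttl
        self.revalidate = revalidate     # True = the fixed behaviour
        self.clock = clock
        self._cache = {}                 # user -> expiry of a cached "is admin" decision

    def login(self, user):
        now = self.clock()
        expires = self._cache.get(user)
        if expires is not None and now < expires and not self.revalidate:
            return True                  # stale answer: group removal not seen
        allowed = user in self.groups.get(ADMIN_GROUP, set())   # fresh lookup
        if allowed:
            self._cache[user] = now + self.ttl
        return allowed

    def logout(self, user):
        if self.revalidate:
            self._cache.pop(user, None)  # cached decision dies with the session


def replay(revalidate, ttl=300):
    """Replay the thread's steps under a fake clock and return the login outcomes."""
    clock = [0.0]
    groups = {ADMIN_GROUP: set()}
    svc = LoginService(groups, ttl, revalidate, clock=lambda: clock[0])
    outcomes = [svc.login("bob")]              # regular user: denied
    groups[ADMIN_GROUP].add("bob")
    outcomes.append(svc.login("bob"))          # admin now: allowed
    groups[ADMIN_GROUP].discard("bob")
    svc.logout("bob")
    clock[0] += 5                              # eDir sync has completed
    outcomes.append(svc.login("bob"))          # the login Brian did not expect
    clock[0] += ttl                            # cached decision has aged out
    outcomes.append(svc.login("bob"))
    return outcomes
```

`replay(False)` yields the thread's observation (the third login still succeeds and only the fourth, after the TTL, is refused); `replay(True)` refuses the user as soon as the group change has synced.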
Re: Potential security issue with Novell Remote Manager?

Hi,

Brian Schonecker wrote:
>
> Hmmm....seems after a long while, the user cannot log in again — which is the behavior I would expect immediately after removing him from the administrators group.
>
> Is there some caching that could be going on? (Not on the PC side, but the linux server side).


No idea, sorry.

CU,
--
Massimo Rosen
Novell Support Connection Sysop
No emails please!
http://www.cfc-it.de