
Security implications with ZCM imaging

I am by no means a Linux guy, so I apologize if I sound confused 🙂

We are trying to wrap our heads around the security involved with using imaging on a SLES 10+SP1 install of ZCM 10.0.

Most, if not everything, ZCM-related is in
/var/opt/novell/zenworks/content-repo, including the images folder,
which is where images are backed up to and restored from.

The "images" folder is owned by zenworks.

If you create an image, then the owner of that image is root.

Obviously, when you create images from the imaging engine, it does not require (or even provide the option of) any kind of authentication - it just works. I am guessing that the imaging service or something similar takes the file stream from the workstation and writes it to the disk.

If root is listed as the owner, then is the service running as root? And if so, is it possible that this can be hijacked? Is there any account less privileged that can be used to run this service instead?

We are trying to figure out how to allow "group A" to log in via SSH to copy/delete/modify with image explorer the contents of "group A's" "group A" subfolder in "images", at the same time making sure that they cannot access "group B's" folder, which is at the same level as "group A's" folder.

There is concern that someone could traverse the directory structure backwards and possibly see or access something that they should not unless the ownership is set properly.

My questions are:
1.) Is this really an issue, or are we being overly cautious?
2.) Is there anything we should do to harden the setup which will not break anything?
3.) If we tried to do something fancy like make images/groupA a sym link to a folder somewhere else on the hard drive that we can secure better, does that even help? Wouldn't users still need to be able to access /var/opt/novell/zenworks/content-repo to get to the sym link?




Re: Security implications with ZCM imaging

Jeremy Mlazovsky,

>1.) Is this really an issue, or are we being overly cautious?
>2.) Is there anything we should do to harden the setup which will not
>break anything?
>3.) If we tried to do something fancy like make images/groupA a sym
>link to a folder somewhere else on the hard drive that we can secure
>better, does that even help? Wouldn't users still need to be able to
>access /var/opt/novell/zenworks/content-repo to get to the sym link?


1. I suppose it could be an issue. In security, anything can be done. 🙂
I have not tried any of the following thoughts, so they are theory.
2. Create an account "ZCM" or such user that only has read access to most locations on the server, with full access to the content repo.
3. A symlink to the content-repo could probably easily be done, although I do not think it would stop a user from going back up the folder system. If that were even possible.

All of this is theory. 🙂

--
Jared Jennings - Data Technique, Inc.
Novell Support Forums Sysop
My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
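
An added example, not part of the original thread or of ZENworks: a shell audit of the per-group layout discussed above, flagging subfolders of an images directory that users outside the owning group could reach. The groupA/groupB names, the modes and the base.zmg file are constructed for the demo, and whether the ZCM imaging service tolerates tightened modes is an untested assumption.

```shell
#!/bin/sh
# Audit a per-group layout under an images directory (added example).
# Prints one finding per line; no output means nothing was flagged.
audit_images() {
    root=$1
    # Parent readable by "other": any local user can list the group folders.
    find "$root" -maxdepth 0 -perm -004 \
        -exec printf 'PARENT_LISTABLE %s\n' {} \;
    # Group folders granting any permission bit to "other".
    find "$root" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -001 -o -perm -002 -o -perm -004 \) \
        -exec printf 'OTHER_ACCESS %s\n' {} \;
    # Group folders without setgid: new files keep the writer's own group
    # instead of inheriting the folder's group.
    find "$root" -mindepth 1 -maxdepth 1 -type d ! -perm -2000 \
        -exec printf 'NO_SETGID %s\n' {} \;
    # Image files readable by "other", whatever the folder mode says.
    find "$root" -mindepth 2 -type f -perm -004 \
        -exec printf 'WORLD_READABLE %s\n' {} \;
}

# Build a constructed tree: groupA hardened, groupB left open.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/images/groupA" "$d/images/groupB"
    chmod 711 "$d/images"            # traverse only, no listing for "other"
    chmod 2770 "$d/images/groupA"    # owner + group only, setgid
    chmod 755 "$d/images/groupB"     # weak: world can enter and list
    : > "$d/images/groupB/base.zmg"  # constructed image file name
    chmod 644 "$d/images/groupB/base.zmg"
    printf '%s\n' "$d/images"
}

# Audit the directory given as $1, or the constructed tree when none is given.
audit_images "${1:-$(demo_tree)}"
```

Moving up the tree with `cd ..` cannot be prevented; what a user sees there is decided by the mode bits on each directory, which is what the audit reports.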