Knowledge Partner

Potential security issue if user is Supervisor of NCP server object?

Hi

I need to provide some support staff with the ability to use DSTrace in
iMonitor.

The support staff have limited rights in the tree, they can start/stop
IDM drivers, modify some objects etc. They can't modify password policy
or ACLs.

I have found out that a user needs supervisor entry rights to the NCP
server object to be able to use DSTrace from iMonitor.

If I give those rights what kind of other rights would the staff get by
default?

What kind of security holes would I open?

They could of course probably delete the NCP object right?

OS is SLES10, non-OES, just pure SLES and eDirectory 8.8.6.

Thanks
Anonymous_User Absent Member.

Re: Potential security issue if user is Supervisor of NCP server object?

Controlling the server object is a pretty big deal. If they really just
need to be using trace, have you considered just setting up 'sudo' via
/etc/sudoers to let them run ndstrace (or a script you set up to make it
easier for them which calls ndstrace itself) only as the 'root' user
when they need to do tracing?

Good luck.
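The sudo approach suggested in the reply above, as an added example that is not part of the original thread: a sudoers fragment showing the over-broad grants next to a scoped one. The group name `edirsupport`, the wrapper script name and the ndstrace path are assumptions; confirm the path on your own server.

```sudoers
# Added example. Edit with `visudo` so a syntax error is caught before
# the file is saved.
#
# Assumptions (not from the thread):
#   - support staff are in a local group named "edirsupport"
#   - ndstrace is installed at /opt/novell/eDirectory/bin/ndstrace
#     (check with `which ndstrace` as root)

# Too broad: the same as handing out the root password.
# %edirsupport ALL = (ALL) ALL

# Still too broad: the command is fixed, but any arguments are accepted.
# %edirsupport ALL = (root) /opt/novell/eDirectory/bin/ndstrace

# Scoped: this exact binary, as root only. The trailing "" tells sudo to
# refuse the command if any argument is supplied.
Cmnd_Alias NDSTRACE = /opt/novell/eDirectory/bin/ndstrace ""
%edirsupport ALL = (root) NDSTRACE

# If a wrapper script is used instead (hypothetical name below), list the
# script rather than ndstrace. The script and every directory above it
# must be owned by root and not writable by the group, otherwise editing
# the script is a path to root.
# Cmnd_Alias NDSTRACE = /usr/local/sbin/ndstrace-support ""
```

Staff then run `sudo /opt/novell/eDirectory/bin/ndstrace`; sudo logs each invocation with the calling user, which gives an audit trail that a shared root login does not.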
peterkuo Absent Member.

Re: Potential security issue if user is Supervisor of NCP server object?


They will gain additional file system rights but not 'object' rights to
other objects - which is what I think you may be afraid of? But one
wouldn't want to be able to mess with NCP Server object anyways since it
contains a lot of other important attributes. So sudo is the better way
to go - though I haven't checked, but would Console Operator priv. be
sufficient?


Knowledge Partner

Re: Potential security issue if user is Supervisor of NCP server object?

Since we don't have any volumes in eDirectory that is not a problem.
You are correct, I'm thinking of "object" rights in eDirectory.

How can I give Console Operator rights?

Thanks

On 02/12/2011 18:46, peterkuo wrote:
>
> They will gain additional file system rights but not 'object' rights to
> other objects - which is what I think you may be afraid of? But one
> wouldn't want to be able to mess with NCP Server object anyways since it
> contains a lot of other important attributes. So sudo is the better way
> to go - though I haven't checked, but would Console Operator priv. be
> sufficient?
>
>

peterkuo Absent Member.

Re: Potential security issue if user is Supervisor of NCP server object?


alekz;2158339 Wrote:
>
> How can I give Console Operator rights?
>


That is one of the attribute/properties of the NCP Server object; you
will need to browse and select the desired User object to be assigned.

