Date:      Tue, 25 Jun 2002 09:20:04 -0700 (PDT)
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        freebsd-ports@FreeBSD.org
Subject:   RE: ports/39254: Insecure mode on scripts in the icradius port
Message-ID:  <200206251620.g5PGK4G44915@freefall.freebsd.org>

The following reply was made to PR ports/39254; it has been noted by GNATS.

From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Sergey N. Voronkov" <serg@tmn.ru>
Cc: <freebsd-gnats-submit@FreeBSD.ORG>
Subject: RE: ports/39254: Insecure mode on scripts in the icradius port
Date: Tue, 25 Jun 2002 09:10:07 -0700

 >-----Original Message-----
 >From: Sergey N. Voronkov [mailto:serg@tmn.ru]
 >Sent: Tuesday, June 25, 2002 8:01 AM
 >To: Ted Mittelstaedt
 >Cc: freebsd-gnats-submit@FreeBSD.ORG
 >Subject: Re: ports/39254: Insecure mode on scripts in the icradius port
 >
 >
 >On Thu, Jun 13, 2002 at 04:38:21PM -0700, Ted Mittelstaedt wrote:
 >>      Port of ICRADIUS (/usr/ports/net/icradius) installs several
 >> scripts such as userexport.pl into /usr/local/share/icradius/scripts
 >> as mode 755; they should be mode 700. The icradius database userID
 >> and password must be hard-coded into the scripts for them to work,
 >> and an inexperienced administrator would probably not think to
 >> change mode on these after modifying them.
 >>
 >>   Note that an out-of-the-box installation of icradius doesn't ask
 >> for mysql passwords and thus, unmodified, these scripts aren't an
 >> immediate security risk.  But the port chooses to install them and
 >> really ought to take that extra step to do it in a secure fashion.
 >>
 >>   A regular user on the FreeBSD system running icradius who has
 >> the mysql passwords for the radius database can execute
 >> userexport.pl and pull the entire RADIUS username/password database
 >> out of the mysql server.
 >>
 >>   Needless to say, any RADIUS server is a mischief trove and any
 >> sane admin wouldn't allow public accounts on it - wouldn't they? ;-)
 >> But we shouldn't make it too easy for the crackers, though.
 >
 >Scripts are installed ONLY as examples :-)).
 >
 >Do I need to reflect this feature in pkg-message?
 >
 
 That would be fine too.
 
 >Best Regards,
 >
 >Serg N. Voronkov,
 >Sibitex JSC
 >
 >P.S.: icradius is nearly dead - no changes to the remote hole in several
 >months. I'm thinking of dropping maintainership if nothing changes by
 >September :-(.
 >
 
 This has concerned me as well.  The author has said he was working on a
 new version based on the revised cistron code but nothing has been
 forthcoming.  People on the mailing list have pointed out that radius
 servers should be firewalled off and so the hole shouldn't matter.
 
 Nevertheless, aside from the hole, the program works.  You might, however,
 also point out in a new pkg-message that freeradius uses a compatible
 msql database and it should be possible to migrate a history over to it.
 
 Ted
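A permissions check in the spirit of this PR, written here as an added example (it is not code from the PR, the port or the icradius project): it flags scripts in the port's script directory that are readable by group or other and appear to hard-code a database password, and can tighten them to mode 700. The default directory is the one named in the PR; the credential pattern and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the PR or the icradius port: audit a directory
# of installed scripts for files readable by group/other that also appear to
# embed a database password, and optionally tighten them to mode 700 as the
# PR suggests. The credential pattern is an assumption, not icradius' own.

# Exit 0 if any group/other permission bit is set. ls(1) keeps it portable.
exposed_to_others() {
    perms=$(ls -ld "$1" | cut -c5-10)
    case "$perms" in
        *[rwxsStT]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Exit 0 if the file looks like it hard-codes a password, e.g. a Perl
# script with `$dbpass = "...";` (assumed pattern; adjust for your scripts).
has_embedded_credential() {
    grep -Eiq '(passw(or)?d|dbpass)[[:space:]]*=' "$1"
}

# Print "<mode> <path>" for each exposed script that contains a credential.
# Exit 1 if at least one such file was found, 0 if the directory is clean.
audit_script_perms() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if exposed_to_others "$f" && has_embedded_credential "$f"; then
            printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Tighten every file audit_script_perms reports to mode 700 (owner only).
fix_script_perms() {
    audit_script_perms "$1" | while read -r mode path; do
        chmod 700 "$path" && printf 'fixed %s: %s -> -rwx------\n' "$path" "$mode"
    done
}

# Usage: sh audit.sh [--fix] [dir]   (dir defaults to the path from the PR)
if [ $# -gt 0 ]; then
    if [ "$1" = "--fix" ]; then shift; action=fix; else action=audit; fi
    dir=${1:-/usr/local/share/icradius/scripts}
    if [ "$action" = fix ]; then fix_script_perms "$dir"; else audit_script_perms "$dir"; fi
fi
```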
