Re: disk image creation & restauration

From: Nico Kadel-Garcia (nkadel_at_verizon.net)
Date: 08/06/03 

Date: Wed, 06 Aug 2003 14:15:19 GMT

Peter T. Breuer wrote:
> In comp.os.linux.setup Nico Kadel-Garcia <nkadel@verizon.net> wrote:

>>Experience. If you leave machines up and running 24x7 with no flushing
>>of the OS, people *do* leave little love packages. And because
>
>
> They can't. As to what they do in /tmp or their home directory (nfs
> mount), that's their business.

Not on a cluster or shared machine. Installing it in "/tmp" counts as
installing it, and running an inappropriate or unauthorized service
after you've logged out (which such love packages can easily do) is a
potentially serious problem. Shared workstations should not be used by
people not logged into them unless that's local policy to permit it, and
it rarely is.

>>UNIX/Linux are such fun and powerful operating systems, and because if
>>you have shell or X windows access you can run programs out of "/tmp"
>>which absolutely must be read-write-execute for all, you can't really
>>prevent them from running installing and running programs locally.
>
>
> They don't install. They can put whatever they like in /tmp. There's no
> harm at all in that.

Horse pucks. If I leave a pirate FTP or FSP server running out of /tmp,
or a lovely little Xtank server for everyone to use after I leave the
cluster and log out, I can easily cause all sorts of bandwidth problems
for the cluster as well as making the machine unusable for others. And
that sort of abuse is simply too easy to do.

>>It's often fairly trivial to set up a server for FTP, IRC, pirate
>>software web sites, etc. running on a port for your buddies to use as a
>
>
> It's trivial, and stopped by closing access for ports above 1024.

Horse pucks. Getting the firewall configuration just right to restrict
incoming access for ports above 1024 is often a nightmare. And you can't
entirely restrict it, since TCP does a fascinating bit of handing off of
ports to allow the services on remote machines to actually respond back
on a non-privileged port.

>>server from off-site, or given some time to play around you can run a
>>fake login interface that steals people's passwords, or lock the screen
>
>
> They always have the right to run such things. If they didn't, then
> wouldonly have a finite number of programs they could run and therefore
> they would not be using a general purpose computing machine, but an
> appliance.

While they're logged in, sure. After they log off and leave the cluster?
Or leave it running more than 24 hours tying up public or shared
machines? Nuh-uh.

>>on the machine so no one else can use it until you unlock it or the
>
>
> Anyone can break a screen lock with ctl-alt-bkspace.

Nonsense. In can vlock all the terminal sessions and turn off the X server.

>>Also, the "flush me every day completely" is a good way to make sure the
>>machines get *all* the upgrades and are in a configuration known to the
>
>
> I simply check the md5sums of every file every day. There are no
> problems with what people put in tmp. Mind you, if somebody did invent a
> fake login screen I'd give him extra marks ...

This requires your kernel/glibc not to be screwed with. There are some
*nasty* hacks going around that actually trick the md5sum into
misreporting the checksums, including some loadable kernel module hacks.
And you just entirely gave up on monitoring /tmp contents, which are
therefore dangerous.

Relevant Pages

  • Re: Hacked?
    ... have some kind of pointer to try to contact a computer on that network. ... Those are NetBIOS ports, and NetBIOS is somewhat chatty and can generate ... installing Zone Alarm on the computer in question would be ... > currently hosting the email server, DNS, as well ...
    (microsoft.public.security)
  • Re: disk image creation & restauration
    ... Not on a cluster or shared machine. ... Installing it in "/tmp" counts as ... If I leave a pirate FTP or FSP server running out of /tmp, ... and stopped by closing access for ports above 1024. ...
    (comp.os.linux.networking)
  • Re: Print$ Share
    ... The printers and drivers were installed onto the cluster Virtual Server not ... We have just brought online a second file and print cluster, ... installing printer drivers they are copied to ...
    (microsoft.public.windows.server.clustering)
  • Re: cannot find "clusters service" in add/remove windows component
    ... so Start - Run - Winver shows Advanced Server? ... installed under Services - Cluster? ... Add/Remove Programs of my windows 2000 AS. ... this is my first time installing any clusters systems. ...
    (microsoft.public.windows.server.clustering)
  • Re: FIREBOX II IP CONFIGURATION
    ... > ips for eache server. ... > I will also be installing a cisco cache engine 500 in the following ... > I would like to put all SERVERS, NETWORKING EQUIPMENT in the DMZ using ... > ports to the DMZ interface, ...
    (comp.security.firewalls)