support devfs in diskless-image-secure image - might be impossible,
as /dev is symlinked on installation. Need to investigate. Need devfs
in standard Linux kernel...
Linux kernel leaves a lot of .nfs* files around the place. These are
meant to be deleted by the kernel, but for some reason or another
aren't. Part of the problem might be because the file in question is
still open when the partition is unmounted. This could be a potential
security risk if the file is a setuid program that was meant to be
upgraded...
This version has debconf support. Hopefully I haven't made any more
stupid errors in any of the debconf scripts...
Potential security problem:
- Investigate possibility of security hole if running installation at
the same time a non-trusted user has access to /var/tmp and /tmp on the
diskless machine. ie can a user create a symlink and trick my
program into overwriting something it shouldn't? While all
destination files are always checked(?) for symlinks, race
conditions might exist. No files are copied into /tmp, so it
should be OK. Only vi.recover is installed in /var/tmp.
I am not sure how to guarantee security of the server computer,
if somebody breaks into root for any of the clients (very easy
if network not trusted), and alters a directory (eg /var) so
that it becomes a symlink, causing auto_install.pm to overwrite
files on the server which shouldn't ever be touched. IF YOU
KNOW HOW TO DO THIS THEN PLEASE LET ME KNOW!!!
Serious/immediate problems:
- Limited documentation, might be tedious to read, etc.
- Find out why the dhcpd option "root-path" doesn't work for me.
- hostdir.pm creates insecure files in /tmp, and
will not delete these files if the program is aborted.
These files are named "/tmp/diskless.$$.converted.$i". I do
not consider this as serious as the security threat listed
above, as I consider /tmp on the server to be reasonably secure.
However, it should be fixed. Please tell me how to
create secure tmp files in perl scripts... Even better
please send me a patch file that does this ;-)
The relevant line is in hostdir.pm. It is:
my $tmpfile = "/tmp/diskless.$$.converted.$i";
These files are only deleted if the program is not aborted.
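One way to do this with the File::Temp module that ships with Perl, added here as an example (it is not code from hostdir.pm or the diskless package); it assumes the rest of hostdir.pm can take the File::Temp object, or its path, in place of the old "$tmpfile" string:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp ();

# Securely create one "converted" temp file. File::Temp opens it with
# O_CREAT|O_EXCL (a pre-planted symlink or existing file makes it fail
# instead of being followed), mode 0600, and an unpredictable suffix.
# The file is unlinked when the returned object goes out of scope,
# which includes die() and normal exit, so no leftovers on abort.
sub new_converted_tmpfile {
    my ($i) = @_;                       # same counter hostdir.pm uses
    my $tmp = File::Temp->new(
        TEMPLATE => "diskless.$$.converted.$i.XXXXXXXX",
        TMPDIR   => 1,                  # honour $TMPDIR, default /tmp
        UNLINK   => 1,                  # remove when object is destroyed
    );
    return $tmp;                        # acts as filehandle; ->filename is the path
}

# Ctrl-C / kill -TERM would bypass cleanup; route them through exit so
# File::Temp's destructor still removes the file.
$SIG{INT} = $SIG{TERM} = sub { exit 1 };

# Demonstration with constructed content (hostdir.pm would write the
# converted data here instead).
my $tmp = new_converted_tmpfile(1);
print {$tmp} "constructed converted content\n";
$tmp->flush;
printf "Wrote %d bytes to %s (mode %04o)\n",
    -s $tmp->filename, $tmp->filename, (stat $tmp->filename)[2] & 07777;

# Re-open by path, as a later step that only knows the name would.
open my $in, '<', $tmp->filename or die "reopen failed: $!";
print "Re-read: ", scalar <$in>;
close $in;
# $tmp is destroyed at the end of the program, removing the file.
```

Because the name is only guessable up to the random suffix and the open refuses to follow symlinks, the "create a symlink in /tmp before the program runs" problem goes away along with the missing cleanup.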
The rest of this file covers "wishlist" issues that I think should
be fixed but aren't urgent or may be difficult to fix.
Speed:
- auto_install.pm shouldn't rely on using "cp" to copy devices. It slows it
down. How do you copy devices with perl?
- Code in C, not perl? This would reduce portability.
diskless-newhost and diskless-newimage:
- formatting of prompts? Could this be improved?
- check input data to ensure valid.
configure-diskless-image:
- shouldn't prompt for information that has already been configured
when it is called from postinst.
auto_install.pm:
- output is way too verbose, showing messages which may confuse and are
generally annoying for non-debugging use. However I think
some status messages are good...
- If higher priority dir contains a symlink and lower priority dir
contains a directory with files in it, auto_install.pm will
probably get confused and try to install files under symlink.
If the symlink is absolute (eg /etc) it could corrupt root
file-system of server.
Misc:
- It is assumed that devices never change (ie if the file exists it
isn't checked, not even the permissions). This is because a
number of devices have their permissions changed frequently on
a normal basis (eg tty*), and resetting the permissions could be
annoying, especially if the device is currently in use.
- diskless-kernel needs major work, currently it is specific
to my installation.
- errors on shutdown of diskless client (/dev and /etc busy).
- spell check documentation; it has been rushed, so probably will
contain errors.
- fix all bugs. What bugs? Bugsinimyprogram???? Never!