SUMMARY: ping-only account

From: Christopher L. Barnard <cbar44_at_tsg.cbot.com>
Date: Thu May 29 2003 - 10:16:35 EDT
I asked:

> Devil's Advocate time...
> 
> This is a moderately high security environment.  Sun Servers here are
> monitored by folks who do not need to know much, if anything, about
> unix.  Monitoring is done by remote applications and they just watch
> for alerts from the applications.  On most machines, the only interactive
> item they do is to log on to a system and do a ping.  If there is a
> problem, notify an admin.  These folks have a unique, non-root,
> restricted-shell account.
> 
> The problem is the high turnover of our monitoring personnel and the
> subsequent frequent creation and deletion of accounts.  On many of the
> servers, the task is to do one thing: ping.  On such servers, I am wondering
> if anyone sees any security problems with having an account
> 
> pingtest:x:1099:10:Pinging account only:/dev/null:/usr/local/bin/pingtest.sh
> 
> where the password of pingtest is trivial if not null.
> 
> the /usr/local/bin/pingtest.sh script is root owned, mode 0555, and is in its
> entirety:
> 
> ---------------8<---------------
> #!/bin/sh
> #
> ### Program that does a ping.
> ###
> echo "Please enter the name or IP address of the server you wish to ping: \c"
> read ans 
> 
> /usr/bin/getent hosts ${ans} > /dev/null 2>&1
> 
> if [ "x$?x" != "x0x" ]; then
>   echo ""
>   echo "$ans may not be a valid name, but a ping test will be done anyway."
> fi
> 
> /usr/sbin/ping -a $ans
> 
> exit 0
> ---------------8<---------------
> 
> and the user pingtest is in the /etc/ftpusers file.
> 
> Then all of the monitoring personnel accounts would be deleted and they
> would all use this one.
> 
> Before I implement this, though, I would like to run it past the tens
> of thousands of pairs of eyes on this list to find out if I have missed
> anything...

The answer:

Generally OK.  As it turns out, we are not going to use this after all, but 
I will summarize the responses for the purposes of the archive.

Several people pointed out that I forgot to trap kill signals.
trap 'echo "nyah nyah nyah nyah";exit 1' 1 2 3 13 15
or
trap '$0' 1 2 3 13 15
if you want to be nicer... ;^)

Also several people pointed out that there are applications that do this
without ever logging in -- Big Brother, NetSaint, etc.
Several people said to carefully parse the input for the getent command.
Although ping will die on a hostname like "foobar;rm -rf *", it is still
not a good idea to tempt fate.
I got a recommendation to run this as smrsh rather than /bin/sh.  By using
the Sendmail restricted shell I can specify what applications can be run.
Several people pointed out that ping is setuid-root, so one has to be
careful with it.
Also there is the accountability issue.  This account does not log who used
it or when.

Thanks to the many of you who looked at the script.

+-----------------------------------------------------------------------+
| Christopher L. Barnard         O     When I was a boy I was told that |
| cbarnard@tsg.cbot.com         / \    anybody could become president.  |
| (312) 347-4901               O---O   Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard                --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
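The following is an added example, not the script from the post above and not anything the list or its members supplied: a rewrite of pingtest.sh that folds in the points the responders raised (trap the kill signals, validate and quote the input before it reaches a setuid-root ping, and log who pinged what so the shared account is at least attributable to a session). It assumes a POSIX sh (on Solaris that would be /usr/xpg4/bin/sh rather than the old Bourne /bin/sh), ping at /usr/sbin/ping, logger at /usr/bin/logger, and that the account's login shell points at a file named pingtest.sh; all of those are assumptions, not details from the original.

```shell
#!/bin/sh
# pingtest.sh, hardened.  Added example; not the script from the post.
# Assumptions (not from the original): POSIX sh, ping at /usr/sbin/ping,
# logger at /usr/bin/logger, and this file installed as pingtest.sh and
# used as the account's login shell.

PING=${PING:-/usr/sbin/ping}

# Do not let HUP, INT, QUIT, PIPE or TERM (1 2 3 13 15) drop the user
# anywhere interesting: on any of them, just exit.
trap 'printf "\nInterrupted.\n"; exit 1' 1 2 3 13 15

# valid_target NAME
# Accept only characters that can occur in a host name or an IPv4/IPv6
# literal (letters, digits, '.', '-', ':').  Reject the empty string,
# anything beginning with '-' (ping would read it as an option) and
# names over 253 characters.  ';', '|', '`', '$', quotes, spaces and
# newlines are therefore refused before ping ever sees them.
valid_target() {
    case "$1" in
        "")                  return 1 ;;
        -*)                  return 1 ;;
        *[!A-Za-z0-9.:-]*)   return 1 ;;
    esac
    [ ${#1} -le 253 ]
}

# log_attempt TARGET RESULT
# Record the target, the outcome and the session ('who am i' prints the
# terminal and, on Solaris, the remote host of the current login) so a
# ping from the shared account can be tied to a login session.
log_attempt() {
    origin=`who am i 2>/dev/null`
    if [ -x /usr/bin/logger ]; then
        /usr/bin/logger -p auth.info -t pingtest \
            "target=$1 result=$2 session=$origin"
    fi
}

# pingtest_main
# The interactive part: one prompt, one validated ping, then exit.
pingtest_main() {
    printf 'Please enter the name or IP address of the server you wish to ping: '
    # IFS= and -r keep the shell from trimming or interpreting the input.
    IFS= read -r ans || exit 1
    if ! valid_target "$ans"; then
        echo "'$ans' is not a valid host name or address."
        log_attempt "$ans" rejected
        exit 1
    fi
    /usr/bin/getent hosts "$ans" > /dev/null 2>&1 ||
        echo "$ans may not be a valid name, but a ping test will be done anyway."
    # Quoted and validated: ping receives exactly one operand.
    "$PING" "$ans"
    rc=$?
    log_attempt "$ans" "exit=$rc"
    exit $rc
}

# Run the interactive part only when invoked as pingtest.sh (login passes
# "-pingtest.sh" as $0 for a login shell, which this pattern also matches),
# so the functions above can be sourced and checked on their own.
case "$0" in
    *pingtest.sh) pingtest_main ;;
esac
```

The smrsh suggestion from the summary is the alternative this example does not take: smrsh limits which programs a command line may name, whereas here the script never hands the user's input to a shell at all, so there is no command line to restrict. The `who am i` logging only identifies a session, not a person; with a shared password the accountability gap the summary mentions is narrowed, not closed.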
Received on Thu May 29 10:16:29 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:11 EST