8 Replies Latest reply on Jun 15, 2011 1:35 PM by Bill Robinson

    BladeLogic Files have permissions with sticky bit set

    Abid Khemiss

      Hi,

       

      BladeLogic files have permissions that break my organisation's security rules (and so are a security risk).
      The following files have setuid set on them (why is this required?).
      Can we remove the setuid bit?

       

      r-sr-xr-x 1 root bin 973824 Feb 12 10:55 /usr/nsh/nativetool/bin/.mcsiwrapper
      -r-sr-xr-x 1 root bin 222144 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-2.6-x86/vxvm
      -r-sr-xr-x 1 root bin 261360 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-2.6-x86/sie
      -r-sr-xr-x 1 root bin 201456 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-2.6-x86/mntinfo
      -r-sr-xr-x 1 root bin 214016 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-2.6-x86/linuxlvm
      -r-sr-xr-x 1 root bin 1063240 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-2.6-x86/nafiler
      -r-sr-xr-x 1 root bin 226360 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-2.4-x86/vxvm
      -r-sr-xr-x 1 root bin 267904 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-2.4-x86/sie
      -r-sr-xr-x 1 root bin 205288 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-2.4-x86/mntinfo
      -r-sr-xr-x 1 root bin 218616 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-2.4-x86/linuxlvm
      -r-sr-xr-x 1 root bin 557072 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-2.4-x86/nafiler
      -r-sr-xr-x 1 root bin 210456 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-x86/linuxmd

       

      The following directories are world writable and/or have the sticky bit set.

      Can we remove world write/read capability?

      Will it break the application?

      Will it make it unsupported?

       

      drwxrwxrwt 2 bin bin 4096 Feb 12 10:55 /usr/nsh/snapshot
      drwxrwxrwt 11 root root 4096 Feb 12 09:05 /usr/nsh/Transactions
      drwxrwxrwx 3 root root 4096 Feb 12 09:06 /usr/nsh/Transactions/locks
      drwxrwxrwx 2 root root 4096 Feb 12 09:04 /usr/nsh/Transactions/locks/reader
      drwxrwxrwx 3 root root 4096 Feb 12 09:06 /usr/nsh/Transactions/events
      drwxrwxrwx 3 root root 4096 Feb 12 09:06 /usr/nsh/Transactions/events/locks
      drwxrwxrwx 2 root root 4096 Feb 12 09:00 /usr/nsh/Transactions/events/locks/reader
      drwxrwxrwx 3 root root 4096 Feb 12 09:05 /usr/nsh/Transactions/log
      drwxrwxrwx 2 root root 4096 Feb 12 09:05 /usr/nsh/Transactions/log/tmp
      drwxrwxrwt 3 bin bin 4096 Feb 19 09:40 /usr/nsh/tmp

       

      Best Regards

       

      Abid

        • 1. Re: BladeLogic Files have permissions with sticky bit set

          I can't answer the sticky bit question, you should probably file a ticket on it. The WW directories below have to be so according to support. I filed a similar ticket for my federal customer and was told that those directories need to be WW due to the behaviour of the application.

          • 2. Re: BladeLogic Files have permissions with sticky bit set
            Bill Robinson

            Not sure about the suid bits.

            For the world writeable/sticky bit dirs, those dirs are written to by the mapped local users. So if a user is deploying a package as the local user "user1", that user needs to write into those directories. When local user2 is being used for a deploy, it needs write in those directories. The sticky bit should allow only the user that created files/subdirs to modify them.

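To turn the two questions in this thread (setuid files, and world-writable directories with or without the sticky bit) into a repeatable check, here is a small POSIX shell audit. It is an added example, not code from the thread or from BMC: it classifies `ls -l` mode strings into the categories discussed above, flags a world-writable directory *without* the sticky bit as the real problem (any mapped local user could remove or rename another user's files there), and keeps sticky-bit directories and setuid files as items to review rather than errors. The sample listing is constructed from paths quoted in the thread plus two made-up entries (`example.conf` and `worldfile`) so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the original thread). Classifies ls -l mode strings
# into the cases discussed in the thread so a listing can be triaged quickly.

# classify_mode MODE -> prints one of:
#   setuid-file       regular file with the setuid bit (s/S in owner execute slot)
#   ww-dir-sticky     world-writable directory with the sticky bit (t/T in other execute slot)
#   ww-dir-no-sticky  world-writable directory without the sticky bit (anyone may delete others' files)
#   ww-file           world-writable regular file
#   ok                nothing of interest for this audit
classify_mode() {
    mode=$1
    type=$(printf '%s' "$mode" | cut -c1)      # '-' file, 'd' directory, ...
    owner_x=$(printf '%s' "$mode" | cut -c4)   # owner execute slot: x, s or S
    other_w=$(printf '%s' "$mode" | cut -c9)   # other write slot
    other_x=$(printf '%s' "$mode" | cut -c10)  # other execute slot: x, t or T
    case "$type$owner_x" in
        -s|-S) echo setuid-file; return ;;
    esac
    if [ "$other_w" = w ]; then
        case "$type$other_x" in
            dt|dT) echo ww-dir-sticky ;;
            d*)    echo ww-dir-no-sticky ;;
            *)     echo ww-file ;;
        esac
        return
    fi
    echo ok
}

# audit_listing: reads "ls -l"-style lines on stdin and prints "<category> <path>"
# for every entry that is not "ok". The path is read last so embedded spaces survive.
audit_listing() {
    while read -r mode _links _owner _group _size _mon _day _time path; do
        [ -n "$mode" ] || continue
        cat=$(classify_mode "$mode")
        [ "$cat" = ok ] || printf '%s %s\n' "$cat" "$path"
    done
}

# Constructed sample listing: three lines are taken from the thread, the
# example.conf and worldfile entries are invented for the demonstration.
SAMPLE_LISTING='-r-sr-xr-x 1 root bin 261360 Feb 12 10:55 /usr/nsh/nativetool/libexec/platform/linux-2.6-x86/sie
drwxrwxrwt 2 bin bin 4096 Feb 12 10:55 /usr/nsh/snapshot
drwxrwxrwx 3 root root 4096 Feb 12 09:06 /usr/nsh/Transactions/locks
-rw-r--r-- 1 root root 1024 Feb 12 09:06 /usr/nsh/share/example.conf
-rwxrwxrwx 1 root root 10 Feb 12 09:06 /usr/nsh/tmp/worldfile'

# sample_audit: runs the audit over the constructed listing.
sample_audit() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing
}

# live_audit DIR: the same two checks against a real tree using find(1):
# setuid regular files, and world-writable directories lacking the sticky bit.
live_audit() {
    find "$1" -xdev \( -type f -perm -4000 \) -o \( -type d -perm -0002 ! -perm -1000 \) 2>/dev/null
}

sample_audit
```

Running the script prints four findings for the sample: the `sie` binary as `setuid-file`, `/usr/nsh/snapshot` as `ww-dir-sticky`, `/usr/nsh/Transactions/locks` as `ww-dir-no-sticky`, and the constructed `worldfile` as `ww-file`; `example.conf` is silent. `live_audit /usr/nsh` gives the equivalent result on an actual agent host.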
            • 3. Re: BladeLogic Files have permissions with sticky bit set
              Paul Seager-Smith

              These files look like the magnacomp inventory scanner (some certainly are - sie, .mcsiwrapper). This uses setuid to root to ensure that it still works when run as a non-root user. It is also used by Marimba and was necessary for the cases where the customer did not want to install the agent as root.

               

              I think this is used to get the basic system info data for Bladelogic - not sure if it is used for the live browse data or the inventory jobs. If the agent runs as root, the setuid bits should not be necessary. You should be able to remove the 's' bit in this case.

               

              Rgds,

               

              Paul

              • 4. BladeLogic Files have permissions with sticky bit set
                Mike Reider

                I'm getting a similar error running a compliance job on a target Solaris 10 server.

                 

                This is what I'm getting from the failed job log:

                 

                com.bladelogic.om.infra.app.collector.AssetCollectionException: Unable to copy script "file_world_writable_dir_contrib" to host ny-solar3: No such file or directory
                (component=CIS - Solaris 10 (ny-solar3), selector=Extended Object:BL-LXO World-Writable Directory with Sticky Bit Set)

                 

                The same type of compliance job runs ok on RHEL and SUSE, but on Solaris it's getting these errors. I'm running the job logged in as BLAdmin (BLAdmins role).

                 

                Do I need to change folder permissions on the target servers and disable the sticky bit? I'm guessing it's trying to push this script to the /tmp directory.

                • 5. Re: BladeLogic Files have permissions with sticky bit set
                  Bill Robinson

                  I don't think your problem has to do w/ the sticky bit. On your target does the STAGING_DIR exist? (/var/tmp/stage usually)

                  • 6. BladeLogic Files have permissions with sticky bit set
                    Mike Reider

                    Hi Bill, it exists:

                     

                    /var/tmp/stage

                     

                    ls -l

                     

                    drwxrwxrwt     2     root

                    • 7. Re: BladeLogic Files have permissions with sticky bit set
                      Mike Reider

                      we figured out the error,

                       

                      We are running an 8.1 app server and we downloaded the Compliance Library content installer from EPD.

                       

                      We tried loading CIS templates from the installer but it only has Windows 2008 templates, we need templates for Solaris, AIX and Linux.

                       

                      We received exported CIS templates (for AIX, Linux, Solaris - ver 8.1) from BMC and imported them into our app server. These exported templates were taken from an 8.0 server which was upgraded to 8.1.

                       

                      The problem was that these exported templates are missing several things like extended objects and several internal scripts (like the one that we had the error on, "file_world_writable_dir_contrib").

                      This was the problem: our current app server is missing several Property Dictionary values, missing many Extended Objects and was missing these scripts (located in BL_install_dir/OM/NSH/share/sensors/).

                       

                      For BL 8.1, the Compliance Library templates are missing CIS templates for AIX, Linux and Solaris, and if you try to simply import them from exports that were exported out of an upgraded 8.0 (8.0 -> 8.1), it won't work.

                      • 8. Re: BladeLogic Files have permissions with sticky bit set
                        Bill Robinson

                        You got these from Paul, right?

                         

                        I told him most of the EOs and such would be missing from my export ☺