3 Replies Latest reply on Apr 1, 2014 2:49 AM by Pedro José Barbero Iglesias

    AppServer's Security Issue when running centralized NSH Scripts

      Hi there guys!! I would like to share with you an issue I have recently created with the BMC support team about a security issue we have found. I think it could be very interesting because I have never read anything about it in any post. The ticket reads as follows:




      We have found something a little dangerous that we would like to avoid in some way. I am going to describe the situation and the problem: When you execute a centralized NSH Script, the working directory where the script is executed is located under "/NSH/br" on the App Server where the script is run. For this reason, two weeks ago, due to a design error or a malicious script, many files and directories of the App Server installation were removed, leaving the environment and of course the App Server broken. So we had to reinstall the App Server; during this time our Pre-Production environment was completely out of service, causing delays in our development projects. So, as you can imagine, this is something we would like to prevent from happening in the future. We have made some tests, modifying the start-up script among other things, to make centralized scripts run in another isolated directory with just the necessary rights or permissions, but it didn't work at all. Could you please tell us if there is a way to force the centralized scripts to run in another isolated and restricted location that avoids this undesired and dangerous situation?




      Any idea or help would be very much appreciated. My best regards.

        • 1. Re: AppServer's Security Issue when running centralized NSH Scripts

          Here is the answer from the BMC support team:



          Thank you very much for submitting this issue to BMC support. I want to let you know that we are aware of this problem and we have raised an RfE for this earlier. First of all we can assure you that we fully understand the severity of the issue and that we realize this is a more than valid reason for security concerns. We have therefore tasked research & development to perform a major revamp of the way script execution on the app server works as the current concept suffers from a limitation that renders a secure implementation virtually impossible to realize. Unfortunately this also means that a short-term solution will not be feasible. Changes of this amplitude cannot be performed in the context of a patch or service pack as they would most likely lead to incompatibilities with many other areas of the product. Extensive testing and QA will be required prior to a release of this nature. A resolution has therefore been targeted under tracking ID QM001738479 for the next BBSA minor release (i.e. 8.5). Currently the only workaround is to have regular backups of your appserver in order to restore the data correctly.




          Any other workaround?

          • 2. Re: AppServer's Security Issue when running centralized NSH Scripts
            Bill Robinson

            In theory you could enable the spawner, and run that under a different account. That is of course not tested at all...

            • 3. Re: Re: AppServer's Security Issue when running centralized NSH Scripts

              I haven't tested your proposal yet, but what I did was write a little script to change the permissions and owners of some vital directories in order to avoid damage due to centralized NSH script execution.


              The script is below.


              To secure Bladelogic Application Server directory:


              chown root:root ../br

              chown root:root deployments

              chown root:root <appserver_logs_directory>



              To unsecure Bladelogic Application Server directory:


              chown bladmin:bladmin ../br

              chown bladmin:bladmin deployments

              chown bladmin:bladmin <appserver_logs_directory>


              P.S.: As soon as I have a little time I'll test what you suggest, because I have already enabled the spawners.
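
A way to check what the `chown` workaround in reply 3 actually covers, as an added example that is not part of any post in this thread: `chown` without `-R` changes only the named directory, so subdirectories still owned by the script account remain modifiable by it. The function names are hypothetical; the account name (`bladmin` in the thread) and the install path are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread). List directories under an install tree
# whose entries a given account can still create or delete.
# Usage: sh audit_tree.sh <install_dir> <account>   (file name is hypothetical)

audit_tree() {
    tree=$1
    acct=$2
    # Primary group of the account; fails if the account does not exist.
    grp=$(id -gn "$acct") || return 2
    # A directory is reported when it is owned by the account (an owner can
    # always chmod u+w back), group-writable for the account's primary group,
    # or world-writable. Supplementary groups and ACLs are not checked here.
    find "$tree" -type d \( -user "$acct" \
        -o \( -group "$grp" -perm -0020 \) \
        -o -perm -0002 \) -print
}

# Number of directories audit_tree reports for the given tree and account.
count_exposed() {
    audit_tree "$1" "$2" | wc -l | tr -d ' '
}

# Run the audit only when called with both arguments.
if [ "$#" -eq 2 ]; then
    audit_tree "$1" "$2"
fi
```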