Date:      Tue, 25 Jun 2002 08:10:09 -0700 (PDT)
From:      "Sergey N. Voronkov" <serg@tmn.ru>
To:        freebsd-ports@FreeBSD.org
Subject:   Re: ports/39254: Insecure mode on scripts in the icradius port
Message-ID:  <200206251510.g5PFA9w32106@freefall.freebsd.org>

The following reply was made to PR ports/39254; it has been noted by GNATS.

From: "Sergey N. Voronkov" <serg@tmn.ru>
To: Ted Mittelstaedt <tedm@toybox.placo.com>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: ports/39254: Insecure mode on scripts in the icradius port
Date: Tue, 25 Jun 2002 21:00:54 +0600

 On Thu, Jun 13, 2002 at 04:38:21PM -0700, Ted Mittelstaedt wrote:
 >      Port of ICRADIUS  (/usr/ports/net/icradius) installs several
 > scripts such as userexport.pl into /usr/local/share/icradius/scripts
 > as mode 755 they should be mode 700. The icradius database userID
 > and password must be hard coded into the scripts for them to work,
 > and an inexperienced administrator would probably not think to change mode on these after modifying them.
 > 
 >   Note that an out-of-the-box installation of icradius doesn't ask for mysql passwords and thus unmodified, these scripts aren't an immediate security risk.  But, the port chooses to install them and really ought to take that extra step to do it in a secure fashion.
 > 
 >   A regular user on the FreeBSD system running icradius who has the mysql passwords for the radius database can execute userexport.pl and pull the entire RADIUS username/password database out of the mysql server.
 > 
 >   Needless to say, any RADIUS server is a mischief trove and any sane admin wouldn't allow public accounts on it - wouldn't they? ;-)  But we shouldn't make it too easy for the crackers, though.
 
 Scripts are installed ONLY as examples :-)).
 
 Do I need to reflect this feature in pkg-message?
 
 Best Regards,
 
 Serg N. Voronkov,
 Sibitex JSC
 
 P.S.: icradius is nearly dead - no changes to the remote hole in several
 months. I'm thinking of dropping maintainership if nothing has changed by
 September :-(.
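
The report above turns on two things coinciding in one file: a hard-coded database login and a mode (755) that lets any local account read it. The following POSIX shell script is an added example, not code from the icradius port or from the PR: it audits a scripts directory for files that are group- or world-readable AND assign a quoted string literal to a variable named pass/passwd/password, and tightens only those to mode 700, leaving credential-free example scripts usable. The directory layout, the sample userexport.pl/cleanup.pl contents and the variable names are constructed for the demo; the credential regex is a heuristic and is labelled as such in the comments.

```shell
#!/bin/sh
# Added example (not the icradius port's or the PR's code): find helper
# scripts that are readable by group/other AND embed a password literal,
# then chmod 700 only those. Sample tree and file contents are constructed.

# List files under DIR that (a) have the group or other read bit set
# (octal -040 / -004, POSIX find syntax) and (b) assign a quoted string to a
# variable whose name ends in pass, passwd or password. Heuristic on purpose:
# it ignores '$dbpass = $ENV{...}' style assignments, which fetch the secret
# at run time instead of embedding it in the file.
find_exposed_scripts() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -qiE "pass(word|wd)?[[:space:]]*=[[:space:]]*[\"']" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of exposed scripts under DIR; 0 means the tree is clean.
# (tr strips the padding BSD wc puts in front of the count.)
count_exposed_scripts() {
    find_exposed_scripts "$1" | wc -l | tr -d ' '
}

# chmod 700 each exposed script. Files without an embedded secret keep their
# mode, so example scripts that read credentials from the environment or a
# separate 600 config file stay runnable by whoever they were meant for.
lock_down_scripts() {
    find_exposed_scripts "$1" | while IFS= read -r f; do
        chmod 700 "$f" && printf 'tightened %s\n' "$f"
    done
}

# Build a constructed scripts/ tree mirroring the report: one script with the
# DB login pasted in (mode 755, the case the PR complains about) and one that
# takes it from the environment. Prints the temp directory path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/scripts"
    cat > "$d/scripts/userexport.pl" <<'EOF'
#!/usr/bin/perl
# constructed sample: credentials hard-coded, as the PR warns against
my $dbuser = "radius";
my $dbpass = "s3cret";
EOF
    cat > "$d/scripts/cleanup.pl" <<'EOF'
#!/usr/bin/perl
# constructed sample: secret read from the environment, nothing to leak
my $dbpass = $ENV{RADIUS_DB_PASS};
EOF
    chmod 755 "$d/scripts/userexport.pl" "$d/scripts/cleanup.pl"
    printf '%s\n' "$d"
}

# Stand-alone demo: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "exposed before: $(count_exposed_scripts "$tree")"
    lock_down_scripts "$tree"
    echo "exposed after:  $(count_exposed_scripts "$tree")"
    rm -rf "$tree"
fi
```

Run against a real install as `find_exposed_scripts /usr/local/share/icradius/scripts` after editing the examples; the check looks at permission bits, not at who is running it, so it gives the same answer as root or as the unprivileged user the report has in mind. The grep pattern will miss secrets stored under other variable names, so treat a clean result as "nothing obvious", not as proof.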

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206251510.g5PFA9w32106>