Date:      Thu, 13 Jun 2002 16:38:21 -0700 (PDT)
From:      Ted Mittelstaedt <tedm@toybox.placo.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/39254: Insecure mode on scripts in the icradius port
Message-ID:  <200206132338.g5DNcLsQ005387@www.freebsd.org>


>Number:         39254
>Category:       ports
>Synopsis:       Insecure mode on scripts in the icradius port
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 13 16:40:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Ted Mittelstaedt
>Release:        4.5-RELEASE
>Organization:
>Environment:
N/A
>Description:
     Port of ICRADIUS (/usr/ports/net/icradius) installs several
scripts such as userexport.pl into /usr/local/share/icradius/scripts
as mode 755; they should be mode 700. The icradius database userID
and password must be hard coded into the scripts for them to work,
and an inexperienced administrator would probably not think to change the mode on these after modifying them.

  Note that an out-of-the-box installation of icradius doesn't ask for mysql passwords and thus, unmodified, these scripts aren't an immediate security risk. But, the port chooses to install them and really ought to take that extra step to do it in a secure fashion.

  A regular user on the FreeBSD system running icradius who has the mysql passwords for the radius database can execute userexport.pl and pull the entire RADIUS username/password database out of the mysql server.

  Needless to say, any RADIUS server is a mischief trove and any sane admin wouldn't allow public accounts on it - wouldn't they? ;-)  But we shouldn't make it too easy for the crackers, though.

>How-To-Repeat:
      
>Fix:
      Modify the port to set mode 700 on these script files.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
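The following audit script is an added example and is not part of this PR, the icradius port, or the FreeBSD ports tree. It checks a scripts directory for the condition the report describes (files that carry a hard-coded database password and are still readable or executable by group or others) and applies the requested fix of mode 0700. The directory path is the one the PR names; the fixture files, their contents and the variable names in them are constructed for the demonstration and do not reflect the real icradius scripts. It uses only POSIX sh, find, grep and chmod options that behave the same on FreeBSD and Linux.

```shell
#!/bin/sh
# Added example (not from the PR or the icradius port): audit helper scripts
# for hard-coded credentials that are exposed by an over-permissive mode, then
# tighten them to owner-only access as the PR asks.

# Path named in the PR; override with the environment variable for other trees.
ICRADIUS_SCRIPTS="${ICRADIUS_SCRIPTS:-/usr/local/share/icradius/scripts}"

# Regular files under $1 with any group or other permission bit set.
# The POSIX "-perm -mode" form ("all of these bits set") is tested one bit at a
# time, because the "any of these bits" spelling differs between GNU and BSD find.
insecure_scripts() {
    find "$1" -type f \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                      -o -perm -o+r -o -perm -o+w -o -perm -o+x \) | sort
}

count_insecure() {
    insecure_scripts "$1" | wc -l | tr -d ' '
}

# Heuristic for a hard-coded password assignment, e.g.  $dbpass = "secret";
# It also matches commented-out assignments, which is the safer direction for triage.
CRED_PATTERN='pass(word|wd)?[[:space:]]*='

# Scripts that are both group/other-accessible and contain such an assignment:
# these are the ones a local user could read to obtain the database credentials.
exposed_credential_scripts() {
    insecure_scripts "$1" | while IFS= read -r f; do
        grep -Eiq "$CRED_PATTERN" "$f" && printf '%s\n' "$f"
    done
}

# The fix from the PR: owner-only access on every exposed script.
# Prints the number of files whose mode was actually changed.
harden_scripts() {
    before=$(count_insecure "$1")
    insecure_scripts "$1" | while IFS= read -r f; do
        chmod 0700 "$f"
    done
    after=$(count_insecure "$1")
    echo $((before - after))
}

# Constructed fixture (not real icradius files): three scripts in a temp dir.
make_sample_dir() {
    d=$(mktemp -d)
    printf '#!/usr/bin/perl\n$dbpass = "s3cret";\n# export users\n' > "$d/userexport.pl"
    chmod 0755 "$d/userexport.pl"     # the mode the PR says the port installs
    printf '#!/usr/bin/perl\nprint "hello\\n";\n' > "$d/helper.pl"
    chmod 0755 "$d/helper.pl"         # no credentials, but still g/o-readable
    printf '#!/usr/bin/perl\n$password = "x";\n' > "$d/admin.pl"
    chmod 0700 "$d/admin.pl"          # already owner-only, not reported
    echo "$d"
}

# Stand-alone run against the fixture; point the functions at
# "$ICRADIUS_SCRIPTS" to audit a real installation.
demo=$(make_sample_dir)
echo "exposed credential scripts: $(exposed_credential_scripts "$demo")"
echo "hardened: $(harden_scripts "$demo") file(s)"
echo "still group/other-accessible: $(count_insecure "$demo")"
rm -rf "$demo"
```

Two caveats a practitioner would add: mode 0700 only helps if the scripts are owned by the account that runs them (a root-owned 0700 file is unusable by an unprivileged radius user, and a radius-owned one is still readable by anyone who can run code as that user), and the stronger fix is to keep the credentials out of the scripts altogether, in a separate 0600 configuration file the scripts read at start-up.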