Re: eDirectory Trustee and User Space IOCTL() in NWFS

From: Jeff V. Merkey (jmerkey@timpanogas.org)
Date: Fri Sep 29 2000 - 19:14:06 EST


BTW. I have looked over what Novell has out at present, and what's
there is basically totally insecure on Linux, and is vulnerable to
someone getting into a single server, then being able to download every
single user's passwords and data for all the replicated servers in a
Network using eDirectory on Linux by just getting at one server that
holds either a master or replica database.

The way NDS works is to replicate user info across all the servers in a
Network, which means you only need to break into one server or login,
then you can download the NDS data sets and access every other server in
the network. In Native NetWare, this stuff is stored in the _NETWARE
directory which is invisible to applications on the server. The
specific rights for files are stored in trustee records in the directory
file, and are inaccessible to users.

With what RedHat will be shipping with eDirectory, someone could erase
these files the way it's currently implemented, then all the user rights
for a server would be gone and either no one could login or if someone
does, they would basically get root access to the entire machine. Also,
Trustees are not replicated in real NetWare, just the user logins and
pointers to the trustee records themselves -- these records stay with
the file system and are maintained internal to the file system itself.

What you are about to ship is like Swiss cheese, and could render any
Linux server a point of attack that will allow a hacker to get into a
single server with a replica, then gain access to the entire Network.

I see a black eye coming on. I will post the IOCTL()'s. Novell will
not touch NWFS because the moment they do, they will have to open source
anything that uses it (at least they told us they believe this).
RedHat, however, could do this work for them, which would prevent
contamination.

:-)

Jeff

"Jeff V. Merkey" wrote:
>
> Alan,
>
> I have not provided the Trustee and User Space node IOCTL()'s in the
> current NWFS that I posted, but they exist in the Ute-Linux version
> shipping Oct 1 that supports our NDS implementation.
> I talked to the Novell guys doing eDirectory on Linux at N+I, and at
> present, they emulate this stuff with files and a database rather than
> store it in the Native NetWare formats, which are inferior to using the
> built in model provided by the file system.
>
> Do you guys want to use it this way and suck up tons of disk space, as
> well as exposing the NDS data sets to hackers and possibly risking them
> getting deleted, or would you rather use it the way it was designed? If
> so, I am posting again this weekend with the page cache support enabled
> and all the ability to use NWFS as a root file system, and I can include
> these IOCTL() calls for the Trustee Chains (where NDS permissions are
> stored for users) and User Nodes (which contain backlinks to quota
> nodes).
>
> Jeff

This archive was generated by hypermail 2b29 : Sat Sep 30 2000 - 21:00:26 EST