Cabletron Spectrum Enterprise Manager 5.0 Directory Permissions Vulnerability
The following steps were suggested by George M. Miscoscia <firstname.lastname@example.org> of Cabletron:
It is a suggested practice to create your Spectrum "Administrators" and "Operators" during this initial running. Once done, shut down the SpectroSERVER and then restart it as a Spectrum "Administrator". Open the User Editor and destroy the "root" user immediately. There is no need for its presence anymore. The same holds true for Windows NT, destroy the "Administrator" model from the SpectroSERVER database.
The following steps were also suggested by Dave Plonka <email@example.com>:
1) Do not create, or allow login for, *any* user accounts on the Spectrum host other than for those users who normally use Spectrum and whom you trust not to damage your Spectrum installation. Also, beware of offering services such as anonymous ftp on that host since such services could allow the overwriting of files in the Spectrum directory hierarchy.
- OR -
2) Tighten up the permissions for the Spectrum directory hierarchy. (See the example "secure_spectrum" script.)
We can make use of the group permissions to increase security, while still allowing multiple SpectroGRAPH users to write into various Spectrum directories, as is apparently necessary:
When setting up Spectrum Enterprise Manager, create a "spectrum" group. Make this "spectrum" group the group for the $SPECROOT directory and all sub-directories and files underneath. Then turn on the set-gid bit of $SPECROOT and all sub-directories so that subseqently-created sub- directory entries will "inherit" that group id, i.e. "spectrum". (Without the set-group-id bit, these entries would have had their group set to the effective group ID of the creating process.) If you have the opportunity to do this before installing Spectrum, that is ideal. A umask of 02 (i.e. allow user and group write permission) when for the users in the "spectrum" group might be useful as well. (This can be set up in the individual users ".profile".)
When seting up Spectrum user accounts, place only the Spectrum install "target user" (usually called "spectrum") and those users who should be allowed to run SpectroGRAPH on this server into the "spectrum" group so that only this subset of users will have write access to the Spectrum directories and files that allow write permission for the group. I suggest that the "SDPM" directory, and any directories and files that should not be modified during the normal operation of Spectrum, should disallow group write permission as well.