
[LDM #EKK-941581]: LDM 6.9.0.6 password/security ramification issues?



Tyler,

> Some more discussions with Gilbert this morning and with the input of
> his vast knowledge as an LDM admin and Unidata supporter....I have
> come to realize that Unidata may in fact presume that the person doing
> the install does in fact have root level privileges.

No such assumption is made. If the LDM user can't access root privileges, then
the installation will be no worse off than before. The command "make
root-actions" will have to be executed later by root. That's all. When the
configure(1) script asks for the root password, just enter nonsense.

> My experience in
> the IT field has taught me that this is a _very_ bad assumption,
> especially outside the confines of academia, but let us assume that we
> have to move forward without changing this belief system.
> 
> Root level privileges come in at least two flavors:
> 1. knowledge of the actual root password
> 2. access to root level permissions without knowledge of the password (eg: 
> sudo)
> 
> Pre 6.9x installations work under either of the above conditions.
> 
> Post 6.9x installations do not (given the description of the process by 
> Gilbert)
> 
> It is condition #2 above that I am cautioning against eliminating as
> an install method. Knowledge of the actual root password should
> _never_ be a pre-condition of installing any software unless it has
> direct implications to the OS or kernel (installation of drivers,
> etc).
> 
> If LDM is no longer going to allow non-root level permission
> installations (we can argue that later over beer sometime), then
> installation should be done _AS_ the root user.  Who cares how the
> person obtained root level permissions?  Run the installation scripts
> as root. chown/chmod/chgrp to lower privileged accounts (eg: ldmuser)
> as needed.
> 
> - It eliminates the unnecessary and potentially dangerous requirement
> to type in the root password to a script
> - It forces the installation of LDM in an environment that support-ldm
> expects (root level privileges)
> - It will work under any condition in which root level privileges can
> be obtained. password, sudo, su, etc
> 
> -Tyler

Regards,
Steve Emmerson

Ticket Details
===================
Ticket ID: EKK-941581
Department: Support LDM
Priority: Normal
Status: Closed