
[LDM #EKK-941581]: LDM password/security ramification issues?


> Some more discussions with Gilbert this morning and with the input of
> his vast knowledge as an LDM admin and Unidata supporter....I have
> come to realize that Unidata may in fact presume that the person doing
> the install does in fact have root level privileges.

No such assumption is made. If the LDM user can't access root privileges, then
the installation will be no worse off than before. The command "make
root-actions" will have to be executed later by root. That's all. When the
configure(1) script asks for the root password, just enter nonsense.

> My experience in
> the IT field has taught me that this is a _very_ bad assumption,
> especially outside the confines of academia, but let us assume that we
> have to move forward without changing this belief system.
> Root level privileges come in at least two flavors:
> 1. knowledge of the actual root password
> 2. access to root level permissions without knowledge of the password (eg: 
> sudo)
> Pre 6.9x installations work under either of the above conditions.
> Post 6.9x installations do not (given the description of the process by 
> Gilbert)
> It is condition #2 above that I am cautioning against eliminating as
> an install method. Knowledge of the actual root password should
> _never_ be a pre-condition of installing any software unless it has
> direct implications to the OS or kernel (installation of drivers,
> etc).
> If LDM is no longer going to allow non-root level permission
> installations (we can argue that later over beer sometime), then
> installation should be done _AS_ the root user.  Who cares how the
> person obtained root level permissions?  Run the installation scripts
> as root. chown/chmod/chgrp to lower privileged accounts (eg: ldmuser)
> as needed.
> - It eliminates the unnecessary and potentially dangerous requirement
> to type in the root password to a script
> - It forces the installation of LDM in an environment that support-ldm
> expects (root level privileges)
> - It will work under any condition in which root level privileges can
> be obtained. password, sudo, su, etc
> -Tyler

Steve Emmerson

Ticket Details
Ticket ID: EKK-941581
Department: Support LDM
Priority: Normal
Status: Closed

NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.