What’s Not in the IBM Redbook: Apache Users and IFS Security

A few years ago I worked with the lead developer of RJS Software’s WebDocs-iSeries document management solution to see whether we could use authorization lists to provide a standardized method for securing WebDocs-iSeries objects on the iSeries.

You see, the iSeries is strange in that it has two file systems that are both “native”, and WebDocs-iSeries uses both. The first, and the original, is the library/object model that has been around since the early System/36 days. A master library, QSYS, contains system objects and all other libraries, which may themselves contain objects but not libraries. This produces a very flat structure, in which any object is fully specified simply by naming the library it is in, its name, and its object type.

Later, a UNIX-like file system was added (the IFS, or Integrated File System) without removing the old one; instead, the library/object file system shows up inside the IFS under /QSYS.LIB, with libraries appearing as directories, objects as files, and object types as their extensions (so library RJSIMAGE is /QSYS.LIB/RJSIMAGE.LIB and a program in it is /QSYS.LIB/RJSIMAGE.LIB/<name>.PGM). Native applications were blissfully ignorant of the change, and I have actually spoken to administrators who were similarly ignorant. In addition, many iSeries applications never explicitly work with the IFS.

With V5R3, IBM switched from its own web server on the iSeries to the popular Apache web server. WebDocs-iSeries had already been storing the actual documents uploaded to it in the IFS, so any comprehensive security solution was going to have to cover the library/object model as well as the files and directories in the IFS. Authorization lists looked like a perfect fit.

Or so we thought. Ultimately, they proved too cumbersome for our customers and their real-world utility was minimal. But along the way I stumbled across an odd mismatch between the level of authorization IBM’s Redbook says Apache requires and what it actually requires.

Apache on the iSeries has two primary user profiles it uses: QTMHHTTP and QTMHHTP1. The former is used for serving the web site pages under /www for a given Apache instance, while the latter is used for executing CGI programs. Since the same iSeries job may perform both operations, Apache swaps the job’s user profile when it runs a CGI program.

What this implies is that the only files QTMHHTTP should ever need access to are those under /www. In fact, though, it traverses the directory structure of the IFS to check whether a given CGI program is present before the job swaps users. Since our CGI program object is in the RJSIMAGE library, QTMHHTTP needed read access to /QSYS.LIB/RJSIMAGE.LIB/* before it would perform the swap and let QTMHHTP1 run the program. That grant is not in the Redbook, so a least-privilege configuration built strictly from the Redbook will fail with an authority error on the CGI call rather than on the swap.
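The /QSYS.LIB path mapping from the paragraphs above and the least-privilege grant the QTMHHTTP/QTMHHTP1 split calls for, worked through as an added example. This is not code from the original post, from RJS or from IBM: the program name WEBDOCS.PGM is hypothetical, and the authority values chosen (*X to traverse the library, *R for QTMHHTTP to locate the program, *RX for QTMHHTP1 to run it) are this example’s reading of the “read access before the swap” observation, not an IBM-documented requirement.

```python
"""Added example (not from the original post, RJS or IBM): map an IFS path under
/QSYS.LIB back to library/object/type, then emit the CHGAUT commands for the
least privilege the QTMHHTTP -> QTMHHTP1 swap implies.

Assumptions: WEBDOCS.PGM is a hypothetical program name; *X / *R / *RX are this
example's choice of authorities, not values taken from IBM documentation.
"""
import re
from dataclasses import dataclass
from typing import Optional

QSYS_ROOT = "/QSYS.LIB"
# NAME.TYPE components: IBM i names are 1-10 characters, upper-cased in the IFS view
COMPONENT = re.compile(r"^([A-Z][A-Z0-9_$#@]{0,9})\.([A-Z]+)$")

WEB_USER = "QTMHHTTP"  # serves /www and walks the path before the swap
CGI_USER = "QTMHHTP1"  # the profile the job swaps to when running CGI


@dataclass(frozen=True)
class QsysObject:
    library: str
    name: str
    type: str                     # native object type, e.g. "*PGM"
    member: Optional[str] = None  # only for /LIB.LIB/FILE.FILE/MBR.MBR


def _split(component: str) -> tuple:
    m = COMPONENT.match(component)
    if not m:
        raise ValueError(f"not a NAME.TYPE component: {component!r}")
    return m.group(1), m.group(2)


def parse_qsys_path(path: str) -> QsysObject:
    """Map an IFS path under /QSYS.LIB back to the library/object model.

    /QSYS.LIB/OBJ.TYPE                   -> object living in QSYS itself
    /QSYS.LIB/LIB.LIB                    -> the library LIB (an object in QSYS)
    /QSYS.LIB/LIB.LIB/OBJ.TYPE           -> object in library LIB
    /QSYS.LIB/LIB.LIB/FILE.FILE/MBR.MBR  -> member of a file in LIB
    """
    upper = path.upper()
    if not upper.startswith(QSYS_ROOT + "/"):
        raise ValueError(f"not a QSYS.LIB path: {path!r}")
    parts = [p for p in upper[len(QSYS_ROOT) + 1:].split("/") if p]
    if not parts:
        raise ValueError("path names no object")

    library = "QSYS"
    name, typ = _split(parts[0])
    if typ == "LIB":
        if len(parts) == 1:                # the library itself is an object in QSYS
            return QsysObject("QSYS", name, "*LIB")
        library, parts = name, parts[1:]
        name, typ = _split(parts[0])
        if typ == "LIB":                   # the flat model: no nested libraries
            raise ValueError("libraries cannot contain libraries")

    member = None
    if len(parts) > 1:                     # only *FILE objects have children (members)
        if typ != "FILE" or len(parts) != 2:
            raise ValueError(f"only files contain members: {path!r}")
        mname, mtyp = _split(parts[1])
        if mtyp != "MBR":
            raise ValueError(f"expected a .MBR under a file, got {parts[1]!r}")
        member = mname
    return QsysObject(library, name, "*" + typ, member)


def cgi_authority_plan(program_path: str) -> list:
    """CHGAUT commands for the least privilege the page's observation implies.

    QTMHHTTP must traverse the library directory and read the program object
    (that is how it confirms the program exists before the job swaps profiles);
    QTMHHTP1 must traverse the library and execute the program.  Nothing is
    granted to *PUBLIC.
    """
    obj = parse_qsys_path(program_path)
    if obj.type != "*PGM" or obj.member:
        raise ValueError(f"a CGI target must be a *PGM object, got {obj.type}")
    lib_dir = None if obj.library == "QSYS" else f"{QSYS_ROOT}/{obj.library}.LIB"
    program = f"{lib_dir or QSYS_ROOT}/{obj.name}.PGM"

    def chgaut(path: str, user: str, dtaaut: str) -> str:
        return f"CHGAUT OBJ('{path}') USER({user}) DTAAUT({dtaaut}) OBJAUT(*NONE)"

    plan = []
    if lib_dir:                                       # traverse only, on the library
        plan.append(chgaut(lib_dir, WEB_USER, "*X"))
        plan.append(chgaut(lib_dir, CGI_USER, "*X"))
    plan.append(chgaut(program, WEB_USER, "*R"))      # locate it before the swap
    plan.append(chgaut(program, CGI_USER, "*RX"))     # run it after the swap
    return plan


if __name__ == "__main__":
    # hypothetical program name in the page's RJSIMAGE library
    for cmd in cgi_authority_plan("/QSYS.LIB/RJSIMAGE.LIB/WEBDOCS.PGM"):
        print(cmd)
```

Run it and paste the printed commands into a CL session; DSPAUT OBJ('/QSYS.LIB/RJSIMAGE.LIB/<name>.PGM') afterwards confirms that only the two Apache profiles (and the owner) hold any authority on the program.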

While unexpected, this mismatch between expectation and reality isn’t necessarily a problem. But paying attention to such mismatches is educational. The Linux From Scratch project has actually made a sort of perverse game of this form of pedagogy with its “User Based Package Management” approach. It looks masochistic because it is, but it is also enlightening: verifying security is all about attention to details like this.

Last I checked, V7R1 behaves the same way, and the Redbook still hasn’t been updated. So it goes …


Creepin’ on Facebook Just Got Easier

If, like me, you were a beta tester, you might not have noticed that Facebook Graph Search is now open to all users. But it is. Everyone from your former high school classmates to your co-workers to your mom’s neighbor now has access to Facebook’s powerful search engine.

While many users may use it to find friends with similar interests, it can also reveal some rather interesting and embarrassing things.

If you’d rather not show up in a Graph Search (innocent or like the ones from that Tumblr), there are a few steps to take:

Read more…


Watch and Learn: Security Metaphors

In case you weren’t able to attend Secure360 this year, you can catch the presentation that Josh More gave entitled “Security Metaphors” right here.

Here’s the original description of the presentation:

There is a divide between the so-called “security/technical” people and the “business” people. We’ve all heard about how we need to “speak the language of business” and “get soft skills” to succeed. However, even after decades of trying, the divide still exists. Why does it seem that we never make progress? Are we truly not improving? Is the goal receding as we chase it?

This presentation posits that we’ve been making a fundamental error in trying to explain things to people outside our field. One thing that people-oriented people do naturally, and technically-oriented people do not, is communicate with others using the target’s metaphors. By taking this approach and translating issues into different frames of reference, more time is spent exploring the issue instead of arguing over why it matters.

By focusing first on being understood and second on the specific issues, rapport can be built and, over time, you can get the resources you need to win more battles.


On Tigers and Teams

As many of you who read this blog know, in addition to doing security, I also like to go to zoos and take photos. (You can see my work here.) It is rare that this hobby overlaps with my life in security, but once in a while, it does. In May, I was in Washington, D.C. for a Sophos conference. After the conference (as one does), I went to the National Zoo.

I got there before opening and was taking photos. I saw these signs…


… and made a quick joke about the zoo not wanting people jumping in to pet the tigers. Then, however, I saw this, and everything changed:


Read more…


Personal Security?

We pride ourselves on our approach to security here at RJS, and we have been keenly interested in the goings-on with the NSA and the PRISM program, along with all the third parties that seem to have no problem coughing up your personal info: corporate giants such as Google, Facebook, Microsoft, etc.

Here’s a new one to add to the list: Motorola.

Ben Lincoln posted on his blog today some interesting facts he stumbled upon while troubleshooting an Exchange ActiveSync setup with his Motorola Droid X2 cell phone. It turns out that Motorola is gathering all of his logon credentials for third-party sites and services, as well as photos he has taken with the phone, and passing quite a bit of that data unencrypted over HTTP.

In layman’s terms, all of that data can be intercepted by third parties; in fact, that is how Lincoln discovered it in the first place.

We talked quite a bit about a similar issue with HTC and “Carrier IQ” being pushed to all their phones through an over-the-air update. Fortunately, Trevor Eckhart discovered that little gem and put a lot of valuable time and effort into making it known: he pointed it out to the XDA ROM modding community, and swift steps were taken to purge it from all custom ROMs. The resulting backlash against HTC was huge, to the point that their stock and market share tumbled during 2012 and 2013.

When you break your customers’ trust, it is really hard to recover.

HTC licked their wounds and released the HTC One, aptly named since it is their one last effort to salvage the company. I picked up the One this spring on vacation, rooted it a day later and installed a custom ROM that I know has been stripped of any carrier and manufacturer bloat and spyware.

Do I feel any more secure? Not really, since the NSA is digging through all my email and phone traffic regardless of the personal security steps I take.

Maybe it’s time to take a Jack Reacher approach and just unplug from everything and step entirely off of the grid …
