
Re: snmpconf Issue #17: security questions



>>>>> On Fri, 20 Apr 2001 18:15:49 +0200, David Partain <David.Partain@ericsson.com> said:

(Sorry for the delay.)

David> I personally believe that it's going to be very difficult to do
David> better than the DISMAN folks have done and am inclined to leave
David> the security model as it is (since that seems to be what DISMAN
David> decided - Juergen?  Randy?).

I think that's also the case and we don't have a whole lot of choice
here with respect to implementing something at all.

>> 1) leave as is.  I don't think this is a good option.
>> First off, who the code is going to be run as shouldn't
>> be determined by who wrote the code.

David> That's not what happens.  Who _wrote_ the code and who _writes_
David> the code into the code tables are two entirely separate issues.

Sorry, that's true and you can assume that I mean "wrote" the row, not
the code.

>> Even worse, who wrote (updated) the "last segment" of the code even
>> though all the other segments were written by someone else.

David> Keep in mind, of course, that the code tables are protected by
David> the VACM.

Yep.  It's more a complexity issue.  Consider 2 segments of code,
originally written by a low-level system administrator who had
read-only access to the MIB tree.  Let's say a system administrator
with full access privileges notes that the first code segment has a
bug in it, and fixes it.  He may not have looked at the second segment
to ensure that it wasn't performing an illegal SET.  The operations of
the entire code set are now executed at the full-privileged level.

In general, I simply disagree that the access control should be
associated with the "last SET" to the row when that column may be
updated frequently.  It makes it a pain for administrators sharing
tasks to ensure that things execute with a "standard" permission set,
since one administrator making any changes to the code affects how the
code operates.  I'm much more likely to want the code to run as
"demonuser" with a restricted set of access control but give myself
(with full permissions) write access to the code segments.

The "last SET to some particular activation column" makes much more
sense to me, which is how the DISMAN MIBs operate.

David> So, if you only want joe to write to the table, you can do
David> that.  If you set it up so that both joe and mary are allowed
David> to write, then you'd better be sure joe and mary know what
David> they're doing.  I see the VACM as the solution to what you're
David> describing.

I'm not trying to imply otherwise.  It *can* be handled correctly
using the current definition.  I just think it could be a lot more
clear-cut and less confusing if done a different way.

David> So, I believe we have it right - or the best we can do - already.

It'll work, as I mentioned.  It's just not optimal, IMHO.

-- 
Wes Hardaker
NAI Labs
Network Associates
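
The two policies argued over in the message above, modeled as an added example (this is not code from the thread, from the SNMPCONF or DISMAN work, or from any SNMP agent). The principal names (lowadmin, fulladmin, demonuser), the VACM-style views, the enterprise subtree and column OIDs, and the "segment" layout of the code table are all assumptions made for the demonstration; only sysDescr and ifAdminStatus are real MIB-II objects.

```python
"""Model of the two "who does the code run as" policies discussed above:
(a) the security name of the last SET to *any* column of the row, versus
(b) the security name of the last SET to one designated activation column.
Added example only; not code from the thread, the SNMPCONF or DISMAN work, or
any SNMP agent.  Principal names, views, OIDs and columns are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CODE_TABLE = "1.3.6.1.4.1.99.codeTable"        # hypothetical enterprise subtree
ACTIVATE_COL = CODE_TABLE + ".activate"        # hypothetical activation column
SYS_DESCR = "1.3.6.1.2.1.1.1.0"                # sysDescr.0
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7.1"      # ifAdminStatus.1 (SET is "illegal" for lowadmin)

# Constructed VACM-style views: op -> subtrees the principal may use it on.
VIEWS: Dict[str, Dict[str, List[str]]] = {
    "lowadmin":  {"get": ["1.3.6.1"], "set": [CODE_TABLE]},
    "fulladmin": {"get": ["1.3.6.1"], "set": ["1.3.6.1"]},
    "demonuser": {"get": ["1.3.6.1.2.1.1"], "set": [ACTIVATE_COL]},
}

Op = Tuple[str, str]  # ("get" | "set", oid)


def in_subtree(oid: str, subtree: str) -> bool:
    """Component-wise prefix test, so 1.3.6.1.2.1.1 does not match 1.3.6.1.2.1.10."""
    o, s = oid.split("."), subtree.split(".")
    return o[:len(s)] == s


def vacm_allows(principal: str, op: str, oid: str) -> bool:
    """Stand-in for VACM isAccessAllowed(): is oid inside one of the views?"""
    return any(in_subtree(oid, s) for s in VIEWS.get(principal, {}).get(op, []))


@dataclass
class CodeRow:
    """One row of the code table: code segments plus an activation column.
    Each column records (principal, sequence number) of its last SET so both
    policies can be evaluated over the same history."""
    segments: List[List[Op]] = field(default_factory=list)
    writers: List[Tuple[str, int]] = field(default_factory=list)
    activator: Tuple[str, int] = ("", -1)
    seq: int = 0

    def set_segment(self, principal: str, index: int, code: List[Op]) -> None:
        if not vacm_allows(principal, "set", f"{CODE_TABLE}.seg.{index}"):
            raise PermissionError(f"{principal} may not write segment {index}")
        self.seq += 1
        while len(self.segments) <= index:
            self.segments.append([])
            self.writers.append(("", -1))
        self.segments[index], self.writers[index] = code, (principal, self.seq)

    def activate(self, principal: str) -> None:
        if not vacm_allows(principal, "set", ACTIVATE_COL):
            raise PermissionError(f"{principal} may not activate the row")
        self.seq += 1
        self.activator = (principal, self.seq)

    def effective_principal(self, policy: str) -> str:
        if policy == "last-set-any-column":        # the model objected to above
            return max(self.writers + [self.activator], key=lambda w: w[1])[0]
        if policy == "activation-column":          # the DISMAN-style model
            return self.activator[0]
        raise ValueError(policy)

    def run(self, policy: str) -> List[Tuple[int, str, str, bool]]:
        """Run every segment as the effective principal; return per-op outcomes."""
        who = self.effective_principal(policy)
        return [(i, op, oid, vacm_allows(who, op, oid))
                for i, seg in enumerate(self.segments) for op, oid in seg]


def scenario_from_message() -> Dict[str, List[Tuple[int, str, str, bool]]]:
    """lowadmin writes two segments and activates the row; segment 1 hides a
    SET lowadmin is not allowed to do.  fulladmin then fixes only segment 0."""
    row = CodeRow()
    row.set_segment("lowadmin", 0, [("get", "1.3.6.1.2.1.1.5")])  # bug: no instance suffix
    row.set_segment("lowadmin", 1, [("set", IF_ADMIN_STATUS)])
    row.activate("lowadmin")
    row.set_segment("fulladmin", 0, [("get", SYS_DESCR)])         # the bug fix
    return {p: row.run(p) for p in ("last-set-any-column", "activation-column")}


def scenario_demonuser() -> List[Tuple[int, str, str, bool]]:
    """The preferred setup: fulladmin owns the code, demonuser owns activation."""
    row = CodeRow()
    row.set_segment("fulladmin", 0, [("get", SYS_DESCR), ("set", IF_ADMIN_STATUS)])
    try:
        row.set_segment("demonuser", 0, [])         # demonuser cannot touch the code
    except PermissionError:
        pass
    row.activate("demonuser")
    return row.run("activation-column")


if __name__ == "__main__":
    for policy, results in scenario_from_message().items():
        print(policy, [(i, op, ok) for i, op, _, ok in results])
    print("demonuser:", [(op, ok) for _, op, _, ok in scenario_demonuser()])
```

Under "last-set-any-column" the fulladmin bug fix to segment 0 silently makes segment 1's SET succeed; under "activation-column" the row keeps running as whoever activated it, and the demonuser scenario shows full-privilege authors editing code that still executes with a restricted view. Note that the subtree test compares OID components rather than string prefixes; a plain `str.startswith` check would let a view for `1.3.6.1.2.1.1` leak `1.3.6.1.2.1.10`.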