On 02/11/99 20:22:28 you wrote:
http://www.geek-girl.com/bugtraq/1999_1/0594.html
I think that falls into the "Doc, it hurts when I do that" category, but it's a good reminder anyway.
The message, however, is just wrong in many places. I'll quote it below to pick apart.
Jason Downs writes:
> Filers typically have an "admin host" which can mount and read/write to the filer root directory. Without it, it's impossible to do any sort of system maintenance on the filer.
This simply isn't true; there are many sorts of system maintenance that can be done on the console without an admin host, and even more so now with Web-based administration. One doesn't even have to have a permanent admin host... you could just briefly export the root directory for a quick update, then unexport it from the filer console.
> If this host is compromised it's obviously bad news for the filer. But now, apparently new with the 5.x revisions of the filer operating system, a malicious individual can likely destroy the disk drive hardware itself. It is not known if any sort of sanity check is done on the contents of the firmware files; it's likely there is none, considering the type of code they contain.
This isn't new; a malicious individual could potentially affect firmware in previous versions. This is potentially the case in almost any OS... although I admit, 5.x makes it a little "easier" to do so. Firmware also isn't hardware, although bad firmware could theoretically lead to physical damage of the disk drive hardware mechanism.
> Of course, it is trivial to gain command line access to a filer once the admin host is compromised. They use what amounts to /etc/hosts.equiv for rsh access.
Wrong. People keep thinking the admin host is some mythical authoritative host. It isn't. It's nothing. Forget the term. You *can*, if you like, allow one or more hosts to telnet into the filer, rsh into it without a password, or mount its root partitions. These are no more and no less a factor in the filer than in any other system, and you are perfectly capable of *not* allowing a host to do any of the above. The filer will continue to work.
> It has always been important to make sure the "admin host" of a filer is secure.
This is true.
> Now it seems Network Appliance has just raised the stakes; not only can you lose your data, but you can also potentially lose hundreds of thousands of dollars worth of hardware.
This isn't true, and no one should be doing risk analysis assuming that a user accessing a system through software can't do damage to the hardware underneath.
Jason, I'm CC:ing you on this; you're free to insert it into the bugtraq archive record if you wish since I don't subscribe to it.
Bruce