[23493] in bugtraq
Re: IBM WebSphere on UNIX security alert !
daemon@ATHENA.MIT.EDU (Christer Palm)
Thu Dec 13 18:48:01 2001
Message-ID: <3C191182.8050100@nogui.se>
Date: Thu, 13 Dec 2001 21:37:22 +0100
From: Christer Palm <palm@nogui.se>
MIME-Version: 1.0
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Cc: "Tunkelo Heikki (extern)" <Heikki.Tunkelo@erln.gepas.de>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Tunkelo Heikki (extern) wrote:
>
> On default installation WebSphere installs itself to run with
> root-identity, and stores root password as a clear text to a file
> $WASROOT/properties/sas.server.props. The file has permissions 600,
> and therefore other users on system cannot access it.
>
This is not correct. The password (and user ID) stored in
sas.server.props is in fact _NOT_ the system root password, but the user
ID and password chosen at installation time for the Administration
Server security.
However, I have seen far too many installations using 'root' and
whatever the system root password is here. A related issue is using the
instance owner ('db2inst1' by default in DB2) as the user ID to access
the database. The security conscious should of course create separate
non-privileged user identities for those. On the other hand, it's not
surprising that people make these mistakes given the (IMHO) extremely poor
documentation.
Whether or not it is wise to have WebSphere Application Server run as
root is another issue that has been discussed ever since the release of
WebSphere Application Server 3.x a few years ago (WebSphere Application
Server 2.x used to run as 'nobody'), so that is really old news.
Unfortunately some functionality is lost when you run WebSphere
Application Server under a non-privileged user ID. One can also discuss
whether an installation tweaked to run under a non-privileged user ID is
an IBM-supported configuration, and whether such a configuration is
still potentially vulnerable.
IMHO, IBM should change it to run under a non-privileged ID by default.
--
Christer Palm
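The following is an added example, not part of Christer Palm's message and not code shipped by IBM: a small POSIX shell audit for the two configuration problems the reply describes, a sas.server.props file that is readable beyond its owner, and a privileged account (root, or the DB2 instance owner) used as the administration-server user ID. The property names com.ibm.CORBA.loginUserid and com.ibm.CORBA.loginPassword are assumed names for the user ID and password entries, and the list of "privileged" IDs is a local policy choice; the sample files the demo writes are constructed, not taken from a real installation.

```shell
#!/bin/sh
# Added example (not from the original post, not IBM code): audit a
# sas.server.props-style Java properties file for
#   1. permissions looser than owner-only (600/400), and
#   2. a privileged account used as the administration user ID.
#
# ASSUMPTIONS: the keys com.ibm.CORBA.loginUserid / loginPassword are assumed
# names for the user ID and password entries; PRIVILEGED_IDS is local policy.

PRIVILEGED_IDS="root db2inst1"

# file_mode FILE -> octal permission bits (GNU stat, BSD/macOS fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# prop FILE KEY -> value of KEY in a .properties file ('' if absent);
# tolerates "key = value" and "key: value" spellings.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" | head -n 1
}

# audit_props FILE -> one line per finding on stdout;
# exit status is the number of findings (0 means clean).
audit_props() {
    f=$1
    findings=0

    mode=$(file_mode "$f")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $f has mode $mode; group/other bits expose the password"
           findings=$((findings + 1)) ;;
    esac

    uid=$(prop "$f" com.ibm.CORBA.loginUserid)
    for p in $PRIVILEGED_IDS; do
        if [ "$uid" = "$p" ]; then
            echo "FAIL: loginUserid is the privileged account '$p'; use a dedicated non-privileged ID"
            findings=$((findings + 1))
        fi
    done

    # The password is stored in clear by design; flag it so that it gets
    # rotated if the file was ever readable by other users.
    if [ -n "$(prop "$f" com.ibm.CORBA.loginPassword)" ]; then
        echo "INFO: loginPassword is stored in clear text in $f"
    fi

    return $findings
}

# demo -> writes two CONSTRUCTED sample files and audits both.
demo() {
    d=$(mktemp -d)
    printf 'com.ibm.CORBA.loginUserid=root\ncom.ibm.CORBA.loginPassword=secret\n' > "$d/bad.props"
    chmod 644 "$d/bad.props"
    printf 'com.ibm.CORBA.loginUserid=wasadmin\ncom.ibm.CORBA.loginPassword=secret\n' > "$d/good.props"
    chmod 600 "$d/good.props"

    n=0; audit_props "$d/bad.props" || n=$?
    echo "bad.props: $n finding(s)"
    n=0; audit_props "$d/good.props" || n=$?
    echo "good.props: $n finding(s)"
    rm -rf "$d"
}

demo
```

On a real host, replace the `demo` call with `audit_props "$WASROOT/properties/sas.server.props"`; a non-zero exit status signals findings, which makes the script usable from a cron job or a build check. The script does not tell you which user the server process itself runs as; `ps -o user= -p <pid>` answers that separately.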