[8041] in bugtraq

Re: Globetrotter FlexLM 'lmdown' bogosity

daemon@ATHENA.MIT.EDU (Kemasa)
Mon Sep 28 00:56:07 1998

Date: 	Sun, 27 Sep 1998 11:33:32 -0700
Reply-To: Kemasa <kemasa@SILICON.NET>
From: Kemasa <kemasa@SILICON.NET>
X-To:         Valdis.Kletnieks@VT.EDU
To: BUGTRAQ@NETSPACE.ORG

>From: Valdis.Kletnieks@VT.EDU
>...
>Well, here's an oldie but goodie, which we first saw at least 3 years
>ago.  Lo and behold, it's apparently STILL broken.  Sorry, no vendor
>notification - we told them 3 years ago. ;)
>
>FlexLM 'lmdown' command will chow your license server from anywhere on
>the Internet - all you need is a copy of the license file.  The
>authentication appears to be "Well, you appear to be root on the
>machine that you typed 'lmdown' on".

Have you looked at the switch options for lmgrd? If you had you
would find that there is an option to limit the ability to take
down the license daemons to a specific group, which basically
stops what you are talking about. I think it is also possible
to completely ignore a lmdown command since it would be possible
to try all possible group ids.

It is a bit of a problem that they set it up that way by default
and since you need not run it as root, you should change the
owner to something else, change the options and clean up
the way the log files work.

You DO have the option of changing the functionality though,
so you really can't blame them for your not looking at the
man pages on the program.



                                                 Kemasa.
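An added example, not part of the original message: a defender's check that flags lmgrd processes still accepting lmdown from anyone, or still running as root. The message does not name the switches; `-x lmdown` (disable lmdown) and `-2 -p` (limit it to the license administrator or the lmadmin group) are taken from the FLEXlm end-user documentation and assumed to be supported by the installed version. The sample process lines, paths and user names are constructed.

```shell
#!/bin/sh
# Added example: audit lmgrd command lines for the lmdown hardening
# discussed above. Input: one process per line, "USER COMMAND ARGS..."
# (the layout produced by `ps -eo user=,args=`).
# Flags checked (from FLEXlm end-user docs; assumed present in your version):
#   -x lmdown   lmdown is disabled outright
#   -2 -p       lmdown limited to the license administrator / lmadmin group

audit_lmgrd() (
    set -f                          # no globbing while splitting args
    while read -r user cmd args; do
        [ "${cmd##*/}" = "lmgrd" ] || continue   # skip non-lmgrd processes
        has2=no; hasp=no; state=unrestricted; prev=
        for a in $args; do
            case "$a" in
                -2) has2=yes ;;
                -p) hasp=yes ;;
                lmdown) if [ "$prev" = "-x" ]; then state=disabled; fi ;;
            esac
            prev=$a
        done
        if [ "$state" != disabled ] && [ "$has2$hasp" = yesyes ]; then
            state=restricted
        fi
        if [ "$state" = unrestricted ]; then verdict=FAIL
        elif [ "$user" = root ]; then verdict=WARN   # lmgrd need not run as root
        else verdict=OK
        fi
        echo "$verdict user=$user lmdown=$state"
    done
)

# Constructed sample input (not real hosts or paths).
sample_ps() {
    cat <<'EOF'
root    /usr/local/flexlm/lmgrd -c /usr/local/flexlm/license.dat
flexlm  /opt/flexlm/lmgrd -c /opt/flexlm/a.dat -2 -p
flexlm  /opt/flexlm/lmgrd -c /opt/flexlm/b.dat -x lmdown
root    /opt/flexlm/lmgrd -x lmdown -c /opt/flexlm/c.dat
root    /usr/sbin/sshd -D
EOF
}

sample_ps | audit_lmgrd
```

On a live host, feed it `ps -eo user=,args=` instead of `sample_ps`.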
