QNX RTOS v4 Knowledge Base
QNX RTOS v4 Knowledge Base
| Title |
Phindows Security issues |
| Ref. No. |
QNX.000009521 |
| Category(ies) |
Configuration |
| Issue |
1: What can be done to prevent a Phindows user from phdittoing an existing Photon session?
2: It seems that everybody is able to ditto anybody's Photon session via Phindows with the "-n" option. The reason for that seems to be that phrelay is started as root from inetd. |
| Solution |
Issue 1: What can be done to prevent a Phindows user from phdittoing an existing Photon session?
There is nothing within Phindows itself which can prevent this, since this ability is available from any normal Photon session. What can be done is to set up a login+password configuration that prevents non-trusted users from getting into Phindows in the first place. You'd need to specify "phrelay %" in the etc/config/phrelay.<node> file -- the "%" forces a login/password for each new connection.
Here are a few other tricks you may want to consider:
1. You can supress access to the $PHOTON device (normally /dev/photon, but often /dev/ph<pid of Photon>) for all users except root. You'd have ythe startup script for photon (ph, by default) execute a chmod 600 $PHOTON.
2. You could use the public-domain "TCP-Wrapper" utility to block/permit phrelay access based on IP-addresses of the originator. Described as "quite easy to setup and Pretty Secure (tm)" by one of our users.
3. Not starting the desktop manager (or removing some of the application's buttons) and removing access to the shell will make the machine less vulnerable.
= = = = = = = = = = = = = = = = = = = = = = = = = = = =
Issue 2: It seems that everybody is able to ditto anybody's Photon session via Phindows with the "-n" option. The reason for that seems to be that phrelay is started as root from inetd.
Phindows was not designed with security in mind. The only way to limit access via Phindows is by denying user access via the inetd.conf file (or the /etc/config/phrelay.<node> file). This is a rather blunt object, since it denies _all_ use of Phindows to the user,not just the -n options.
The noditto utility, which looks like it might be useful in such situations, only blocks text-mode console dittoing by the ditto utility. It does nothing for phditto or Phindows. |
|
