Opened 14 months ago

Closed 14 months ago

Last modified 14 months ago

#1402 closed defect (fixed)

/data/freenas-v1.db is world readable

Reported by: m000
Owned by: william
Priority: critical
Milestone: 8.0.4-RELEASE
Component: Backend
Version: 8.0.2-RELEASE
Keywords:
Cc:

Description

The configuration database file /data/freenas-v1.db is world readable.

[root@zbox0] ~# ls -l /data/freenas-v1.db
-rw-r--r--  1 root  wheel  182272 Mar 15 15:10 /data/freenas-v1.db

This may lead to a major security incident in case Active Directory is enabled, because the administrator password is stored in PLAINTEXT in the database. So any Active Directory user may ssh to the FreeNAS box and retrieve the domain password.

luchalibre:~ mstamat$ ssh user@zbox0
user@zbox0's password: 
Last login: Thu Mar 15 15:29:14 2012 from xxx.xx.xx.x
.
.
.
$ id
uid=21523(user) gid=23233(agroup) groups=23233(agroup),20513(domain users)
$
$ /usr/local/bin/sqlite3 /data/freenas-v1.db
SQLite version 3.7.7.1 2011-06-28 17:39:05
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select ad_domainname, ad_adminpw from services_activedirectory;
domain.com|DOMAIN_ADMIN_PASSWORD
sqlite> 
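
The exposure reported above can be checked for directly. The following Python sketch is an added example, not code from this ticket or from FreeNAS; the function names `audit` and `harden` and the 0o600 target mode are assumptions, since the ticket does not say which mode r10692 applied.

```python
import os
import stat
from pathlib import Path


def audit(path, top="/"):
    """Report whether `path` is readable by accounts other than owner/group.

    A file is only exposed if its own o+r bit is set AND every directory
    from `top` down to it grants o+x (search). `top` bounds the walk;
    the default "/" checks the full chain of ancestors.
    """
    path, top = Path(path).resolve(), Path(top).resolve()
    mode = stat.S_IMODE(path.stat().st_mode)
    blocked_by = None
    for parent in path.parents:
        if not parent.stat().st_mode & stat.S_IXOTH:
            blocked_by = str(parent)  # others cannot traverse this directory
        if parent == top:
            break
    other_read = bool(mode & stat.S_IROTH)
    return {
        "mode": oct(mode),
        "other_read": other_read,
        "blocked_by": blocked_by,
        "exposed": other_read and blocked_by is None,
    }


def harden(path, mode=0o600):
    """Drop group/other access and return the resulting mode.

    0o600 is an assumed target. If a non-root service account must read
    the file, a dedicated group with 0o640 is the usual alternative.
    """
    os.chmod(path, mode)
    return audit(path)["mode"]


if __name__ == "__main__":
    import sys
    # Default path is the one named in this ticket.
    for p in sys.argv[1:] or ["/data/freenas-v1.db"]:
        print(p, audit(p))
```

On the mode shown in the `ls -l` output above (`-rw-r--r--`), `audit` reports `other_read` as true; the file counts as exposed only if `/data` and `/` are also searchable by others.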

Change History (5)

comment:1 follow-up: Changed 14 months ago by m000

Apart from /data/freenas-v1.db being readable, the way Active Directory support is implemented seems to be majorly flawed. Why the hell do you need to store the domain admin password anywhere on a client box? After joining the domain, the password should be dumped and only the host credentials should be kept. Typically (IIRC) samba keeps the host credentials in the secrets.tdb file.

The process described here (sans software installation parts) properly joins a samba host to an Active Directory domain:
http://www.debian-administration.org/article/Using_Samba_on_Debian_Linux

comment:2 in reply to: ↑ 1 Changed 14 months ago by jhixson

Replying to m000:

> Apart from /data/freenas-v1.db being readable, the way Active Directory support is implemented seems to be majorly flawed. Why the hell do you need to store the domain admin password anywhere on a client box? After joining the domain, the password should be dumped and only the host credentials should be kept. Typically (IIRC) samba keeps the host credentials in the secrets.tdb file.

While I agree the password should be encrypted, it is necessary to store it in the database as it needs to persist across upgrades.

> The process described here (sans software installation parts) properly joins a samba host to an Active Directory domain:
> http://www.debian-administration.org/article/Using_Samba_on_Debian_Linux

I don't see anything on this page that isn't currently done with our Active Directory joining implementation.

comment:3 follow-up: Changed 14 months ago by william

  • Owner set to william
  • Status changed from new to accepted

I believe this is fixed in r10692.

Thank you.

comment:4 Changed 14 months ago by william

  • Resolution set to fixed
  • Status changed from accepted to closed

comment:5 in reply to: ↑ 3 Changed 14 months ago by m000

Replying to william:

> I believe this is fixed in r10692.
>
> Thank you.

Yes, database mode is fixed. Still, storing the Active Directory admin password makes no sense. I'll open a different ticket for this (if one doesn't exist).

Thanks!
