
List:       bugtraq
Subject:    Re: Citrix Winframe client for Linux
From:       Andy Polyakov <appro () FY ! CHALMERS ! SE>
Date:       1999-05-31 22:45:30

> > All configuration information is stored in a
> > directory /usr/lib/ICAClient/config which is mode 777.
While we're on the matter...

Background. ICA client lets you "mount" any UNIX directory as a drive
within any particular WinFrame/MetaFrame session.

Problem. Files created by Windows on such a client-mapped drive appear to
be world-writable. umask doesn't have any effect. Tracing system calls
made by the client reveals that all newly created files are scrupulously
chmoded to 777. Both 2.x and 3.x clients exhibit this behaviour. No, it
doesn't mean a compromise. But I find it totally inappropriate when such
an important security description as access permissions on newly created
files is taken behind my back.

Workaround (for platforms supporting dynamic linking). Compile the following
"module" as a shared object and make the run-time linker preload it (e.g. by
setting LD_PRELOAD on Linux and Solaris and
_RLD_LIST=${ICAROOT}/chmod.so:DEFAULT on IRIX)

		int chmod(){return 0;}

Side effects. If you have version 3.x and a user runs the client for the
very first time, initial config files are copied from ${ICAROOT}/config
and they (files) inherit 444 access permissions. To work around this,
chmod u+w ${ICAROOT}/config/* (files in ${ICAROOT}/config are owned by
root anyway).

Andy.
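
Added example, not part of the message above and not Citrix code: a Linux-only variant of the preload shim that forwards each chmod with the process umask applied instead of discarding it, so mode changes still reach the kernel but a 777 request is cut down to what umask allows. The file name umask_chmod.c, the helper names and the extra fchmod wrapper are assumptions of this example.

```c
/* umask_chmod.c - added example, not from the original post (Linux only).
 * Build: cc -shared -fPIC -o umask_chmod.so umask_chmod.c
 * Use:   LD_PRELOAD=/path/to/umask_chmod.so <client command> */
#define _GNU_SOURCE
#include <fcntl.h>        /* AT_FDCWD */
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Clear the permission bits that the mask forbids; setuid, setgid and
 * sticky bits are passed through, as umask never covers them. */
mode_t masked_mode(mode_t requested, mode_t mask)
{
    return requested & ~(mask & 0777);
}

/* umask() can only be read by setting it, so set it and restore it.
 * Not thread-safe: a file created by another thread in between is
 * created with umask 0. */
mode_t current_umask(void)
{
    mode_t old = umask(0);
    umask(old);
    return old;
}

/* Takes the place of libc's chmod() in the preloaded process. The raw
 * fchmodat syscall is used so the shim does not call back into itself. */
int chmod(const char *path, mode_t mode)
{
    return (int)syscall(SYS_fchmodat, AT_FDCWD, path,
                        masked_mode(mode, current_umask()));
}

/* Same treatment for mode changes made through a file descriptor. */
int fchmod(int fd, mode_t mode)
{
    return (int)syscall(SYS_fchmod, fd, masked_mode(mode, current_umask()));
}
```

With umask 022 a chmod to 777 ends up as 755, and with umask 077 as 700; a request for 444 is never widened, since the shim only removes bits.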
