Endian Bugtracker
View Issue Details

ID: 0000308
Project: Endian Firewall
Category: Security
View Status: public
Date Submitted: 2007-11-09 22:33
Last Update: 2010-09-24 11:10
Reporter: rainy
Assigned To:
Priority: none
Severity: feature
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.2-beta1
Target Version: future
Fixed in Version:
Summary: 0000308: auto login allows reboot and reset to factory-default

Description:
After booting the system, I found out that there is an auto login running which gives a menu at the console:

0 shell
1 reset to factory default
2 reboot

I had to find out that option 0 (shell) requires a user name and login password; however, options 1 and 2 don't even ask for a password, they just ask for confirmation by entering a 'y'.

I don't think that this is a really good idea for a security system. Local users might cause a denial of service or even take control of the firewall by resetting the system to factory default and then taking it over by setting a new configuration!

Please be aware of this serious issue!
Tags: No tags attached.
Attached Files:
Relationships:

Notes
(0000638) peter-endian (administrator), 2007-11-10 03:12

Well, what difference does it make for a local user to attach a serial cable and do a reboot, or to simply strip the power cord and reattach it?

Or what about factory default and opening the firewall case, disassembling the hard disk and changing whatever values you want by mounting it on another machine?

The administrator of the system needs to physically secure the machine, by locking the rack or the room where the firewall is.

On the other hand, if we secured those menu items with a password, there would no longer be any possibility for an administrator who forgets the password to reset the machine.
(0000639) rainy (reporter), 2007-11-11 15:30 (edited on 2007-11-11 15:41)

Hi Peter, I understand your arguments; on the other hand, I would like to have the possibility to disable that auto-login.

I have been a FW admin for a long time and I have never seen a menu like that on a firewall gateway. In case one really forgot the password or the system is unavailable, he/she could easily boot from a Linux/Knoppix system and access the file system anyhow. If one forgot the admin password, he/she could install a new image of the firewall software.

There are many pros and cons in this discussion. Therefore I'd suggest a topic in the Admin GUI where an administrator could enable or disable that feature, so each one could choose his/her setting and would be happy ;)

With regards
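A defender-side sketch of the per-option toggle proposed in this thread, added here as an example and not Endian's own console code: the factory reset and reboot entries go through the same login gate as the shell entry, and a config file (hypothetical path and key names) lets the administrator disable the reset entirely or, if they accept the trade-off, allow an unauthenticated reboot. Denied attempts are logged so that someone poking at an unattended console leaves a trace.

```shell
#!/bin/sh
# Added example, not Endian's code: policy check for a console menu like the
# one in this issue (0 shell / 1 reset to factory default / 2 reboot).
# The config file path and key names are hypothetical, chosen for this example.
CONSOLE_MENU_CONF="${CONSOLE_MENU_CONF:-$(mktemp)}"

# Write a constructed sample config: factory reset off, reboot needs login.
write_example_conf() {
    cat >"$CONSOLE_MENU_CONF" <<'EOF'
# console menu policy (constructed example)
CONSOLE_RESET_ENABLED=no
CONSOLE_REBOOT_UNAUTH=no
EOF
}

# Look up KEY=VALUE in the config; "no" when the key is missing.
conf_get() {
    val=$(sed -n "s/^$1=//p" "$CONSOLE_MENU_CONF" 2>/dev/null | head -n 1)
    echo "${val:-no}"
}

# Decide whether a menu option may run.
#   $1 option number, $2 "yes" if the user passed the login prompt, else "no"
# Prints allow, deny or unknown; denials are also reported on stderr.
menu_decision() {
    opt="$1"; authed="$2"
    case "$opt" in
        0) if [ "$authed" = yes ]; then verdict=allow; else verdict=deny; fi ;;
        1) # factory reset: only after login and only if explicitly enabled
           if [ "$authed" = yes ] && [ "$(conf_get CONSOLE_RESET_ENABLED)" = yes ]
           then verdict=allow; else verdict=deny; fi ;;
        2) # reboot: after login, or without login only if the admin opted in
           if [ "$authed" = yes ] || [ "$(conf_get CONSOLE_REBOOT_UNAUTH)" = yes ]
           then verdict=allow; else verdict=deny; fi ;;
        *) verdict=unknown ;;
    esac
    if [ "$verdict" = deny ]; then
        echo "console-menu: option $opt denied (authenticated=$authed)" >&2
    fi
    echo "$verdict"
}

# Demo run with the constructed config.
write_example_conf
for o in 0 1 2; do
    echo "option $o: unauthenticated=$(menu_decision "$o" no) after-login=$(menu_decision "$o" yes)"
done
```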

(0000943) Anonymous (viewer), 2008-03-03 09:41 (edited on 2008-03-03 10:21)

I am in agreement with the reporter. I was shocked to see that autologin allows reboot/reset. Please either make this an option that can be turned off if wanted, or turn it off completely.

(0002440) mike-f (updater), 2009-05-29 22:11

As for the "reset", I agree: not really needed.

But the reboot option is "a must have" in cases where networking stops and the customer has to reboot (a hard reset is quite ugly, as there might be some filesystem issues afterwards).
As the boxes are together with other servers in a closed room (hope so :-), only a handful of people are allowed to physically access them,
so reboot should be a "no issue, works as expected".

We might implement an option to disable the "reboot" in case the admin wants to, but until then I would leave it as is.
(0002451) peter-endian (administrator), 2009-06-03 17:25

fixed?

Issue History
Date Modified Username Field Change
2007-11-09 22:33 rainy New Issue
2007-11-10 03:12 peter-endian Note Added: 0000638
2007-11-10 03:12 peter-endian Status new => feedback
2007-11-11 15:30 rainy Note Added: 0000639
2007-11-11 15:41 rainy Note Edited: 0000639
2007-11-28 15:58 raphael-endian Severity major => minor
2007-12-19 17:57 peter-endian Priority normal => none
2008-03-03 09:41 Anonymous Note Added: 0000943
2008-03-03 09:41 Anonymous Status feedback => confirmed
2008-03-03 10:21 Anonymous Note Edited: 0000943
2008-03-04 16:13 peter-endian Target Version => 2.2-rc1
2008-05-09 14:44 peter-endian Target Version 2.2-rc1 => 2.2
2008-05-26 15:41 peter-endian Target Version 2.2 => 2.3
2008-09-10 18:03 chris-endian Target Version 2.3 => future
2009-05-29 22:11 mike-f Note Added: 0002440
2009-06-03 17:25 peter-endian Status confirmed => new
2009-06-03 17:25 peter-endian Assigned To => raphael-endian
2009-06-03 17:25 peter-endian Note Added: 0002451
2009-06-10 16:01 peter-endian Assigned To raphael-endian =>
2009-06-11 20:32 mike-f Relationship added parent of 0000447
2010-01-21 19:28 peter-endian Severity minor => feature
2010-09-24 11:10 peter-endian Relationship deleted parent of 0000447
2010-09-24 11:10 peter-endian Status new => closed
2010-09-24 11:10 peter-endian Resolution open => fixed
