ID Number: Q60430
2.00 2.10
OS/2
Summary:
The following are questions and answers about security issues that
pertain to OS/2 LAN Manager versions 2.0 and 2.1.
More Information:
1. Q. What security is available for LAN Manager API calls? For
example, I am able to modify a user's full name through an OS/2
server script issuing a NetUserSetInfo() call without being
logged on either at the workstation or by issuing a
NetWkstaSetUID() prior to (or even after) executing
NetUserSetInfo(). Also, I could not accomplish the same thing
through the NET USER command at the OS/2 prompt, as I received a
"system access denied" error. If this is the case, couldn't
someone who knows C and the APIs wreak havoc upon the system?
A. When a remote call is made to change any user account
information, the remote user must have admin privileges to make
changes in any account other than his/her own account.
Therefore, all user account information is protected from remote
users.
On the (local) server, any user can make a NetUserSetInfo() call
and make changes to a user account. If you need to secure your
server's user account system (UAS), you need to use local
security (run SECURESH.EXE). Alternatively, you can run "NET
CONSOLE", which does not let anyone other than the administrator
change the screen group, thereby securing the user account
system.
The Net Admin interface checks your privilege before it lets you
change anything in the user account system.
2. Q. On an OS/2 server running LAN Manager 2.0 or 2.1 and local
security (SECURESH.EXE), will a background process that modifies
the UAS, without the process first issuing a NetWkstaSetUID2()
in order to log on (nobody is currently logged on the
workstation), be able to modify the UAS?
A. When nobody is currently logged on, the user/process has LOCAL
security. Therefore, if the LOCAL group has been granted RWX
privileges (as opposed to RX or R only privilege), the program
will modify the UAS.
The only way to stop a person or process from changing the UAS
is by not granting that person or process the W privilege. To do
this, give the USERS group (the default group when you add a user
account) only the RX privilege for the LAN Manager tree (for
example, C:\LANMAN), and grant the W privilege for the LAN Manager
tree only to a limited set of people.
3. Q. On an OS/2 server running LAN Manager 2.0 or 2.1 with no local
security, but with NET CONSOLE running, will a background
process that modifies the UAS, without the process first issuing
a NetWkstaSetUID2() in order to log on (nobody is currently
logged on the workstation), be able to modify the UAS?
A. Yes, a background process can change the UAS even when NET
CONSOLE is running.
4. Q. On an OS/2 server running LAN Manager 2.0 or 2.1 and local
security (SECURESH.EXE), will a background process that modifies
items outside the scope of the UAS (servers, shared resources,
print jobs, and so on) without the process first issuing a
NetWkstaSetUID2() in order to log on (nobody is currently logged
on the workstation), be able to modify these items?
A. You must prevent the person from launching a background process.
The following scenario explains why.
Suppose ADMIN is logged off. At this time, if a person named
TEST wants to log on, the RX privilege must be granted to the
LOCAL group for the LAN Manager and OS/2 tree (to be able to run
NET LOGON). Now, after TEST logs on, he or she launches a background
process that checks if it can change the UAS. TEST will receive
the 2199 error at this time, as the LOCAL group has only the RX
privilege and no W privilege. Therefore, he or she may
(Dos)Sleep() for a while and try again later.
Suppose that in the meantime, ADMIN returns and logs on (NET
LOGON). At this time, the background process will be able to
change the UAS. The current local user is ADMIN, who has all
privileges.
The only way to prevent this from happening is to not give any
privileges to the LOCAL group. Then, once ADMIN logs off, NOBODY
can access or run any programs, including NET LOGON. Thus, in
such a system, PRIVINIT.CMD (which is executed when the system
is booted) must look like the following:

    net start server
    net logoff

The administrator can put NET ADMIN in this command file as
well. However, he or she should set up the UAS once, and from
then on just use the server over the network. Should the
administrator later decide to change the UAS for accessing the
server locally or for some other reason, he or she can change
the UAS over the network by remote administration (NET ADMIN
\\<remote computer name>).
Such a server, then, becomes completely secure against any local
intrusion.
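The scenario in answer 4 can be traced with a small model. The Python below is an added illustration, not code from this article or from LAN Manager; the Server class, the "poller" process name and the use of RWX to stand for ADMIN's "all privileges" are assumptions. It also assumes that a local process is checked against whoever is logged on locally at that moment, or against the LOCAL group if nobody is.

```python
# Added illustration: simplified model of the Q4 local-security scenario.
# Assumption: a local process is checked against the privileges of whoever is
# logged on locally at that moment, or against the LOCAL group if nobody is.
ERR_DENIED = 2199  # error number quoted in the article


class Server:
    def __init__(self, local_group, users):
        self.perms = dict(users, LOCAL=local_group)  # name -> privilege letters
        self.logged_on = None   # current local user; None means nobody
        self.background = []    # background processes outlive logoff/logon

    def effective(self):
        return self.perms[self.logged_on or "LOCAL"]

    def logon(self, user):
        # NET LOGON is a program too: starting it needs X right now.
        if "X" not in self.effective():
            return False
        self.logged_on = user
        return True

    def logoff(self):
        self.logged_on = None

    def launch_background(self, name):
        if "X" not in self.effective():
            return False
        self.background.append(name)
        return True

    def try_uas_write(self, name):
        if name not in self.background:
            return None  # the process never started
        return 0 if "W" in self.effective() else ERR_DENIED


def q4_timeline(local_group):
    """Replay Q4: TEST logs on and leaves a poller; ADMIN logs on later."""
    s = Server(local_group, {"ADMIN": "RWX", "TEST": "RX"})  # constructed accounts
    log = [("TEST logon", s.logon("TEST")),
           ("launch", s.launch_background("poller")),
           ("write while TEST", s.try_uas_write("poller"))]
    s.logoff()
    log.append(("ADMIN logon", s.logon("ADMIN")))
    log.append(("write while ADMIN", s.try_uas_write("poller")))
    return log


if __name__ == "__main__":
    for local in ("RX", ""):
        print(repr(local), q4_timeline(local))
```

With LOCAL set to RX the last write succeeds once ADMIN is logged on; with no LOCAL privileges nothing starts locally at all, which is why the server is then administered over the network.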
5. Q. On an OS/2 server running LAN Manager 2.0 or 2.1 with no local
security, but with NET CONSOLE running, will a background
process that modifies items outside the scope of the UAS (that
is, servers, shared resources, print jobs, and so on) without
the process first issuing a NetWkstaSetUID2() in order to log on
(nobody is currently logged on the workstation), be able to
modify these items?
A. You must look at specific APIs. However, in any case, the
background process can just wait until someone with ADMIN
privilege logs on. At this time, the background process can
execute any ADMIN level API as well as any other API.