[lots of stuff about SGI incompetence, especially with regards to security.]
I've recently been playing with our O2 too. I spotted the webdist.cgi problem
immediately (by luck, it was the first script I bothered to look at). The
presence of symlinks makes everything worse. There are dozens of them, some
going outside the /var/www area. These point to other places (e.g. /usr/demos)
with yet more links. I couldn't obviously find any that pointed to something
as daft as /, but I did verify from another host on our network that it's
possible to download SoftWindows95 from the O2 web server!
My initial idea for this was to disable external WWW access for now, and
complete removal later. (We'd like it available to localhost (bugs and all)
for a while just to have some fun with the demos :-)) Then I realised that I
can't figure out how to disable it. There's the ACL stuff in
/usr/ns-home/httpacl which apparently claims that the default is to deny
anyone and allow localhost. I don't understand the file format though so I'm
unsure of why this isn't working. The SGI documentation on such things simply
refers me to ns-admin.
So, I started ns-admin and connected to localhost:81. What a pile of cack - it
just doesn't work! I can't get anything out of it other than the message "this
requires netscape version 2 or above". It's just as well really as it had a
default account of admin with no password. So now we haven't only got to be
wary of which passwordless accounts they create in /etc/passwd, but in other
places too. As for the version mismatch - I was using SGI's own web browser
supplied on the system, so I simply put that down to bug-ridden code.
The bugs continue from there. It's not only the WWW stuff. I have a problem
mounting NFS disks. I did my usual 'edit /etc/fstab' and cut and pasted my
standard lumps in there. "mount -vat nfs" verified that it worked. However
this isn't done on bootup. I haven't had time to see why yet, but I decided to
use the "official" way using the file system manager GUI. This simply told me
"The NFS subsystem is not installed on this machine". AGGHGH! If I get one
more stupid BUGGY error then it's going out the window.
I'm amazed by how SGI manage to "improve" upon their security holes with each
release. What's next - a GUI to solve those "forgotten root password" events?
Oh, sorry I forgot, they've already written that.
James
--
James Bonfield (jkb@mrc-lmb.cam.ac.uk) Tel: 01223 402499 Fax: 01223 213556
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.
Also see Staden Package WWW site at http://www.mrc-lmb.cam.ac.uk/pubseq/
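The symlink problem described in the post (links under the document root that resolve to places like /usr/demos, and so expose them through the web server) can be audited with a short walk of the docroot. This is an added example, not code from the post or from SGI; the /var/www/htdocs and /usr/demos layout it builds is a constructed fixture in a temporary directory, and it flags dangling links as well as links that escape the docroot.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(docroot):
    """Walk docroot without following links and return (link, target) pairs for
    every symlink whose resolved target lies outside docroot, or which dangles.
    A symlink whose target stays inside docroot is not reported."""
    root = Path(docroot).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            try:
                target = p.resolve(strict=True)
            except (OSError, RuntimeError):   # dangling link or symlink loop
                target = None
            if target is None or (root not in target.parents and target != root):
                findings.append((str(p), None if target is None else str(target)))
    return findings


def build_fixture():
    """Constructed layout mimicking the post: a docroot with one harmless link,
    one link escaping to a demos directory, and one dangling link."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "var" / "www" / "htdocs"
    demos = base / "usr" / "demos"
    docroot.mkdir(parents=True)
    demos.mkdir(parents=True)
    (docroot / "index.html").write_text("<html></html>\n")
    (demos / "bigfile.bin").write_bytes(b"\0" * 16)
    (docroot / "local.html").symlink_to(docroot / "index.html")  # stays inside
    (docroot / "demos").symlink_to(demos)                        # escapes docroot
    (docroot / "dangling").symlink_to(base / "missing")          # target absent
    return docroot


if __name__ == "__main__":
    # Audit a real server with: escaping_symlinks("/var/www/htdocs")
    for link, target in escaping_symlinks(str(build_fixture())):
        print(f"{link} -> {target or '(dangling)'}")
```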