000030174 - AM 8.1 SP1 SuSE Linux useradd on VM creates . <dot> relative path vulnerability

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000030174
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: SecurID Appliance
RSA Version/Condition: 8.1.0, 8.1 SP1
Platform: SuSE Linux
Platform (Other): This is in reference to the RSA SecurID appliance directly.
 
Issue: The customer's policy called for the vulnerability scan tool to use its own operating system account or service account in Linux, instead of the RSA AM default OS account created during VM deployment. When the customer used the useradd command in Linux to create this service account, the same account was then flagged with the "unix-dot-entries-in-root-path" vulnerability:
  login as: rsaadmin 
  rsaadmin@am8p:~> sudo su - 
  rsaadmin's password: 
  am8p:~ # useradd baduser 
  am8p:~ # su - baduser 
  su: warning: cannot change directory to /home/baduser: No such file or directory 
  baduser@am8p:/root> echo $PATH 
  /usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games:/usr/lib/mit/bin:/usr/lib/mit/sbin:. 
 
Cause: The useradd utility in the VM version of SuSE Linux 11 in Authentication Manager 8.1 SP1 places the . <dot> relative path in the PATH of the service account.
Resolution: Remove the . <dot> relative path from this user service account by editing the SuSE configuration file /etc/sysconfig/suseconfig. Locate the parameter CWD_IN_USER_PATH,
then change
    CWD_IN_USER_PATH="yes"
to 
    CWD_IN_USER_PATH="no"
This will be evaluated by /etc/profile.d/profile.sh so that the . <dot> will no longer be added to PATH when any OS user logs in, even users already created with useradd. 
The rsaadmin operating system account created during VM deployment does not have this . <dot> relative path.
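The two checks in this resolution can be scripted for an audit. The following is an added example, not RSA's code: it reads CWD_IN_USER_PATH from a sysconfig-style file and tests a PATH string for a current-directory entry. It goes slightly beyond the article by also treating an empty PATH entry (leading, trailing or doubled colon) as the current directory, which is how shells interpret it; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit helpers for the "." PATH entry.

# Return 0 if a PATH string contains an entry that resolves to the current
# directory: a literal "." or an empty entry (leading, trailing or doubled ":").
path_has_cwd_entry() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the effective CWD_IN_USER_PATH value from a sysconfig-style file:
# last uncommented assignment wins; quotes, blanks and trailing comments dropped.
cwd_in_user_path_setting() {
    grep -E '^[[:space:]]*CWD_IN_USER_PATH=' "$1" | tail -n 1 |
        cut -d= -f2- | cut -d'#' -f1 | tr -d "\"' \t"
}

# Run both checks; returns 0 only when neither finding is present.
audit_cwd_in_path() {   # $1 = sysconfig file, $2 = PATH string to check
    rc=0
    if [ "$(cwd_in_user_path_setting "$1")" = "yes" ]; then
        echo "FINDING: CWD_IN_USER_PATH=yes in $1"; rc=1
    fi
    if path_has_cwd_entry "$2"; then
        echo "FINDING: current-directory entry in PATH: $2"; rc=1
    fi
    return "$rc"
}

# Constructed sample input: a stand-in for /etc/sysconfig/suseconfig and the
# PATH value shown in the article's terminal session.
sample_cfg=$(mktemp)
printf '%s\n' '# constructed sample' 'CWD_IN_USER_PATH="yes"' > "$sample_cfg"
sample_path='/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games:/usr/lib/mit/bin:/usr/lib/mit/sbin:.'
audit_cwd_in_path "$sample_cfg" "$sample_path" || echo "result: not clean"
rm -f "$sample_cfg"
```

On a live system, pass /etc/sysconfig/suseconfig and the PATH of a fresh login shell for the account under review.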
Workaround: Use the operating system account created during VM deployment (i.e., rsaadmin).
This is not something that is explained or supported with the Authentication Manager software, as RSA assumes there will be just one operating system account that was created at deployment and which does not have the . in the path.
Notes: We did not see this behavior in the Dell Appliance Authentication Manager 8.1 SP1 SuSE Linux version of useradd.
Note: Using useradd to modify the Authentication Manager software is not supported, has not been tested and may have unintended results, as seen by the default behavior which creates a vulnerability.
