On Mon, 2011-11-21 at 15:44 +0100, Ondrej Valousek wrote:
> On 11/21/2011 02:55 PM, Stephen Gallagher wrote:
> > Granted, that's a bit of a contrived example, but as a rule I tend to
> > feel that data like this should be configured centrally, rather than
> > updated by clients. First rule of security: always assume your clients
> > are malicious.
> >
> I see. I needed this purely for auditing computers on the LAN - so no big
> danger of malicious clients.
> Even in your (indeed contrived) example, the malicious application could
> cause the machine to be disjoined from the AD/IPA domain or perform DoS
> attacks against the servers. Eventually:
> 1. Even if we agree that we will set it up once upon machine join, the
> malicious client can change it any time later. So no big difference
> here.

No, this is the entire point I was making. When you're joining the
machine, you're doing so with Administrator credentials, not machine
credentials. The privilege to change this value is not given to the
machine, so it cannot change it later.

> 2. Even Microsoft AD clients (AD member computers) do it this way, I
> believe.

I'm not in the business of making the same mistakes as Microsoft :)

> I think in all cases you have to (to some extent) either trust your
> clients to make damn sure that no user application can gain root
> privileges. Even such a well-perceived protocol as Kerberos cannot
> protect you against a malicious root application running on your
> desktop.

Right, exactly. That's why we don't allow the client to have the
privilege to make such changes. You need to somehow acquire
administrative privileges to change it instead. I'm not sure if AD
allows you this configuration (that's a separate discussion), but
trusting the client is inherently bad.

> So, with all respect, I do not take your arguments.

No offense taken.