From: Rene (l0omexcluded.org)
Date: Tue Jan 06 2004 - 01:33:09 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Lotus Notes Domino 6.0.2 (linux)
  
for the installation it is recommended to add a new
user like "notes". after this you should log in as
root install the services. well, after i have done
this i have noticed the following.
  
there are faulty default permissions for the
important configuration file
 /local/notesdata/notes.ini rw-rw-rw- notes notes
  
 ##############################################
 by the way
 /opt/lotus/LPSilent.ini rw-rw-rw- notes notes
  
 cat /opt/lotus/LPSilent.ini | grep REM
 REM This is the silent install ini configuration
file.
 REM Please do not modifiy this file unless you are
sure of what you are doing....
  
 pleeeeaaaase do not modifiy it :)
 ##############################################
  
 because we are able to modify the notes.ini which is
a very important
 configuration file , we are able to simply delte,
add or modify keys.
 here is a great list of all nice keys we could add
or modify
 http://www.drcc.com/A55711/ref/notesini.nsf
  
 we could modify the CleanupScirptPath to a binary in
our $HOME which could
 for example spawns a suid shell next time when its
executed.
  
 we could change the
 NotesProgram=/opt/lotus/notes/60020/linux
 to some directory in our $HOME which includes links
to the needed
 binarys to start the services in the ServerTask key.
Then we add a new
 ServerTask - lets say "Router". Notes will try to
find a binary in our
 faked directory called "router" which could spawn a
suid shell for us.
  
the notes services will start as the user
"notes" (this is recommended), which is able to view
sensetive files or start and stop the services...
 
me thinks the notes install routine should always
chmod such files automatic for security reasons.
  
by l0om
www.excluded.org

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]