Bugtraq mailing list archives

Re: IBM WebSphere on UNIX security alert !


From: Christer Palm <palm () nogui se>
Date: Thu, 13 Dec 2001 21:37:22 +0100

Tunkelo Heikki (extern) wrote:

> On default installation WebSphere installs itself to run with
> root-identity, and stores the root password as clear text in the file
> $WASROOT/properties/sas.server.props. The file has permissions 600,
> and therefore other users on the system cannot access it.

This is not correct. The password (and user ID) stored in sas.server.props is in fact _NOT_ the system root password, but the user ID and password chosen at installation time for the Administration Server security.

However, I have seen far too many installations using 'root' and whatever the system root password is here. A related issue is using the instance owner ('db2inst1' by default in DB2) as the user ID to access the database. The security conscious should of course create separate non-privileged user identities for those. On the other hand, it's not surprising that people make these mistakes given the (IMHO) extremely poor documentation.

Whether or not it is wise to have WebSphere Application Server run as root is another issue that has been discussed ever since the release of WebSphere Application Server 3.x a few years ago (WebSphere Application Server 2.x used to run as 'nobody'), so that is really old news.

Unfortunately some functionality is lost when you run WebSphere Application Server under a non-privileged user ID. One can also discuss whether an installation tweaked to run under a non-privileged user ID is an IBM-supported configuration, and whether such a configuration is still potentially vulnerable.

IMHO, IBM should change it to run under a non-privileged ID by default.

--
Christer Palm
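As an added example (not part of the original post or of IBM's product), the following POSIX shell script audits a sas.server.props-style file for the two problems raised in this thread: a file mode looser than 600, and a privileged identity ('root' or the DB2 instance owner 'db2inst1') configured as the Administration Server or database user ID. The property names com.ibm.CORBA.loginUserid and com.ibm.CORBA.loginPassword are assumed for illustration; the sample file is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added audit example, not from the original post. Checks a WebSphere
# sas.server.props-style file for weak permissions and a privileged
# user ID. Property names are assumed; the sample file is constructed.

# Build a constructed sample file (deliberately misconfigured) and print its path.
make_sample_props() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
# constructed sample, not a real installation
com.ibm.CORBA.securityEnabled=true
com.ibm.CORBA.loginUserid=root
com.ibm.CORBA.loginPassword=example-only
EOF
    chmod 644 "$f"
    printf '%s\n' "$f"
}

# Print the value of key $2 from the key=value properties file $1.
prop_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Print one FINDING line per problem. Returns 0 if clean, 1 otherwise.
audit_sas_props() {
    file=$1
    findings=0

    # Permission check: only the owner should be able to read the file.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "FINDING: $file mode is $mode, expected 600"; findings=1 ;;
    esac

    # Identity check: the admin-server / DB user ID should be a dedicated,
    # non-privileged account, not root or the DB2 instance owner.
    user=$(prop_value "$file" com.ibm.CORBA.loginUserid)
    case "$user" in
        root|db2inst1)
            echo "FINDING: privileged user ID '$user' configured"
            findings=1 ;;
    esac

    # The password is stored in clear text by design, so the file mode and
    # a dedicated account are what limit the blast radius if it leaks.
    if [ -n "$(prop_value "$file" com.ibm.CORBA.loginPassword)" ]; then
        echo "NOTE: clear-text password present; keep mode 600 and use a dedicated account"
    fi
    return $findings
}

# Stand-alone run against the constructed sample.
sample=$(make_sample_props)
audit_sas_props "$sample"
rm -f "$sample"
```

Run it against a real installation with `audit_sas_props "$WASROOT/properties/sas.server.props"`; a non-zero exit means at least one finding was printed.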
