fai-chboot

Thomas Neumann blacky+fai at fluffbunny.de
Tue Mar 9 19:07:38 CET 2010


hiya

> On Mon, 08 Mar 2010 18:08:12 +0100, Martin Schulte said:

>> Thomas told me, that the client calls 'fai-chboot' on the
>> install-server via ssh. [...] Where can i find the part of
>> the script, which handle this login?

> It's in lib/subroutines: task_chboot()

Is it just my imagination or is this routine an open invite for exploitation?

a) have/gain root-access on a client installed via fai
b) find out where the nfs-storage is
c) mount nfs-storage, gain access to private key
d) call fai-chboot for any host you (don't) like
e) wait for / force this host to reboot


I had a similar situation where I wanted to upload some file from a lot of
clients to a central host. After playing around a bit I found a nice way
to make sure a host can upload files only to a host-specific directory.
(And under no circumstances be able to overwrite other hosts' files.)
Maybe this helps making an attack / unfortunate mistake somewhat less
likely.


A different approach could be to write a little webscript which does
nothing else than wait for a request. If a request happens, then the
script does a sanity check against a list of "currently scheduled
installations". If the host making the request is found, update the
tftp-record for this server and remove it from the list. If not: ignore.

As it happens the implementation got scrapped due to time constraints. Our
low cost workaround resulted in
  - always boot host via pxe
  - a) fallthrough to local boot after a given timeout
  - b) someone with console access types "fai<return>", which results
       in an installation

Pro: Nothing bad can happen.
     (Console access is limited to a few trustworthy people.)
Contra: No completely unattended installation possible.


bye
thomas
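
The webscript idea described in the message above, as an added example in Python; it is not part of the original post and not FAI code. The per-client PXELINUX file named after the hex IPv4 address, the tftp directory, the BootSwitch class and the sample addresses are assumptions made for illustration.

```python
import os
import tempfile
import threading

# Assumed PXELINUX layout: one config file per client, named after the
# client's IPv4 address in upper-case hex (192.0.2.10 -> C000020A).
LOCALBOOT_CFG = "default local\nlabel local\n  localboot 0\n"

def pxe_name(ipv4):
    return "".join("%02X" % int(octet) for octet in ipv4.split("."))

class BootSwitch:
    """One-shot 'installation finished' handler, keyed by source address."""

    def __init__(self, tftp_dir, scheduled):
        self.tftp_dir = tftp_dir
        self.scheduled = set(scheduled)     # IPs with an install in progress
        self.lock = threading.Lock()

    def handle(self, peer_ip):
        # The host is identified by the connection's source address only;
        # nothing the client sends selects whose record is changed.
        with self.lock:
            if peer_ip not in self.scheduled:
                return False                # not scheduled: ignore
            self.scheduled.remove(peer_ip)  # a request is honoured once
        target = os.path.join(self.tftp_dir, pxe_name(peer_ip))
        fd, tmp = tempfile.mkstemp(dir=self.tftp_dir)
        with os.fdopen(fd, "w") as fh:
            fh.write(LOCALBOOT_CFG)
        os.chmod(tmp, 0o644)                # readable by the tftp daemon
        os.replace(tmp, target)             # atomic swap of the tftp record
        return True

def demo():
    # Constructed sample data: two scheduled clients, one unscheduled caller.
    with tempfile.TemporaryDirectory() as d:
        sw = BootSwitch(d, ["192.0.2.10", "192.0.2.11"])
        results = [sw.handle("192.0.2.10"),   # scheduled: record updated
                   sw.handle("192.0.2.10"),   # repeated request: ignored
                   sw.handle("192.0.2.99")]   # never scheduled: ignored
        return results, sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo())
```

With this shape a client holds no credential for the install server, and a request can only switch the caller's own record, once, while its installation is scheduled.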



