Grid Software Vulnerability Group Security Advisory
--
Topic: File systems allow user access to system files.
--
Date: 2006-11-29, updated 2007-07-31, 2007-10-18, revised 2010-08-17
--
ID: Grid Vulnerability Savannah bug #20192
--
Background

There are various grid Data Management systems that allow users to store and access data files, such as CASTOR, dCache, DPM and StoRM.
--
Vulnerability Details

For some Data Management systems we are aware that system files can be downloaded by authorized users of those systems.
--
Updated 2007-10-18

For dCache, the latest version does not allow access to system files. The Grid Security Vulnerability Group is also recommending that sites still using the Classic SE migrate to DPM.
--
Updated 2010-08-17

Along with gLite 3.0, the Classic SE is no longer supported, but there are still a few of them on the EGI infrastructure. The latest DPM versions still give access to system files through the GridFTP and RFIO protocols. StoRM installations are also observed to allow such access. The latest CASTOR versions allow access to system files to be blocked, and some (not all) CASTOR sites have that functionality enabled.
--
Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group informs sites of this. We recommend that sites check the file protection on any sensitive system files, and where possible set these to not be world readable. The GSVG also recommends that Data Management system developers ensure that the systems do not allow users to download files except those that are managed by the Data Management system.
--
Component and Installation information

No patches are available.
--
Precautionary measures or checks

Consider whether or not it is possible to change the file protection on some of the more sensitive system files so that they are not world readable.
--
Other information

Although this was reported over 3 years ago, it is still an open issue.
--
Credit

This vulnerability was initially reported by Emidio Giorgio and Dario Russo.
--
Disclosure Timeline

Yyyy-mm-dd

2006-09-29 Vulnerability reported by Emidio Giorgio
2006-11-29 Initial response from the Grid Security Vulnerability Group
2007-07-31 Public disclosure of advisory as disclosure has been agreed, Target Date has passed, and still not fixed
2007-10-18 Advisory updated as GSVG recommends no longer using the classic SE and this has been fixed for dCache
2010-08-17 Advisory updated - CASTOR allows such accesses to be blocked, issue also affects StoRM systems
--
References

If applicable
==========================================================================
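
One way to carry out the file protection check recommended under "Precautionary measures or checks", as an added example that is not part of the original advisory or of any GSVG tooling. The function names are hypothetical, and the paths to audit are chosen by the site, since the advisory names no specific files.

```shell
#!/bin/sh
# Added example: report regular files that are world readable under the
# paths given as arguments. Which paths count as "sensitive" is a site
# decision (assumption: the caller supplies them).

# Print every regular file under the given paths with the "other read"
# permission bit set. Symbolic links are not followed, and -xdev keeps the
# search on the starting file system.
world_readable_files() {
    for path in "$@"; do
        [ -e "$path" ] || continue      # path not present on this host
        find "$path" -xdev -type f -perm -0004 -print 2>/dev/null
    done
}

# Return 0 when nothing under the given paths is world readable, 1 otherwise.
# Findings go to stderr so the function can be used from cron or a monitoring
# probe that only looks at the exit status.
audit_sensitive() {
    found=$(world_readable_files "$@")
    if [ -n "$found" ]; then
        printf 'world-readable files found:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh <path> [<path> ...]
if [ "$#" -gt 0 ]; then
    audit_sensitive "$@"
fi
```

Each reported file can then be reviewed and, where the owning service still works without it, tightened with `chmod o-r`.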