Grid Security Vulnerability Group - Advisory

Topic: dCache runs as root
Date: 2010-07-22
ID: Grid Vulnerability Savannah bug #45212

Background

dCache is one of the Mass Storage systems commonly used in EGEE production environments [1].

Vulnerability Details

dCache runs as root. While this is not exploitable in itself, the potential impact of other vulnerabilities, if any, would be reduced when the services run under less-privileged accounts.

Grid Security Vulnerability Group Response

While this matter has not been formally assessed, it is preferable that middleware does not run as root, if possible.

Component and Installation information

The version of dCache released on 2010-07-21 as part of gLite 3.2 patch 15 still runs as root. Versions of dCache which do not necessarily run as root are available, but not yet as part of gLite. For more information on dCache see [1].

Precautionary measures or checks

Sites should be aware of this.

Other information

Versions of dCache which do not necessarily run as root are available, but not yet as part of gLite. For more information on dCache see [1].

Credit

This vulnerability was initially discussed by Kostas Georgiou and reported to GSVG by Stephen Burke.

Disclosure Timeline

Yyyy-mm-dd
2006        Vulnerability reported after discussion on some mailing lists
2008-12-10  Vulnerability separated from multiple issue vulnerability 14923 on request of the developers.
2010-07-22  Advisory drafted to clarify the current situation and status
2010-07-22  Public disclosure

References

[1] dCache home page: http://www.dcache.org/index.shtml

==========================================================================
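
A check that sites can use for the precautionary measure above, as an added example that is not part of the original advisory or of dCache: it filters a process listing for entries with effective UID 0 whose command line contains a pattern. The ps field list (Linux procps), the default pattern "dcache", and all sample paths and PIDs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report processes that run with effective UID 0 and whose
# command line contains a given string (case-insensitive).
#
# Live use on Linux (procps ps), taking the snapshot before the filter starts
# so the filter does not list itself:
#   snap=$(ps -eo euid=,pid=,args=); printf '%s\n' "$snap" | root_procs dcache
# The pattern "dcache" is an assumption about how the services appear in the
# process table; adjust it to the local installation.

root_procs() {
    # $1    : string searched for in the command line (default: dcache)
    # stdin : lines of "<euid> <pid> <args...>"
    # stdout: "<pid> <args...>" for every root-owned match
    # status: 0 if at least one match was found, 1 otherwise
    awk -v pat="${1:-dcache}" '
        BEGIN { pat = tolower(pat) }
        $1 == 0 {
            args = $0
            # Drop the euid and pid columns, keep the full command line.
            sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "", args)
            if (index(tolower(args), pat)) { print $2, args; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample input (not real output from any site):
# two root-owned matches, one match under an unprivileged UID, one unrelated.
SAMPLE='    0  2101 /opt/example/dcache/bin/pool-service --config /etc/example.conf
  498  2230 /opt/example/dcache/bin/door-service --config /etc/example.conf
    0  2300 /usr/bin/java -jar /opt/example/dCache/admin.jar
    0     1 /sbin/init'

# Demonstration on the constructed sample: lists PIDs 2101 and 2300.
printf '%s\n' "$SAMPLE" | root_procs dcache
```

A non-zero exit status means no root-owned process matched, which makes the function usable in a cron job or monitoring probe after an upgrade to a version that can run unprivileged.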