[UNIX] Lotus Notes Domino Insecure Default Permissions
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org
Date: 7 Jan 2004 15:18:32 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Lotus Notes Domino Insecure Default Permissions
During installation of Lotus Notes Domino under a Linux operating system,
the installation program fails to set proper permissions on two critical
Lotus Notes files (notes.ini and LPSilent.ini).
* Lotus Notes Domino version 6.0.2 (Linux)
During the installation process, it is recommended to add a new user
(notes). After this, you should log in as root and install the services.
The installation process neglects to properly set the permission settings
of two sensitive files:
/local/notesdata/notes.ini rw-rw-rw- notes notes
/opt/lotus/LPSilent.ini rw-rw-rw- notes notes
LPSilent.ini is used by the silent installation program. If it is modified,
an attacker could cause the installation process to execute arbitrary
commands/files, install backdoors, etc.
notes.ini, like LPSilent.ini, is a very sensitive file. It contains a lot
of sensitive configuration information for the Lotus Notes server, and
modifying it will affect the behavior of the server. For a list of the
keywords that can be used inside the notes.ini file, with a description of
each, see: <http://www.drcc.com/A55711/ref/notesini.nsf>
We could modify the CleanupScriptPath to point to a binary in our $HOME,
which could, for example, spawn a suid shell the next time it is executed.
We could change NotesProgram=/opt/lotus/notes/60020/linux to some
directory in our $HOME which includes links to the binaries needed to
start the services in the ServerTask key.
We could add a new ServerTask - let's say "Router". Notes will try to find
a binary called "router" in our faked directory, which could spawn a suid
shell for us.
Also note that the Lotus Notes services start as the user "notes" (as
recommended), which is able to view sensitive files or start and stop the
The information has been provided by <mailto:email@example.com> Rene.
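
An added example, not part of the original advisory: a POSIX shell audit that flags group- or world-writable copies of the two files named above and checks the NotesProgram and CleanupScriptPath keys the advisory discusses. The expected program directory argument, the function names and the make_sample helper (which builds a constructed test fixture) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: permission audit for notes.ini and LPSilent.ini.

# Octal mode of a path; GNU stat first, BSD stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null; }

# True when group or other holds the write bit (mask 022).
loosely_writable() {
    m=$(file_mode "$1") || return 1
    [ $(( 0$m & 022 )) -ne 0 ]
}

# Value of KEY in an ini file; the key name is matched case-insensitively.
ini_value() {
    awk -v k="$2" '{ i = index($0, "=")
        if (i && tolower(substr($0, 1, i - 1)) == tolower(k)) {
            print substr($0, i + 1); exit } }' "$1"
}

# audit_domino NOTES_INI LPSILENT_INI EXPECTED_PROGRAM_DIR
# Prints one FINDING line per problem; exit status is the number of findings.
audit_domino() {
    n=0
    for f in "$1" "$2"; do
        if loosely_writable "$f"; then
            echo "FINDING: $f is mode $(file_mode "$f"); remove group/other write (chmod go-w)"
            n=$((n + 1))
        fi
    done
    prog=$(ini_value "$1" NotesProgram)
    if [ -n "$prog" ] && [ "$prog" != "$3" ]; then
        echo "FINDING: NotesProgram=$prog differs from expected $3"; n=$((n + 1))
    fi
    script=$(ini_value "$1" CleanupScriptPath)
    if [ -n "$script" ] && loosely_writable "$script"; then
        echo "FINDING: CleanupScriptPath target $script is group/world writable"; n=$((n + 1))
    fi
    return $n
}

# Constructed sample: recreates the advisory's rw-rw-rw- state inside directory $1.
make_sample() {
    printf 'NotesProgram=/opt/lotus/notes/60020/linux\n' > "$1/notes.ini"
    : > "$1/LPSilent.ini"
    chmod 666 "$1/notes.ini" "$1/LPSilent.ini"
}
```

On a real host the call would be `audit_domino /local/notesdata/notes.ini /opt/lotus/LPSilent.ini /opt/lotus/notes/60020/linux`, using the paths listed in the advisory.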