Bugtraq mailing list archives
Re: Globetrotter FlexLM 'lmdown' bogosity
From: nneul () UMR EDU (Nathan Neulinger)
Date: Mon, 28 Sep 1998 08:11:52 -0500
I should have sent this in my first reply, but all you need to do is add the "-x lmdown" and "-x lmremove" options to the command line when you start lmgrd. That disables the feature. -- Nathan On Sun, Sep 27, 1998 at 11:33:32AM -0700, Kemasa wrote:
From: Valdis.Kletnieks () VT EDU ... Well, here's an oldie but goodie, which we first saw at least 3 years ago. Lo and behold, it's apparently STILL broken. Sorry, no vendor notification - we told them 3 years ago. ;) FlexLM 'lmdown' command will chow your license server from anywhere on the Internet - all you need is a copy of the license file. The authentication appears to be "Well, you appear to be root on the machine that you typed 'lmdown' on".Have you looked at the switch options for lmgrd? If you had you would find that there is an option to limit the ability to take down the license daemons to a specific group, which basically stops what you are talking about. I think it is also possible to completely ignore a lmdown command since it would be possible to try all possible group ids. It is a bit of a problem that they set it up that way by default and since you need not run it as root, you should change the owner to something else, change the options and a clean up the way the log files work. You DO have the option of changing the functionality though, so you really can't blame them for your not looking at the man pages on the program. Kemasa.
------------------------------------------------------------ Nathan Neulinger EMail: nneul () umr edu University of Missouri - Rolla Phone: (573) 341-4841 Computing Services Fax: (573) 341-4216
Current thread:
- Globetrotter FlexLM 'lmdown' bogosity Valdis.Kletnieks () VT EDU (Sep 25)
- Re: Globetrotter FlexLM 'lmdown' bogosity Nathan Neulinger (Sep 25)
- Root exploit for SCO OpenServer. Leshka (Sep 26)
- <Possible follow-ups>
- Re: Globetrotter FlexLM 'lmdown' bogosity Kemasa (Sep 27)
- Re: Globetrotter FlexLM 'lmdown' bogosity Nathan Neulinger (Sep 28)