IC5Notice: We have upgraded developerWorks Community to the latest version of IBM Connections. For more information, read our upgrade FAQ.
Topic
  • 7 replies
  • Latest Post - ‏2013-06-07T09:54:38Z by GKellner
Cleardoctor
Cleardoctor
20 Posts

Pinned topic users are hacking the clearcase pvob?

‏2013-05-17T01:20:44Z |

Any users can hack the vob using the following command. Is there anyway we can prevent users to use the following command?

cleartool unregister -vob -uuid c8b329ed.60814357.9806.26:55:85:75:e2:bf

 

  • Dave-Robinson
    Dave-Robinson
    116 Posts

    Re: users are hacking the clearcase pvob?

    ‏2013-05-17T02:29:33Z  

    Why would anyone want to do that?

    Unlike tags, you cannot protect register / unregister by the registry password - there is an RFE but I have not heard of it getting implemented.

    What you CAN do is check the ALBD log on the registry server and find out who did it, and sack  discipline them !!

    M:\djr_default\myperl>cleartool unregister -vob -uuid eee791f8.946d44fc.9045.b3:4e:ab:5e:3c:2a
    M:\djr_default\myperl>cleartool getlog -last 1 albd
    =============================================================================
    Log Name: albd                  Hostname: ccrgysvr Date: 2013-05-17T12:17:51+10:00
    Selection: Last 1 lines of log displayed
    -----------------------------------------------------------------------------
    2013-05-17T12:17:34+10:00 albd_server(3472): 197608.197121@clienthost17 removed: -entry=vob_object;-hostname=ccvobsvr;-local_path=C:\ClearCase_Storage\VOBs\DJR_pvob.vbs;-vob_replica=eee791f8.946d44fc.9045.b3:4e:ab:5e:3c:2a;-vob_family=ebbd36e5.96b14ca9.876f.3a:b0:b2:d4:e5:c3;-attributes=sumvob;
    =============================================================================
    M:\djr_default\myperl> ...\etc\utils\creds -u 197608

    ClearCase user info:
        Name: ...
        UID:  0x303e8 SID credentials: ...
        Primary group: ...
        GID:  0x30201 SID credentials: ...
        Home:

  • omalecot
    omalecot
    344 Posts

    Re: users are hacking the clearcase pvob?

    ‏2013-05-17T22:16:27Z  

    This is just terrible, but IBM will not do anything about it.

    Olivier

     

     

     

  • brcowan
    brcowan
    727 Posts

    Re: users are hacking the clearcase pvob?

    ‏2013-05-24T20:50:58Z  

    Unfortunately, it's a non-trivial operation to change such a core protocol (registering and unregistering vobs and views).

    At this point, David's suggestion is probably the best option, but there is the possibility that the users in question don't know that something is running on their machines to unregister VOBs. Enough people leave their desktops unlocked when they leave their desks that there could easily be a "window" that allows someone to get into (for example) the windows "scheduled job" control panel and add something that fires at user login/logout.

    This is more akin to a DOS attack then major "hacking." Not that there is effectively much difference. Your best bet to stop this is to check out the albd log as David described.

  • omalecot
    omalecot
    344 Posts

    Re: users are hacking the clearcase pvob?

    ‏2013-05-25T21:50:14Z  

    Hi Brian,

    Vob tag is controled with registry password, but this is nonsense because vob storage registration is not controled ! ct+rmview is controlled with view ownership, but this is nonsense because view tag is not controled, and view storage registration is not controled. This is just not consistent - and not secured.

    Why should it be so difficult to change the software in order to add enough security to the registry management ? I don't think this is so difficult. ClearCase is an expensive tool, and IBM should answer this kind of need for security.  Security should also be added in order to get a real control on the management of regions.

    There was not any real modification in the registry management since twenty years. The fact is : with just a simple account, anybody can remove anything from registry - don't you think that twenty years are not enough to correct this?

    Please imagine a build taking 10 hours, imagine that someone removes the vob registration after 9 hours of build, knowing that this is the new software version, that it has to be installed and presented to the customer tomorrow? What will the company managers think of the ClearCase tool, that is not able to protect the build process when the company activity is so critical?

    In my opinion, many issues like this should have been solved since a long time. Look, for example, after twenty years, ClearCase is still not able to filer identical versions for directories.

    Regards
    Olivier

  • GKellner
    GKellner
    259 Posts

    Re: users are hacking the clearcase pvob?

    ‏2013-05-27T10:01:22Z  

    Where is the problem?

    cleartool register -vob will "recreate" the VOB.

    No data loss, no data corruption.

    greetings georg.

  • Dave-Robinson
    Dave-Robinson
    116 Posts

    Re: users are hacking the clearcase pvob?

    ‏2013-06-06T04:29:05Z  

    In response to Georg,

    The problem is in the time lost with VOBs inaccessible while determining what the problem is, and that "cleartool register" is the simple fix.

     

    More generally to thread participants,

    The RFE community and live forums at conferences like Innovate are the channels by which to let Product Management know how important this is to you.

    Here are 3 RFEs that have been raised in the past about security of the registry.

    http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=4754

    http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=2086

    http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=1814
     

     

  • GKellner
    GKellner
    259 Posts

    Re: users are hacking the clearcase pvob?

    ‏2013-06-07T09:54:38Z  

    In response to Georg,

    The problem is in the time lost with VOBs inaccessible while determining what the problem is, and that "cleartool register" is the simple fix.

     

    More generally to thread participants,

    The RFE community and live forums at conferences like Innovate are the channels by which to let Product Management know how important this is to you.

    Here are 3 RFEs that have been raised in the past about security of the registry.

    http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=4754

    http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=2086

    http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=1814
     

     

    Hi Dave,

    I'm CC admin for ten years, having a site with 1.500 users and 600 VOBs.
    We never had an issue with a VOB unregistered by an user.

    So it seems to me as this is a theoretical problem.

     

    greetings georg.