COMMAND

    Citrix Winframe

SYSTEMS AFFECTED

    Citrix Winframe client 3.x for Linux, Solaris

PROBLEM

    David Terrell found following. Presumably this holds true for  the
    other unix clients as well, but it was tested only on linux.   The
    Citrix  Winframe  linux  client  (used  for accessing Winframe and
    Windows NT  Server Terminal  Edition) has  a simple  configuration
    section.  Perhaps too simple....  All configuration information is
    stored in a directory /usr/lib/ICAClient/config which is mode 777.
    This in and of  itself is bad news,  since any user on  the system
    can overwrite configuration data.  The situation is actually  much
    worse than that.

    When you start  up the actual  session manager (wfcmgr)  you get a
    listbox of  configured sessions.   The data  for this  listbox  is
    stored in the mode 777 file  /usr/lib/ICAClient/config/appsrv.ini.
    So  there's  a  single  config  file  shared between all users.  A
    sample session profile follows:

        [WFClient]
        Version=1

        [ApplicationServers]
        broken=

        [broken]
        WinStationDriver=ICA 3.0
        TransportDriver=TCP/IP
        DesiredColor=2
        Password=0006f6c601930785
        Domain=NTDOM
        Username=user
        Address=hostname

    Yep.  Passwords are stored in  some kind of hash.  What  that hash
    is doesn't really  matter since you  can just bring  up wfcmgr and
    log in as that user.  Terrible.

    This all said it's true for the "newer" UNIX clients -- e.g.,  3.0
    for Solaris -- but  not for older ones  -- e.g., 2.6 for  Solaris.
    On the  newest version  (3.0.15) of  the ICA  Client for Linux and
    found some differences.   The /usr/lib/ICAClient dir  is now  mode
    755  which  is  good,  but  it  keeps  each  users  appsrv.ini  in
    ~/.ICAClient now, which is mode 755 too, so still anyone can  read
    the file.

    While  we're  on  the   matter  Andy  Polyakov  added   following.
    Background.  ICA client lets  you "mount" any UNIX directory  as a
    drive within any particular WinFrame/MetaFrame session.   Problem.
    Files created by Windows on such client-mapped drive appear to  be
    world-writable.  umask  doesn't  have  no  effect.  Tracing system
    calls made by the client reveals that all newly created files  are
    scrupulously chmoded  to 777.   Both 2.x  and 3.x  clients exhibit
    this behaviour.   No, it  doesn't mean  a compromise,  but one may
    find  it  totally  inappropriate  when  such  important   security
    description as access permissions on newly created files is  taken
    behind your back.



SOLUTION

    Workaround?   wfcmgr  supports  the  -icaroot  parameter,  but you
    basically  need  to  copy  all  the  files  in for it to work.  So
    duplicate the tree in your home directory, fix permissions, and do

        wfcmgr -icaroot $HOME/.ica

    You may not need to duplicate all files.  With older clients  it's
    possible to duplicate only  the files the user  has to be able  to
    change --  e.g., the  three .ini  files in  .../config --  and use
    symbolic links to the rest. Also consider using the older  clients
    and disabling the acceptance of the password at the server.  Since
    the  newer  clients  also  seem  to  fall  back  to a ~/.ICAClient
    sub-directory, it might be possible to delete the world-accessible
    directories and files (partial  success in test).   Alternatively,
    don't use it.

    Workaround for  Andy's problem  (for platforms  supporting dynamic
    linking) should  be following.   Compile following  "module" as  a
    shared object and make run-time linker preload it (e.g. by setting
    LD_PRELOAD       on       Linux       and       Solaris        and
    _RLD_LIST=${ICAROOT}/chmod.so:DEFAULT on IRIX).

        int chmod(){return 0;}

    Side effects. If you have version  3.x and a user runs the  client
    for the  very first  time, initial  config files  are copied  from
    ${ICAROOT}/config and they (files) inherit 444 access permissions.
    To  workaround  this  chmod  u+w  ${ICAROOT}/config/*  (files   in
    ${ICAROOT}/config are owner by root anyway).