[sle-beta] UUDI not tested - Wrong Hostname updated --cleanup

Waite, Dick (External) Dick.Waite at softwareag.com
Tue Mar 13 00:11:04 MDT 2018


Last word and then I shut up...

You cannot update / write to a database / registry without any check that the caller is entitled to update / write that field. Even a Hostname check would be better than nothing. The --cleanup option will be forgotten at some time by someone and then that lowly clone is going to update the SCC of a valuable Mother or maybe even a queen.

If the customer has forgotten the --cleanup and left the hostname the same as mother then you have done your due diligence. I expect in this case it's a deliberate attack to cause the site issues.

That's it.....now I can sleep at night ;o)

__R
________________________________________
From: Hernán Schmidt [hschmidt at suse.de]
Sent: 12 March 2018 14:53
To: Waite, Dick (External); 'sle-beta at lists.suse.com'
Cc: 'Vincent Moutoussamy'; jsrain at suse.cz; Kay Tate; Christophe Le Dorze
Subject: Re: UUDI not tested - Wrong Hostname updated --cleanup

Hi Dick,

Thanks for the write up and the suggestion.

> Why not use the machine's UUID as the SCC USERNAME, then you are sure
> to be sure you're talking to who you think you are, well better than
> now.

Yes, that would be a good solution. Unfortunately, SUSEConnect needs to
work on a large variety of devices, and we found that a large portion
of devices do not provide a UUID. To keep things simple for all cases,
we decided to generate a system "login" which gets saved to the
filesystem (the SCCcredentials file).
For that reason it's necessary to call --cleanup on the cloned system,
or alternatively, call --cleanup on the original system before saving
the snapshot, so that all clones are "clean" already.

Best regards,
--
Hernán Schmidt
SUSE Customer Center

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)



