David Terrell writes (in part): > > [ presumably this holds true for the other unix clients as well, but > all I have is linux to test on ] It's true for the "newer" UNIX clients -- e.g., 3.0 for Solaris -- but not for older ones -- e.g., 2.6 for Solaris. > The Citrix Winframe linux client (used for accessing Winframe and > Windows NT Server Terminal Edition) has a simple configuration section. > Perhaps too simple.... All configuration information is stored in a > directory /usr/lib/ICAClient/config which is mode 777. This in and > of itself is bad news, since any user on the system can overwrite > configuration data. We have refused to install the Solaris 3.0 client for this reason and have opened a case with Citrix about this and other objectionable aspects (non-security ones). Those who have Citrix support contracts, the case number is 23117500, and you're welcome to join your complaints to ours. > The situation is actually much worse than that. > > When you start up the actual session manager (wfcmgr) you get a listbox > of configured sessions. The data for this listbox is stored in the mode > 777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single > config file shared between all users. A sample session profile follows: > > ... > > Yep. Passwords are stored in some kind of hash. What that hash > is doesn't > really matter since you can just bring up wfcmgr and log in as that user. It can be made not quite that easy. The administrative controls on the server end allow you to disable acceptance of any stored passwords. That has always been true, and we have always done that, no matter where the clients were designed to store passwords. Of course, that doesn't mean people can't try to store passwords -- it just means they won't be usable. > Terrible. Yes, the newer Citrix clients are most unlikable. > I tried mailing both supportat_private and securityat_private but > neither of these addresses exist. The best you can do without a support contract is post a complaint to their "forum," reachable via www.citrix.com. > Workaround? wfcmgr supports the -icaroot parameter, but you basically > need to copy all the files in for it to work. So duplicate the tree in > your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica. You may not need to duplicate all files. With older clients it's possible to duplicate only the files the user has to be able to change -- e.g., the three .ini files in .../config -- and use symbolic links to the rest. > Alternatively, don't use it. Also consider using the older clients and disabling the acceptance of the password at the server. Since the newer clients also seem to fall back to a ~/.ICAClient sub-directory, it might be possible to delete the world-accessible directories and files. I've been able to do that, but only with partial success. > Distressing that the company that was "bringing multiuser > concurrent logons > to Windows NT" makes such a little effort at understanding multiuser > security.... [further editorialization left to the reader] I believe Citrix tried to make it easier for people to generate their own configurations and didn't understand the security implications of what they were doing. It's too bad they so sadly compromised the secure use of their reasonably good product.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:47:35 PDT