VMware insecure file creation

If you are using the free VMware server on Linux, beware that the installer is creating files with insecure permissions, allowing any user to modify them.

I downloaded the latest VMware server (VMware-server-2.0.2-203138.i386) and followed the step-by-step installation script. After it was completed, OSSEC (always to the rescue) sent me a bunch of alerts about new insecure files:

File ‘/usr/lib/vmware/hostd/docroot/print.css’ is owned by root and has written permissions to anyone.
File ‘/usr/lib/vmware/hostd/docroot/client/clients.xml’ is owned by root and has written permissions to anyone.
File ‘/usr/lib/vmware/hostd/docroot/sdk/vim.wsdl’ is owned by root and has written permissions to anyone.
File ‘/usr/lib/vmware/hostd/docroot/sdk/vimService.wsdl’ is owned by root and has written permissions to anyone.
File ‘/usr/lib/vmware/hostd/docroot/sdk/vimServiceVersions.xml’ is owned by root and has written permissions to anyone.
File ‘/usr/lib/vmware/hostd/docroot/error-32x32.png’ is owned by root and has written permissions to anyone.

And these are just some of them. Everything under /usr/lib/vmware was created with 777 permissions (open for anyone to read and modify), including the vmware-server-distrib and other directories.

So, if you run VMware on a system where someone else has normal user access, you might want to “chmod -R o-rwx” on /usr/lib/vmware to avoid problems.

*Just verified on another system, with the same effect. Tried on Ubuntu 9.04 and CentOS 5.3.
*My umask is set properly as 0022.
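
To re-check a tree like /usr/lib/vmware after an install, the following is an added example (not part of the original post and not OSSEC's or VMware's code) that lists root-owned entries writable by "other" and clears only that bit. The function names are made up for this example, and removing just o-w is a narrower alternative to the “chmod -R o-rwx” above.

```shell
#!/bin/sh
# Added example: audit and fix world-writable entries under an install tree.
# Function names are hypothetical; file names containing newlines are not
# handled by the counter.

# list_world_writable DIR [UID]
# Print files and directories under DIR owned by UID (default 0, root) that
# grant write permission to "other". Symlinks are skipped: on Linux their
# mode bits are always 777 and say nothing about the target.
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -user "${2:-0}" -perm -0002 -print
}

# count_world_writable DIR [UID]
# Number of offending entries; 0 means the tree is clean.
count_world_writable() {
    list_world_writable "$1" "$2" | wc -l | tr -d ' '
}

# fix_world_writable DIR [UID]
# Remove only the other-write bit from the entries found above, leaving
# read and execute access for unprivileged users as installed.
fix_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -user "${2:-0}" -perm -0002 \
        -exec chmod o-w {} +
}

# Usage: sh audit.sh /usr/lib/vmware      (report only; run the fix as root)
if [ "$#" -gt 0 ]; then
    list_world_writable "$@"
fi
```

A non-zero count after running the fix means something is re-creating the files with open permissions, which is worth an alert of its own.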