82 lines
3.0 KiB
Plaintext
82 lines
3.0 KiB
Plaintext
|
|
||
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
||
|
|
|
||
|
|
|
||
|
|
CA-89:02
|
||
|
|
CERT Advisory
|
||
|
|
July 26, 1989
|
||
|
|
Sun Restore Hole
|
||
|
|
- -----------------------------------------------------------------------------
|
||
|
|
|
||
|
|
A security hole has been found in SunOS restore. This problem affects
|
||
|
|
SunOS 4.0, 4.0.1, and 4.0.3 systems. It does not appear in SunOS 3.5.
|
||
|
|
The problem occurs because restore is setuid to root. Without going
|
||
|
|
into details, is sufficient to say that this is a serious hole. All
|
||
|
|
SunOS 4.0 installations should install this workaround. Note that a
|
||
|
|
user does need to have an existing account to exploit this hole.
|
||
|
|
|
||
|
|
There are two workarounds that will fix the problem. The first is
|
||
|
|
slightly more secure but has some side-effects.
|
||
|
|
|
||
|
|
1) Make restore non-setuid by becoming root and doing a
|
||
|
|
chmod 750 /usr/etc/restore
|
||
|
|
|
||
|
|
This makes restore non-setuid and unreadable and unexecutable by
|
||
|
|
ordinary users.
|
||
|
|
|
||
|
|
Making restore non-setuid affects the restore command using a remote
|
||
|
|
tape drive. You will no longer be able to run a restore from another
|
||
|
|
machine as an ordinary user; instead, you'll have be root to do so.
|
||
|
|
(The reason for this is that the remote tape drive daemon on the
|
||
|
|
machine with the tape drive expects a request on a TCP privileged
|
||
|
|
port. Under SunOS, you can't get a privileged port unless you are
|
||
|
|
root. By making restore non-setuid, when you run restore and request
|
||
|
|
a remote tape drive, restore won't be able to get a privileged port,
|
||
|
|
so the remote tape drive daemon won't talk to it.)
|
||
|
|
|
||
|
|
2) If you do need to have some users run restore from remote tape
|
||
|
|
drives without being root, you can use the following workaround.
|
||
|
|
|
||
|
|
cd /usr/etc
|
||
|
|
chgrp operator restore
|
||
|
|
chmod 4550 restore
|
||
|
|
|
||
|
|
This allows the use of restore by some trusted group. In this case,
|
||
|
|
we used the group 'operator', but you may substitute any other group
|
||
|
|
that you trust with access to the tape drive. Thus, restore is still
|
||
|
|
setuid and vulnerable, but only to the people in the trusted group.
|
||
|
|
|
||
|
|
The 4550 makes restore readable and executable by the group you
|
||
|
|
specified, and unreadable by everyone else.
|
||
|
|
|
||
|
|
Sun knows about this problem (Sun Bug 1019265) and will put in a more
|
||
|
|
permanent fix in a future release of SunOS.
|
||
|
|
|
||
|
|
- -----------------------------------------------------------------------------
|
||
|
|
|
||
|
|
Computer Emergency Response Team (CERT)
|
||
|
|
Software Engineering Institute
|
||
|
|
Carnegie Mellon University
|
||
|
|
Pittsburgh, PA 15213-3890
|
||
|
|
|
||
|
|
Internet: cert@cert.org
|
||
|
|
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
|
||
|
|
7:30a.m.-6:00p.m. EST, on call for
|
||
|
|
emergencies other hours.
|
||
|
|
|
||
|
|
Past advisories and other information are available for anonymous ftp
|
||
|
|
from cert.org (192.88.209.5).
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
-----BEGIN PGP SIGNATURE-----
|
||
|
|
Version: 2.6.2
|
||
|
|
|
||
|
|
iQCVAwUBMaMwZXVP+x0t4w7BAQGiaQQA1ib9IUEtKhe0/tslUMaw+CQBGN0kug/o
|
||
|
|
RQva7hQdmFc9qMbqdozTBWl1HAnRXdwhw0fiKAplgq9ZVDcx1DYrc33tcRZLV/2E
|
||
|
|
qeALCmoo8iuGayqW3UKSAURLida++YmIIpslrAn7+AD7rOylXaFWGQ4aV92mkxSe
|
||
|
|
Mj5mk4aT0tQ=
|
||
|
|
=zc0n
|
||
|
|
-----END PGP SIGNATURE-----
|
||
|
|
|