134 lines
5.5 KiB
Plaintext
134 lines
5.5 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
- -----------------------------------------------------------------------------
|
|
CA-93:03 CERT Advisory
|
|
February 3, 1993
|
|
SunOS File/Directory Permissions
|
|
- -----------------------------------------------------------------------------
|
|
|
|
The default permissions on a number of files and directories in SunOS
|
|
4.1, 4.1.1, 4.1.2, and 4.1.3 are set incorrectly. These problems are
|
|
relevant for the sun3, sun3x, sun4, sun4c, and sun4m architectures.
|
|
They have been fixed in SunOS 5.0. (Note that SunOS 5.0 is the operating
|
|
system included in the Solaris 2.0 software distribution.)
|
|
|
|
An updated patch to reset these permissions is available from Sun.
|
|
CERT has seen an increasing number of attackers exploit these problems
|
|
on systems and we encourage sites to consider installing this patch.
|
|
|
|
- -----------------------------------------------------------------------------
|
|
|
|
I. Description
|
|
|
|
File permissions on numerous files were set incorrectly in the
|
|
distribution tape of 4.1.x. A typical example is that a file which
|
|
should have been owned by "root" was set to be owned by "bin".
|
|
|
|
Not all sites will need or want to install the patch for this problem.
|
|
The decision of what user id should own most system files and
|
|
directories depends on the administrative practices of the site.
|
|
It is quite reasonable to run a system where the majority
|
|
of files are owned by "bin" as long as the entire system is run in
|
|
a manner consistent with that practice. As distributed, the SunOS
|
|
configuration expects most system files to be owned by "root".
|
|
The fact that some are not creates security problems.
|
|
|
|
Therefore, sites that are running the SunOS versions listed above
|
|
as distributed should install the patch described below.
|
|
Sites that have made an informed choice to configure their system
|
|
differently may instead want to review the patch script and
|
|
consider which, if any, of the changes should be made on their system.
|
|
|
|
II. Impact
|
|
|
|
Depending on the specific configuration of the local site,
|
|
the default permissions may allow local users to gain "root" access.
|
|
|
|
III. Solution
|
|
|
|
1) Sun has provided a script to reset file and directory permissions
|
|
to their correct values. The script is available in Sun's
|
|
Patch #100103 version 11. This patch can be obtained via
|
|
local Sun Answer Centers worldwide as well as through
|
|
anonymous FTP from the ftp.uu.net (137.39.1.9) system
|
|
in the /systems/sun/sun-dist directory.
|
|
|
|
Patch ID Filename Checksum
|
|
100103-11 100103-11.tar.Z 19847 6
|
|
|
|
Please note that Sun Microsystems sometimes updates patch files.
|
|
If you find that the checksum is different please contact
|
|
Sun Microsystems or CERT for verification.
|
|
|
|
2) Uncompress the file, extract the contents of the tar archive,
|
|
and review the README file.
|
|
|
|
% uncompress 100103-11.tar.Z
|
|
% tar xfv 100103-11.tar
|
|
% cat README
|
|
|
|
3) This patch will reset the group ownership of certain files to
|
|
either "staff" or "bin". Make sure you have entries in
|
|
the "/etc/group" file for these accounts.
|
|
|
|
% grep '^staff:' /etc/group
|
|
% grep '^bin:' /etc/group
|
|
|
|
If you do not have both of these you will need to either add the
|
|
missing account(s) or modify the patch script (4.1secure.sh)
|
|
to reflect group ownerships appropriate for your site.
|
|
(Note that the security problems are fixed by the ownerships and
|
|
mode bits specified in the patch - not by the group ownerships.
|
|
Therefore, changing the group ownerships does not invalidate
|
|
the patch.)
|
|
|
|
4) As "root", run the patch script.
|
|
|
|
# sh 4.1secure.sh
|
|
|
|
This patch fixes Sun BugId's 1046817, 1047044, 1048142, 1054480,
|
|
1037153, 1039292, and 1042662.
|
|
|
|
5) The patch script will set "/usr/kvm/crash" to mode 02700 owned
|
|
by "root". While this is not insecure, since only "root" can run
|
|
the program, CERT recommends that the setgid bit be removed to
|
|
prevent abuse if world execute permission were to be added
|
|
some time later.
|
|
|
|
As "root", make "/usr/kvm/crash" not a set-group-id program.
|
|
|
|
# chmod 755 /usr/kvm/crash
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
If you believe that your system has been compromised, contact the CERT
|
|
Coordination Center or your representative in FIRST (Forum of Incident
|
|
Response and Security Teams).
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 (24-hour hotline)
|
|
CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
|
|
on call for emergencies during other hours.
|
|
|
|
CERT Coordination Center
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Past advisories, information about FIRST representatives, and other
|
|
information related to computer security are available for anonymous FTP
|
|
from cert.org (192.88.209.5).
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMxIHVP+x0t4w7BAQE9mAP9GvBbaHTdAsxx6WJYXukBnpjK4OlD0nan
|
|
y6ZGLhAl0x/DBwIlXqmvDMUjWD+HHxpDrz0/u4aHENcS1ut/dyqXdctmvXL3m2Ms
|
|
NRq7kdKj5ovmVjAkbmvx15WgR2F15kDVAlW7DppLNGVmOid9IT11whtRono88sHX
|
|
iZC81A3Yweo=
|
|
=FKSh
|
|
-----END PGP SIGNATURE-----
|
|
|