X-RDate: Thu, 22 Jan 1998 12:37:17 +0500 (ESK)
Date: Mon, 12 Jan 1998 15:56:18 -0800
From: CPIO Advisory Role Account <[email protected]>
To: [email protected]Subject: BoS: CPSN 9:971208: Solaris /var Permission Problems
**************** CPIO Security Notice ****************
Issue Number 9: 971208
Topic: Solaris /var Permission problems
Platforms: Solaris 2.5.1, 2.6 / SPARC; possibly 2.5.
Severity: Common Sense Caution
**** http://www.darpanet.net ****
Both Solaris 2.5.1 and Solaris 2.6 leave remarkably exploitable
permissions on files and directories in /var after a default install.
After patch installs, many of these highly insecure permissions still
exist. Others may have noticed this behaviour, but no one at CPIO has
yet seen it summarized or published. As a result, few administrators
seem to be aware of this problem. There are public-domain scripts
that fix at least some of the permissions in question.
Careful examination of both operating systems (running find(1) :) )
on sun4c, sun4m, and sun4u platforms yielded the following results.
Solaris for x86 platforms may be similarly affected. After checking
all machines with the same set of commands, we have found the
following permission problems with these files:
Solaris 2.5.1:
/var/adm/vold.log (mode 666, root:root)
/var/adm/spellhist (mode 666, bin:bin)
/var/adm/messages (mode 666, root:other) NOTE: this is the
first set of permissions on this
file. newsyslog fixes this during
the archive process.
/var/adm/log/asppp.log (mode 666, root:root)
/var/news (directory, mode 777, bin:bin)
/var/log/syslog (mode 666, root:other) On initial install,
this is 664, but when rolled over,
becomes 666. Patch 104613 fixes this.
/var/log/sysidconf.log (mode 777, root:other)
/var/sadm/install/.pkg.lock (mode 666, root:root)
/var/spool/lp/fifos/FIFO (mode 666, lp:lp)
/var/lp/logs/lpsched (mode 666, root:root)
/var/lp/logs/lpNet (mode 666, root:root)
/var/preserve (directory, mode 777, bin:bin)
/var/spool/pkg (directory, mode 777, bin:bin)
Solaris 2.6:
/var/adm/vold.log (mode 666, root:root)
/var/adm/spellhist (mode 666, bin:bin)
/var/log/sysidconf.log (mode 777, root:other)
/var/saf/_log (mode 666, root:root)
/var/dmi/db/1l.comp (mode 666, root:root)
/var/dmi/db/1l.tbl (mode 666, root:root)
/var/snmp/snmpdx.st (mode 666, root:root)
/var/snmp/snmpdx.st.old (mode 666, root:root)
PATCHES AND FIXES
Some patches fix some problems-- patch 104613 fixes the
/var/log/syslog problem on 2.5.1.
In addition, Casper Dik has a program called "fix-modes" which is
available from ftp://ftp.wins.uva.nl/pub/solaris/
This fixes many of the descrepancies detailed here.
CREDITS
Contributed by Gale Pedowitz. Jonathan Katz compiled the final bad
permissions lists.
Gale Pedowitz <[email protected]>
Jonathan Katz <[email protected]>
Date: Tue, 13 Jan 1998 12:43:06 -0700
Reply-To: [email protected]
Sender: avalon
>From: Randy Mikesell <[email protected]>
Subject: Re: Correction: CPSN 9:971208: Solaris /var Permission Problems
X-To: MATTHEW POTTER <[email protected]>
To: [email protected]
In-Reply-To: <[email protected]>
Approved: [email protected]
X-Originally-To: To: [email protected]
X-Originated-From: From: CPIO Advisory Role Account <[email protected]>
Be careful on what you suggest. The last I heard, even Sun does not
recommend that you run ASET in high. I know of more than one box that
was trashed because the SA set ASET to high. It is a long and painfull
process to restore the system after ASET is finished with it. It may be
better to keep up on the patches and run scripts or other tools to keep
track of the permissions.
Randy Mikesell
DMCO Mid-Tier ISSO
[email protected]
801-777-3282 ext. 3203 DSN 777
On 13-Jan-98 MATTHEW POTTER wrote:
> Hi,
>
> This affects 2.3, 2.4, and 2.5 , 2.5.1, 2.6 SPARC and x86(NOT JUST
> 2.5(1) and 2.6 SPARC), any user can fill var(stopping local logging,
> causing all kinds of problems etc..) or put a rogue package in
> /var/spool/pkg then the admin unsuspectingly just does a pkgadd and
> dosent verify his or her packages, this can lead to root compromise, I
> think this bug is widley known. Run ASET(SUNWast) at the highest
> level, this is good procedure for any solaris box before it goes on a
> network as well as running fixmodes. ASET helps permissions from
> drifting to a lower privlage level(it seems in solaris if you dont run
> any type of perm changing program permissions seem to get progressivly
> worse over time). As well as patching 2.5.1 and prior, for the
> /usr/lib/newsyslog bug (the script sets modes 666 after rotating the
> logs! prior to 2.6) bug so when cron rotates logs the new logs get set
> up properly! It's weird Sun has let this go this long,mabey it's a
> compatiblity issue(?), though mine are strict and I have had no
> problems with the permissions.
>
> Regards,
>
> Matthew R. Potter
>
>
>______________________________ Reply Separator
>_________________________________
>Subject: CPSN 9:971208: Solaris /var Permission Problems
>Author: CPIO Advisory Role Account <[email protected]> at Internet
>Date: 1/12/98 3:56 PM
>
>
> **************** CPIO Security Notice ****************
> Issue Number 9: 971208
> Topic: Solaris /var Permission problems
> Platforms: Solaris 2.5.1, 2.6 / SPARC; possibly 2.5.
> Severity: Common Sense Caution
> **** http://www.darpanet.net ****
