Date: Sat, 22 Jan 2000 13:52:21 -0600
From: Steve Dispensa <[email protected]>
To: [email protected]Subject: Solaris 7 and solaris 8 file permissions
Problem:
SOLARIS 7:
pa:/var/adm$ ls -ld spellhist
-rw-rw-rw- 1 bin bin 0 Dec 15 07:28 spellhist
pa:/var/adm$ ls -ld vold.log
-rw-rw-rw- 1 root root 3063 Jan 22 00:48 vold.log
pa:/var/adm$ uname -a
SunOS pa.hick.org 5.7 Generic sun4m sparc SUNW,SPARCstation-5
pa:/var/adm$ echo "Hmmm, neat, that's nice of SUN to let me write to these
files in /var/adm." >> spellhist
pa:/var/adm$ echo "Let's get rid of the vold.log, shall we?" > vold.log
pa:/var/adm$ cat spellhist
Hmmm, neat, that's nice of SUN to let me write to these files in /var/adm.
pa:/var/adm$ cat vold.log
Let's get rid of the vold.log, shall we?
pa:/var/adm$ id
uid=100(mmiller) gid=10(staff)
pa:/var/adm$
SOLARIS 8:
viper:/var/adm$ ls -ld spellhist
-rw-rw-rw- 1 root bin 0 Jan 12 16:38 spellhist
viper:/var/adm$ id
uid=1003(mmiller) gid=10(staff)
viper:/var/adm$ uname -a
SunOS viper 5.8 Beta_Refresh i86pc i386 i86pc
viper:/var/adm$
Summary:
There are dangerous write permissions on logging files in Solaris 7 and
Solaris 8. In Solaris 8, the issue with vold.log has been
corrected. The spellhist file, however, still uses the same permissions as
Solaris 7 did. Granted this issue wont result in a root
compromise it does allow for users to fill up the /var partition without
having root access.
(Yes, I know /var/tmp exists and would allow for the same thing.)
Solution:
Have SUN distributed Solaris 8 with the permissions fixed on the spellhist
file or rely on the administrators of the systems to fix the permissions
themselves.
Matt Miller
Afro Productions Cherry Blue Team
[email protected]http://www.afro-productions.com
by way of Steve Dispensa
