Bugtraq mailing list archives
CPSN 9:971208: Solaris /var Permission Problems
From: advisory () CORINNE CPIO ORG (CPIO Advisory Role Account)
Date: Mon, 12 Jan 1998 15:56:18 -0800
**************** CPIO Security Notice **************** Issue Number 9: 971208 Topic: Solaris /var Permission problems Platforms: Solaris 2.5.1, 2.6 / SPARC; possibly 2.5. Severity: Common Sense Caution **** http://www.darpanet.net **** Both Solaris 2.5.1 and Solaris 2.6 leave remarkably exploitable permissions on files and directories in /var after a default install. After patch installs, many of these highly insecure permissions still exist. Others may have noticed this behaviour, but no one at CPIO has yet seen it summarized or published. As a result, few administrators seem to be aware of this problem. There are public-domain scripts that fix at least some of the permissions in question. Careful examination of both operating systems (running find(1) :) ) on sun4c, sun4m, and sun4u platforms yielded the following results. Solaris for x86 platforms may be similarly affected. After checking all machines with the same set of commands, we have found the following permission problems with these files: Solaris 2.5.1: /var/adm/vold.log (mode 666, root:root) /var/adm/spellhist (mode 666, bin:bin) /var/adm/messages (mode 666, root:other) NOTE: this is the first set of permissions on this file. newsyslog fixes this during the archive process. /var/adm/log/asppp.log (mode 666, root:root) /var/news (directory, mode 777, bin:bin) /var/log/syslog (mode 666, root:other) On initial install, this is 664, but when rolled over, becomes 666. Patch 104613 fixes this. /var/log/sysidconf.log (mode 777, root:other) /var/sadm/install/.pkg.lock (mode 666, root:root) /var/spool/lp/fifos/FIFO (mode 666, lp:lp) /var/lp/logs/lpsched (mode 666, root:root) /var/lp/logs/lpNet (mode 666, root:root) /var/preserve (directory, mode 777, bin:bin) /var/spool/pkg (directory, mode 777, bin:bin) Solaris 2.6: /var/adm/vold.log (mode 666, root:root) /var/adm/spellhist (mode 666, bin:bin) /var/log/sysidconf.log (mode 777, root:other) /var/saf/_log (mode 666, root:root) /var/dmi/db/1l.comp (mode 666, root:root) /var/dmi/db/1l.tbl (mode 666, root:root) /var/snmp/snmpdx.st (mode 666, root:root) /var/snmp/snmpdx.st.old (mode 666, root:root) PATCHES AND FIXES Some patches fix some problems-- patch 104613 fixes the /var/log/syslog problem on 2.5.1. In addition, Casper Dik has a program called "fix-modes" which is available from ftp://ftp.wins.uva.nl/pub/solaris/ This fixes many of the descrepancies detailed here. CREDITS Contributed by Gale Pedowitz. Jonathan Katz compiled the final bad permissions lists. Gale Pedowitz <gale () cpio org> Jonathan Katz <jkatz () cpio org>
Current thread:
- KSR[T] Advisory #6: deliver, (continued)
- KSR[T] Advisory #6: deliver KSR[T] (Jan 12)
- Re: KSR[T] Advisory #6: deliver Chip Salzenberg (Jan 12)
- hole in sudo for MP-RAS. osiris () COURIER CB LUCENT COM (Jan 12)
- Re: hole in sudo for MP-RAS. Cy Schubert - ITSD Open Systems Group (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 12)
- Re: hole in sudo for MP-RAS. Cy Schubert - ITSD Open Systems Group (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 13)
- Re: hole in sudo for MP-RAS. dsiebert () ICAEN UIOWA EDU (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 12)
- KSR[T] Advisory #6: deliver KSR[T] (Jan 12)
- CPSN 9:971208: Solaris /var Permission Problems CPIO Advisory Role Account (Jan 12)