Bugtraq mailing list archives
Re: Solaris patchadd(1) (3) symlink vulnerabilty
From: Peter W <peterw () USA NET>
Date: Thu, 21 Dec 2000 08:55:23 -0500
At 9:13am Dec 21, 2000, Paul Szabo wrote:
Juergen P. Meier <jpm () class de> wrote:
However: Sun Microsystems does recommend to only install patches at single-user mode (runlevel S). ... ... if you follow the Vendors recommendations, you are not vulnerable.The attacker can create the symlinks before you go single-user.
What's the difference between taking a Unix box to single-user mode and asking an NT box to reboot? The former keeps that silly, precious 'uptime' intact so you don't lose your geek bragging rights. The reality is that going to single user mode means disabling the services that you set the box up to provide. Would anyone out there consider single-user mode time in their availability stats? Would you be happy if your outsourced server provider claimed 99.999% availability but only 99.8% was in full network / multiuser mode? I think not. Let's be serious about this: Sun seems to release patches at about the same rate as Microsoft does,[0] even if they're not as well publicized. Unix/Linux geeks enjoy ridiculing Windows' tendency to require reboots after installing hotfixes. Sun execs and marketing folks have joined in this game at times.[1] Now Sun is basically saying you have to reboot when installing a patch if you want to be safe,[2] all because they won't fix their shell interpreters. This is a bad joke, and Sun should be embarassed. I wonder if anyone has had luck replacing the Solaris shell interpreters with something like GNU or other GPL'ed versions, e.g., replacing the Bourne shell with the FSF's BASH shell? -Peter [0] Solaris 8 already has 196 patches according to the 16 Dec. report. [1] http://www.canada.cnet.com/news/0-1003-200-323305.html "Anything more aggressive than changing a file name requires a reboot in Windows," [Sun CEO Scott McNealy] quipped. [2] Yes, some patches require special care, but many do not. Many single patches (unlike cluster bundles) do not require reboots to take effect.
Current thread:
- Solaris patchadd(1) (3) symlink vulnerabilty Jonathan Fortin (Dec 18)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Matthew Potter (Dec 20)
- <Possible follow-ups>
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Paul Szabo (Dec 19)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Dan Harkless (Dec 20)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 20)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juan M. Courcoul (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Cy Schubert - ITSD Open Systems Group (Dec 22)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Paul Szabo (Dec 20)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Peter W (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 22)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juan M. Courcoul (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Paul Theodoropoulos (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Peter W (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Jonathan Fortin (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Neulinger, Nathan R. (Dec 21)