Bugtraq mailing list archives
Re: Solaris patchadd(1) (3) symlink vulnerabilty
From: "Juergen P. Meier" <jpm () class de>
Date: Fri, 22 Dec 2000 17:47:33 +0100
On Thu, Dec 21, 2000 at 08:55:23AM -0500, Peter W wrote:
At 9:13am Dec 21, 2000, Paul Szabo wrote:Juergen P. Meier <jpm () class de> wrote:However: Sun Microsystems does recommend to only install patches at single-user mode (runlevel S). ... ... if you follow the Vendors recommendations, you are not vulnerable.The attacker can create the symlinks before you go single-user.What's the difference between taking a Unix box to single-user mode and asking an NT box to reboot? The former keeps that silly, precious 'uptime' intact so you don't lose your geek bragging rights. The reality is that going to single user mode means disabling the services that you set the box up to provide. Would anyone out there consider single-user mode time in their availability stats? Would you be happy if your outsourced server provider claimed 99.999% availability but only 99.8% was in full network / multiuser mode? I think not.
Well, the big differense between going single-user-mode and doing real reboot is the time it takes to do so. especially on really big servers (it takes tens of minutes just to reset a sun e4500 with tons of io and other stuff), while init S takes less than a minute. If every minute's worth money, you quickly learn to avoid reboots. Its not about uptime, its about downtime ;) Even 99.999% availability does allow for a few runlevelswitches a year, not to mention that it is very silly to talk availability without having redundance ;) With most big sun servers, 99.999% availability does not allow you to reboot it, since the downtime for a single reboot would break it.
Let's be serious about this: Sun seems to release patches at about the same rate as Microsoft does,[0] even if they're not as well publicized. Unix/Linux geeks enjoy ridiculing Windows' tendency to require reboots after installing hotfixes. Sun execs and marketing folks have joined in this game at times.[1]
Granted, most of these patches should be able to be applied in multiusermode, so what we do need is s Fix for patchadd (we already learned from a previous post that its not ksh's fault...) With a fixed patchadd, those patches (that do not include kerneldrivers or things like libc ;) should be no problem at all - again...
Now Sun is basically saying you have to reboot when installing a patch if you want to be safe,[2] all because they won't fix their shell interpreters. This is a bad joke, and Sun should be embarassed.
not really, they just say that they recommend it, but you may do wahtever you please.
I wonder if anyone has had luck replacing the Solaris shell interpreters with something like GNU or other GPL'ed versions, e.g., replacing the Bourne shell with the FSF's BASH shell?
replacing /bin/sh with anything else is a really bad idea, a whole lot of scripts _rely_ on the fact that /bin/sh (and /sbin/sh) is the good old dumb bourne shell. believe me, it will break a lot of things.
-Peter [0] Solaris 8 already has 196 patches according to the 16 Dec. report. [1] http://www.canada.cnet.com/news/0-1003-200-323305.html "Anything more aggressive than changing a file name requires a reboot in Windows," [Sun CEO Scott McNealy] quipped. [2] Yes, some patches require special care, but many do not. Many single patches (unlike cluster bundles) do not require reboots to take effect.
(ps: i find all those Vacation notices rather amusing, they show me that a lot of bugtraq-subscribers lack that particular sort of clue ;) happy hollidays, Juergen -- Juergen P. Meier email: jpm () class de
Current thread:
- Solaris patchadd(1) (3) symlink vulnerabilty Jonathan Fortin (Dec 18)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Matthew Potter (Dec 20)
- <Possible follow-ups>
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Paul Szabo (Dec 19)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Dan Harkless (Dec 20)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 20)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juan M. Courcoul (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Cy Schubert - ITSD Open Systems Group (Dec 22)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Paul Szabo (Dec 20)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Peter W (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 22)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juan M. Courcoul (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Paul Theodoropoulos (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Peter W (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Jonathan Fortin (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Neulinger, Nathan R. (Dec 21)