Solaris 7 and solaris 8 file permissions

[dispensa () MAVERICK MWIS NET (Steve Dispensa)]

Problem:

SOLARIS 7:

pa:/var/adm$ ls -ld spellhist
-rw-rw-rw-   1 bin      bin            0 Dec 15 07:28 spellhist
pa:/var/adm$ ls -ld vold.log
-rw-rw-rw-   1 root     root        3063 Jan 22 00:48 vold.log
pa:/var/adm$ uname -a
SunOS pa.hick.org 5.7 Generic sun4m sparc SUNW,SPARCstation-5
pa:/var/adm$ echo "Hmmm, neat, that's nice of SUN to let me write to these
files in /var/adm." >> spellhist
pa:/var/adm$ echo "Let's get rid of the vold.log, shall we?" > vold.log
pa:/var/adm$ cat spellhist
Hmmm, neat, that's nice of SUN to let me write to these files in /var/adm.
pa:/var/adm$ cat vold.log
Let's get rid of the vold.log, shall we?
pa:/var/adm$ id
uid=100(mmiller) gid=10(staff)
pa:/var/adm$

SOLARIS 8:

viper:/var/adm$ ls -ld spellhist
-rw-rw-rw-   1 root     bin            0 Jan 12 16:38 spellhist
viper:/var/adm$ id
uid=1003(mmiller) gid=10(staff)
viper:/var/adm$ uname -a
SunOS viper 5.8 Beta_Refresh i86pc i386 i86pc
viper:/var/adm$

Summary:

There are dangerous write permissions on logging files in Solaris 7 and
Solaris 8.  In Solaris 8, the issue with vold.log has been
corrected.  The spellhist file, however, still uses the same permissions as
Solaris 7 did.  Granted this issue wont result in a root
compromise it does allow for users to fill up the /var partition without
having root access.

(Yes, I know /var/tmp exists and would allow for the same thing.)

Solution:

Have SUN distributed Solaris 8 with the permissions fixed on the spellhist
file or rely on the administrators of the systems to fix the permissions
themselves.

Matt Miller
Afro Productions Cherry Blue Team
mmiller () expire net
http://www.afro-productions.com
by way of Steve Dispensa