Re: Solaris problems?

[jsz () ramon bgu ac il (jsz)]

> Three solaris-related things I'd like to ask the list-- and if
> you know, and are willing to share this info (key point here), please
> speak up.
>
> 1) /var/mail is world writable, but has a sticky bit to prevent
>    people from removing other people's mailboxes.  Still, I
>    can create mailboxes for users who don't have them (like smtp) ..
>    will this pose a problem in the future?
>
>    I know that if sendmail had some sort of support for v7 
>    forwarding capabilties (ie; /var/mail/smtp contains
>    Forward to |/tmp/foosh, then mail to smtp runs /tmp/foosh
>    as uid smtp, which just happens to be 0 on our systems)
>    this would be an easy exploit.. but apparently sendmail
>    8.6.9 doesn't hold to those kind of conventions (thank gods)
>
> 2) it was recently pointed out to me that /dev/tcp and /dev/ip
>    were mode 666; could this be a problem?  I thought maybe
>    you could dump crap into them and it would possibly hose
>    something.. or worse, you could just cat 'em and look
>    at traffic.  While both of these are probabally unlikely,
>    does anyone know for certain?  And is it safe to chmod 600
>    these?


You can relate both to "permission problems" under Solaris, looking carefully
over the filesystem, you could find out that SMI ships Solaris 2.X with /etc
directory writeable for "sys" group, which shouldn't be. 
So if you become root, bin, adm, or sys (or any other user with sys privileges)
you can easily modify an /etc/passwd & shadow and become root.

crash(1) allows you to snoop through kmem too (inherited from SunOS)


---Me.