Bugtraq mailing list archives

Re: Solaris problems?


From: casper () fwi uva nl (Casper Dik)
Date: Sun, 31 Jul 1994 11:39:54 +0200


  Three Solaris-related things I'd like to ask the list-- and if
  you know, and are willing to share this info (key point here), please
  speak up.

1) /var/mail is world writable, but has a sticky bit to prevent
  people from removing other people's mailboxes.  Still, I
  can create mailboxes for users who don't have them (like smtp) ..
  will this pose a problem in the future?

This is less of a problem in Solaris 2.x than in SunOS 4.1.x.
The mail delivery agent isn't set-uid root.

Nevertheless, we create mailboxes for every user *and* make
sure the mailreaders don't delete them.

  I know that if sendmail had some sort of support for v7
  forwarding capabilities (i.e., /var/mail/smtp contains
  Forward to |/tmp/foosh, then mail to smtp runs /tmp/foosh
  as uid smtp, which just happens to be 0 on our systems)
  this would be an easy exploit.. but apparently sendmail
  8.6.9 doesn't hold to those kinds of conventions (thank gods)

This is not supported in SunOS 5.x.  SunOS 5.x uses sendmail and
not some other delivery mechanism.

2) it was recently pointed out to me that /dev/tcp and /dev/ip
  were mode 666; could this be a problem?  I thought maybe
  you could dump crap into them and it would possibly hose
  something.. or worse, you could just cat 'em and look
  at traffic.  While both of these are probably unlikely,
  does anyone know for certain?  And is it safe to chmod 600
  these?

/dev/tcp and /dev/ip and /dev/udp *must* all be mode 666.
These are clone devices (11 as devmajor) and are used to
create connection end points.

socket(AF_INET,SOCK_STREAM,IPPROTO_TCP) roughly translates to
``open("/dev/tcp",O_RDWR) ; ....''

Changing the mode on /dev/tcp, /dev/ip and /dev/udp is a quick way
of crippling your system (non-root can no longer use any form
of IP communication).

3) is solaris openwin code secure?  (yes or no, and if no, why..
  for those of us who just like to say things like "perhaps.")


What exactly do you mean by that?  It seems that the server is reasonably
secure (it even logs connection failures and will always use at least
magic cookie security).  The DPS extension doesn't allow (unless
overridden) file system operations.  Xterm is not set-uid root.

If there's one big problem with Solaris, it's the file system
modes (like 775 /etc and other directories/files).

Casper
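As an added example that is not part of the message above (Casper's text ends at his signature): a small audit script for the modes this reply says matter on a Solaris 2.x / SunOS 5.x box. It checks that /var/mail is a world-writable sticky directory, that the /dev/tcp, /dev/ip and /dev/udp clone devices are mode 666, and that /etc is not group-writable. It uses only ls -ld and awk so it can run on an old system, and assumes the POSIX ls -ld mode field layout (ten characters: type plus three rwx triples). The paths are the ones named in the thread; /etc/passwd and /usr/bin are extra paths I chose to illustrate the 775 point, and the PASS/FAIL reporting is my own convention.

```shell
#!/bin/sh
# Added example, not from the original post: audit the file modes the
# reply discusses. Expected modes are taken from the reply; the set of
# paths and the report format are assumptions of this example.

# mode_string PATH: print the 10-character mode field of ls -ld, or
# nothing if PATH does not exist. substr() drops a trailing '+' or '.'
# that some ls versions append for ACLs.
mode_string() {
    ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 1, 10) }'
}

# check_mail_spool DIR: succeed if DIR is a directory that is
# world-writable with the sticky bit set (drwxrwxrwt): users can create
# mailboxes but cannot remove each other's.
check_mail_spool() {
    case "$(mode_string "$1")" in
        d???????w[tT]) return 0 ;;
        *)             return 1 ;;
    esac
}

# check_clone_device DEV: succeed if DEV is mode 666 (rw-rw-rw-).
# Only the permission bits are checked, not the file type, so the
# function can also be exercised on an ordinary file. The reply says
# these clone devices *must* be 666: socket() is roughly
# open("/dev/tcp", O_RDWR), so chmod 600 takes IP away from non-root.
check_clone_device() {
    case "$(mode_string "$1")" in
        ?rw-rw-rw-) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_not_group_writable PATH: succeed unless the group write bit is
# set (the "775 /etc" problem). A missing path counts as a failure.
check_not_group_writable() {
    case "$(mode_string "$1")" in
        "")         return 1 ;;
        ?????w????) return 1 ;;
        *)          return 0 ;;
    esac
}

# report CHECK PATH EXPECTED: run CHECK on PATH, print one PASS/FAIL
# line, and return 1 on FAIL.
report() {
    if "$1" "$2"; then
        echo "PASS $2 ($3)"
    else
        echo "FAIL $2 should be $3, is '$(mode_string "$2")'"
        return 1
    fi
}

# audit: run every check and return the number of failures, so the
# script can be used from cron or a login hook.
audit() {
    failures=0
    report check_mail_spool /var/mail "drwxrwxrwt" || failures=$((failures + 1))
    for p in /dev/tcp /dev/ip /dev/udp; do
        report check_clone_device "$p" "mode 666" || failures=$((failures + 1))
    done
    for p in /etc /etc/passwd /usr/bin; do
        report check_not_group_writable "$p" "not group-writable" || failures=$((failures + 1))
    done
    return "$failures"
}

# Run the audit when invoked as a script; the if keeps a non-zero
# failure count from aborting a shell started with -e.
if audit; then
    echo "all modes as expected"
else
    echo "some modes differ from what the reply expects; see FAIL lines above"
fi
```

Run it as root or as an ordinary user; it only reads directory entries. On a system other than Solaris 2.x the /dev/tcp lines will report FAIL because the clone devices do not exist there, which is the intended behaviour for a missing path.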


