Bugtraq mailing list archives
Re: Solaris problems?
From: casper () fwi uva nl (Casper Dik)
Date: Sun, 31 Jul 1994 11:39:54 +0200
Three solaris-related things I'd like to ask the list-- and if you know, and are willing to share this info (key point here), please speak up. 1) /var/mail is world writable, but has a sticky bit to prevent people from removing other people's mailboxes. Still, I can create mailboxes for users who don't have them (like smtp) .. will this pose a problem in the future?
This is less of a problem in Solaris 2.x than in SunoS 4.1.x. The mail delivery agent isn't set-uid root. Nevertheless, we create mailboxes for every user *and* make sure the mailreaders don't delete them.
I know that if sendmail had some sort of support for v7 forwarding capabilties (ie; /var/mail/smtp contains Forward to |/tmp/foosh, then mail to smtp runs /tmp/foosh as uid smtp, which just happens to be 0 on our systems) this would be an easy exploit.. but apparently sendmail 8.6.9 doesn't hold to those kind of conventions (thank gods)
This is not supported in SunOS 5.x. SunOS 5.x uses sendmail and not some otehr delivery mechanism.
2) it was recently pointed out to me that /dev/tcp and /dev/ip were mode 666; could this be a problem? I thought maybe you could dump crap into them and it would possibly hose something.. or worse, you could just cat 'em and look at traffic. While both of these are probabally unlikely, does anyone know for certain? And is it safe to chmod 600 these?
/dev/tcp and /dev/ip and /dev/udp *must* all be mode 666. These are clone devices (11 as devmajor) and are used to create connection end points. socket(AF_INET,SOCK_STREAM,IPPROTO_TCP) roughly translates to ``open("/dev/tcp",O_RDWR) ; ....'' Changing the mode on /dev/tcp, /dev/ip and /dev/udp is a quick way of crippling your system (non-root can no longer use any form of IP communication)
3) is solaris openwin code secure? (yes or no, and if no, why.. for those of us who just like to say things like "perhaps.")
What exactly do you mean by that? It seems that the server is reasonably secure (it even logs connection failures and will always use atleast magic cookie security). The DPS extension doesn't allow (unless overriden) file system operations. Xterm is not set-uid root. If there's one big problem with Solaris, it's the file system modes (like 775 /etc and otehr directories/files), Casper
Current thread:
- Re: Bad Advise, (continued)
- Re: Bad Advise Christopher Klaus (Jul 26)
- Re: Bad Advise Timothy Newsham (Jul 27)
- -froot??? (AIX rlogin bug) Eric Wedaa (Jul 29)
- Re: -froot??? (AIX rlogin bug) Aaron Eppert (Jul 29)
- Re: -froot??? (AIX rlogin bug) Mark G. Scheuern (Jul 30)
- Re: -froot??? (AIX rlogin bug) Alexander Haiut (Jul 30)
- Re: -froot??? (AIX rlogin bug) Baba Z Buehler (Jul 30)
- Solaris problems? James W. Abendschan (Jul 29)
- Re: Solaris problems? Steve Davis (Jul 30)
- Re: Solaris problems? jsz (Jul 30)
- Re: Solaris problems? Casper Dik (Jul 31)
- Re: coredumps on setuid programs. Andrew Beckett (Jul 25)