Bugtraq mailing list archives
Re: /dev/openprom problems - Solaris 1 or Solaris 2
From: strombrg () hydra acs uci edu (Dan Stromberg)
Date: Sun, 26 May 1996 11:08:31 -0700
On Fri, 24 May 1996, Matthew Harding wrote:
> Note that this is a registered bugid with Sun (1222940) but it is marked closed with no patch. Why? Because Sun's solution for SunOS 4.1.x is to remove permissions from /dev/openprom for unprivileged users, without actually fixing the problem. No comment on this approach to "security"...
1) 1.x is dead. They'd be shooting themselves in the foot to fix this kind of problem in 1.x.

2) The problem is infinitesimal in 2.x. (see #5, below)

3) If you chmod the file under 1.x, treat as #2, above.

4) One might argue that they should issue a patch for 1.x, consisting of nothing more than a README that says "chmod 640 /dev/openprom". I don't see this as being of huge benefit, however. With this one, if you know the bug exists, you know how to make it a non-issue also.

5) It makes vastly more sense for Sun (or any other OS development team) to spend time on new features, instead of fixing "problems" where privileged users "can" crash their own machines (/oh boy! I get to crash a machine I'm responsible for!/). Consider: dd if=/dev/zero of=/dev/dsk/c0t3d0s1. This is a generally bad thing to do, but I sure don't want _any_ vendor to waste time disallowing dd'ing to certain partitions. (If someone tries out that dd command, I'm not responsible for the results.)

It's helpful to fish around for bugs, no matter what their significance, but it is more helpful if one also maintains a sense of where these bugs fit into the overall picture, which is: setting up operating systems that allow users to get things done. This should include minimizing boobytraps waiting for sysadmins, which result in downtime for users - but even that doesn't really apply in this case.

BTW, I just added a "chmod 640 /dev/openprom" to our SunOS 4.1.x autoinstall environment. Any new 4.1.4 boxes we set up (very few), will have this fixed automatically.
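The mitigation discussed in this thread is a one-line chmod, but the check a sysadmin actually wants in an autoinstall or audit script is "which device nodes are still reachable by other, and is the fix already applied". The following is an added example, not code from Dan Stromberg's message or from Sun; it assumes only POSIX ls, cut and chmod, applies the mode 640 the message suggests, and the function names (perm_string, world_accessible, restrict_device, audit_devices) and any device paths passed on the command line are my own choices for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit device nodes for any read or
# write access by "other" and, where found, apply the mode 640 the message
# above suggests for /dev/openprom on SunOS 4.1.x. Assumes POSIX ls, cut
# and chmod only; the paths given on the command line are assumptions.

# Permission string of a path ("crw-r--r--"), or failure if it does not exist.
perm_string() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | cut -c1-10
}

# Succeeds when the "other" class (columns 8 and 9 of ls -l) has read or
# write access. Execute is ignored: it is meaningless on a device node.
world_accessible() {
    perms=$(perm_string "$1") || return 1
    case "$perms" in
        ???????r??|????????w?) return 0 ;;
    esac
    return 1
}

# Restrict a node to owner rw, group r (640) if "other" can reach it, and
# print the resulting permission string. Idempotent: a node already closed
# to "other" is left exactly as it is.
restrict_device() {
    if world_accessible "$1"; then
        chmod 640 "$1" || return 1
    fi
    perm_string "$1"
}

# Report every argument that is still world-accessible; exit 1 if any is.
# Usage: audit_devices /dev/openprom ...
audit_devices() {
    rc=0
    for dev in "$@"; do
        if world_accessible "$dev"; then
            printf '%s %s: accessible to other\n' "$(perm_string "$dev")" "$dev"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: audit the nodes given on the command line; with -f, fix them.
if [ "$1" = "-f" ]; then
    shift
    for dev in "$@"; do restrict_device "$dev"; done
else
    audit_devices "$@"
fi
```

Run as `sh audit.sh /dev/openprom` from cron to report, or `sh audit.sh -f /dev/openprom` from the install environment to enforce; the audit form exits non-zero when anything is still open so it can gate a build. Parsing the first field of `ls -l` rather than `stat` keeps the script portable across SunOS-era and modern systems, since the flag layout of `stat` differs between GNU and BSD while the ten-character mode string does not.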
Current thread:
- Re: Denial of Service Attacks INFO, (continued)
- Re: Denial of Service Attacks INFO Doug Hughes (May 22)
- Re: Denial of Service Attacks INFO Fred Cohen (May 22)
- Re: Denial of Service Attacks INFO Tim Newsham (May 22)
- Re: Denial of Service Attacks INFO Jonny Llama (May 22)
- Re: Denial of Service Attacks INFO Matthew Harding (May 23)
- Re: Denial of Service Attacks INFO Fred Cohen (May 23)
- /dev/openprom problems - Solaris 1 or Solaris 2 Matthew Harding (May 24)
- Possible bug in solaris2.4 ? Tequila System Admin (May 24)
- Re: Possible bug in solaris2.4 ? Dave Barr (May 24)
- Re: /dev/openprom problems - Solaris 1 or Solaris 2 Jamie (May 25)
- Re: /dev/openprom problems - Solaris 1 or Solaris 2 Dan Stromberg (May 26)
- Is _your_ Netscape under remote control martinh () mailhost emap co uk (May 24)
- Re: Is _your_ Netscape under remote control Chris Burris (May 24)
- CIAC Bulletin G-25: SUN statd Program Vulnerability David Crawford (May 24)
- Re: Is _your_ Netscape under remote control Phillip Wherry (May 24)
- Re: Is _your_ Netscape under remote control Dave Taylor (May 23)
- Re: Is _your_ Netscape under remote control Darrell Fuhriman (May 24)
- Re: Is _your_ Netscape under remote control Dave Horsfall (May 25)
- Re: Is _your_ Netscape under remote control Wolfgang Ley (May 27)
- Re: Is _your_ Netscape under remote control Sven Neuhaus (May 24)
- Re: Is _your_ Netscape under remote control Roger Espel Llima (May 24)