Bugtraq mailing list archives

Re: Solaris patchadd(1) (3) symlink vulnerabilty

From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert () uumail gov bc ca>
Date: Thu, 21 Dec 2000 17:16:40 -0800

In message <3A4194BD.916CC630 () campus qro itesm mx>, "Juan M. Courcoul"
writes:

"Juergen P. Meier" wrote:
...


However: Sun Microsystems does recommend to only install
patches at single-user mode (runlevel S). So no other
possibly malicious user can exploit this ksh behaviour.


True single-user mode, meaning the state of the machine after it starts with
a
'boot -s' is, indeed, the safest state in which to apply patches, especially
those that have systemwide consequences. However, application patches can be
cautiously applied, like Sun recommends, "with the system with a minimum of
activity".

...


Always do init S before applying solaris patches. (especially
if you do kernel or devicedriver patches, check your readme's).


Unless you are running a recent (>= Solaris 7) version, I would emphatically
recommend that you shut the machine down, start it with a 'boot -s', and then
apply your recommended patches in THIS single-user mode. My experience with
previous versions (we've been running Solaris hosts since 2.3) is that 'init
S'
does not garantee that all multiuser processes get killed, since not all of
these have the corresponding Kxxx shutdown scripts in the appropiate rcX.d
directory. Sure, users do get booted out, but the processes continue running
happily, so you can still find yourself in a pickle.


One thing I used to do when I installed patches myself was to copy the
system disk to another disk, mounted on /foobar.  Then chroot to
/foobar while in multi-user state and install patches there and boot
from the /foobar disk, because installpatch -R did not work for a
period of time.  As I've delegated patch installation, I suspect that
patchadd should be able to handle this as well.  Make sure that
/foobar's permissions are 700 or better yet make sure that foobar is
mounted under a directory who's permissions are 700.

This has the added benefit a simple backout procedure if you need to
back out a set of patches quickly.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert () osg gov bc ca
Open Systems Group, ITSD, ISTA
Province of BC

Current thread:

Solaris patchadd(1) (3) symlink vulnerabilty Jonathan Fortin (Dec 18)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Matthew Potter (Dec 20)
- <Possible follow-ups>
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Paul Szabo (Dec 19)
  - Re: Solaris patchadd(1) (3) symlink vulnerabilty Dan Harkless (Dec 20)
  - Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 20)
    - Re: Solaris patchadd(1) (3) symlink vulnerabilty Juan M. Courcoul (Dec 21)
    - Re: Solaris patchadd(1) (3) symlink vulnerabilty Cy Schubert - ITSD Open Systems Group (Dec 22)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Paul Szabo (Dec 20)
  - Re: Solaris patchadd(1) (3) symlink vulnerabilty Peter W (Dec 21)
    - Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 22)
  - Re: Solaris patchadd(1) (3) symlink vulnerabilty Juan M. Courcoul (Dec 21)
  - Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 21)
    - Re: Solaris patchadd(1) (3) symlink vulnerabilty Paul Theodoropoulos (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Jonathan Fortin (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Neulinger, Nathan R. (Dec 21)