Bugtraq mailing list archives

Various Solaris 2.3 file permission problems


From: fstuart () vetmed auburn edu (Frank Stuart)
Date: Tue, 3 Jan 1995 10:09:13 -0600


Various Solaris 2.3 file permission problems

  Impact:  1. Users with access to your system can become any user who
              uses SUNWdxlib, including privileged ones.

           2. _Possibly_, any user with access to your NIS+ servers can
              change NIS+ information, including passwd.org_dir and
              cred.org_dir (I haven't confirmed this).

           3. Any random luser can partially change your hostname.

           4. It _may_ be possible for users with access to NFS clients to
              interfere with NFS mounted filesystems (I haven't confirmed
              this).

           5. Various log files are untrustworthy as they can be edited by
              any user on the system.

 Problems: 1. As distributed, /opt/SUNWdxlib contains many _world_ writeable
              files, including executables.  A trojan may be inserted into
              an executable by any user allowing them access to the accounts
              of anyone executing it.

           2. By default, /var/nis/{hostname}.dict is _world_ writeable.
              "man -s4 nisfiles" says "This file is a dictionary that is
              used by the NIS+ database to locate its files."  A quick look
              at it will show things like "/var/nis/{hostname}/passwd.org_dir".
              By changing this to, say, "/tmp/{hostname}/passwd.org_dir", it
              _may_ be possible to replace the NIS+ password (or any arbitrary)
              map with a bogus one (I haven't confirmed this).  There are also
              many files in /var/nis/{hostname} that are world writeable.
              However, since /var/nis/{hostname} is root owned, mode 700, this
              shouldn't be a problem.  It also shouldn't be necessary.

           3. /etc/hostname.le0 is _world_ writeable.

           4. /var/statmon, /var/statmon/sm, and /var/statmon/sm.bak are
              _world_ writeable directories.  They are used by statd to
              "provide the crash and recovery functions for the locking
              services of NFS".  I'm not sure what the implications are here,
              but it seems likely that, at a minimum, you could trick an NFS
              client into thinking a server crashed.

           5. The following files are _world_ writeable:
                /var/adm/vold.log
                /var/log/syslog*
                /var/lp/logs/lpsched
                /var/lp/logs/lpNet
                /etc/mnttab
                /etc/path_to_inst.old
                /var/saf/_log
                /etc/rmtab

Solutions: 1. Verify that none of the files have been tampered with (by
              re-installing if necessary), then:
              "find /opt/SUNWdxlib -exec chmod go-w {} \;"

              Here are MD5 checksums from a Solaris 2.3 CD
              (Part #704-3779-10 Rev.A, 10/93):


           2. "strings /var/nis/{hostname}.dict" to make sure all the paths
              are sane, then:
              "chmod 644 /var/nis/{hostname}.dict"
              "chmod 700 /var/nis/{hostname}"
              "chmod 600 /var/nis/{hostname}/*"

              I haven't tested this extensively, but I've done this and
              rebooted with no apparent problems.

           3. "chmod 644 /etc/hostname.le0"

           4. "find /var/statmon -exec chmod o-w {} \;"
             
              I haven't tested this extensively, but I've done this and
              rebooted with no apparent problems.

           5. It may not be possible to tighten up permissions on all
              the world writeable files out there without breaking
              something.  However, it'd be a good idea to at least
              know what they are.  Something like:
              "find / -user root \( -type d -o -type f \) -perm -2 -ls"
              will at least let you know which files may contain bogus
              information.  Checking for other than root, bin, sys, etc.
              group writeable files would be a good idea as well.
            

I reported this to security-alert () sun com and CERT on Sunday, December
18 1994, but haven't heard from either one of them.


Frank Stuart              | (Admiral Grace) Hopper's Law:
fstuart () vetmed auburn edu | It's easier to get forgiveness than permission. 
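
As an added example (not part of Frank Stuart's post), a POSIX sh script that carries out Solutions 1 and 5 together: it lists world-writable files and directories the way the post's find command does, and checks a manifest in the post's "MD5 (path) = hash" format against the files now on disk. It assumes `md5sum` or `openssl` is available and that paths contain no whitespace.

```shell
#!/bin/sh
# Added audit helpers following the post's Solutions 1 and 5 (not part of the
# original post). Needs POSIX sh, find, ls and md5sum (or openssl).

# Print "mode owner path" for every regular file or directory under the given
# roots that is writable by "other" (the post's -perm -2 test). Sticky
# directories such as /tmp are expected to be world-writable and are skipped.
# Paths are assumed to contain no whitespace.
list_world_writable() {
    find "$@" \( -type d -o -type f \) -perm -2 ! \( -type d -perm -1000 \) \
        -exec ls -ld {} \; 2>/dev/null | awk '{print $1, $3, $NF}'
}

# MD5 of one file as a bare hex string, whichever tool the host provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Check a manifest of "MD5 (path) = hash" lines (the shape the post uses)
# against the files now on disk. Prints OK/MISMATCH/MISSING per entry and
# returns non-zero if anything is missing or has changed.
verify_manifest() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            "MD5 ("*") = "*) ;;
            *) continue ;;            # skip cut marks, blanks, comments
        esac
        path=${line#"MD5 ("}
        path=${path%") = "*}
        expected=${line##*") = "}
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1
        elif [ "$(md5_of "$path")" != "$expected" ]; then
            echo "MISMATCH $path"; status=1
        else
            echo "OK       $path"
        fi
    done < "$1"
    return $status
}
```

Typical use is `list_world_writable /` to get the inventory the post recommends, and `verify_manifest manifest.txt` with the checksum block saved to a file.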


