Bugtraq mailing list archives
Various Solaris 2.3 file permission problems
From: fstuart () vetmed auburn edu (Frank Stuart)
Date: Tue, 3 Jan 1995 10:09:13 -0600
Various Solaris 2.3 file permission problems

Impact:

1. Users with access to your system can become any user who uses SUNWdxlib, including privileged ones.
2. _Possibly_, any user with access to your NIS+ servers can change NIS+ information, including passwd.org_dir and cred.org_dir (I haven't confirmed this).
3. Any random luser can partially change your hostname.
4. It _may_ be possible for users with access to NFS clients to interfere with NFS mounted filesystems (I haven't confirmed this).
5. Various log files are untrustworthy as they can be edited by any user on the system.

Problems:

1. As distributed, /opt/SUNWdxlib contains many _world_ writeable files, including executables. A trojan may be inserted into an executable by any user, allowing them access to the accounts of anyone executing it.

2. By default, /var/nis/{hostname}.dict is _world_ writeable. "man -s4 nisfiles" says "This file is a dictionary that is used by the NIS+ database to locate its files." A quick look at it will show things like "/var/nis/{hostname}/passwd.org_dir". By changing this to, say, "/tmp/{hostname}/passwd.org_dir", it _may_ be possible to replace the NIS+ password (or any arbitrary) map with a bogus one (I haven't confirmed this). There are also many files in /var/nis/{hostname} that are world writeable. However, since /var/nis/{hostname} is root owned, mode 700, this shouldn't be a problem. It also shouldn't be necessary.

3. /etc/hostname.le0 is _world_ writeable.

4. /var/statmon, /var/statmon/sm, and /var/statmon/sm.bak are _world_ writeable directories. They are used by statd to "provide the crash and recovery functions for the locking services of NFS". I'm not sure what the implications are here, but it seems likely that, at a minimum, you could trick an NFS client into thinking a server crashed.

5. The following files are _world_ writeable:

   /var/adm/vold.log
   /var/log/syslog*
   /var/lp/logs/lpsched
   /var/lp/logs/lpNet
   /etc/mnttab
   /etc/path_to_inst.old
   /var/saf/_log
   /etc/rmtab

Solutions:

1. Verify that none of the files have been tampered with (by re-installing if necessary), then:

   "find /opt/SUNWdxlib -exec chmod go-w {} \;"

   Here are MD5 checksums from a Solaris 2.3 CD (Part #704-3779-10 Rev.A, 10/93):

2. "strings /var/nis/{hostname}.dict" to make sure all the paths are sane, then:

   "chmod 644 /var/nis/{hostname}.dict"
   "chmod 700 /var/nis/{hostname}"
   "chmod 600 /var/nis/{hostname}/*"

   I haven't tested this extensively, but I've done this and rebooted with no apparent problems.

3. "chmod 644 /etc/hostname.le0"

4. "find /var/statmon -exec chmod o-w {} \;"

   I haven't tested this extensively, but I've done this and rebooted with no apparent problems.

5. It may not be possible to tighten up permissions on all the world writeable files out there without breaking something. However, it'd be a good idea to at least know what they are. Something like:

   "find / -user root \( -type d -o -type f \) -perm -2 -ls"

   will at least let you know which files may contain bogus information. Checking for other than root, bin, sys, etc. group writeable files would be a good idea as well.

I reported this to security-alert () sun com and CERT on Sunday, December 18 1994, but haven't heard from either one of them.

Frank Stuart                   | (Admiral Grace) Hopper's Law:
fstuart () vetmed auburn edu   | It's easier to get forgiveness than permission.
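The audit suggested in item 5 of the solutions, written out as an added example that is not part of the original post: it lists world-writeable files and directories under a tree, plus group-writeable ones whose group falls outside a trusted list. The function names and the default trusted list (root, bin, sys, taken from the post's wording) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Function names and the default trusted-group list are assumptions.

# world_writable DIR
# Print every regular file and directory under DIR that any user may write.
# Symlinks are skipped: their mode bits say nothing about the target.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# group_writable DIR [TRUSTED]
# Print "group path" for every group-writeable file or directory whose
# group is not in the space-separated TRUSTED list (default: root bin sys).
# Paths containing newlines are not handled by this line-based loop.
group_writable() {
    trusted=" ${2-root bin sys} "
    find "$1" \( -type d -o -type f \) -perm -0020 -print |
    while IFS= read -r path; do
        # Field 4 of "ls -ld" is the owning group (name, or gid if unnamed).
        grp=$(ls -ld "$path" | awk '{print $4}')
        case "$trusted" in
            *" $grp "*) ;;                          # trusted group: skip
            *) printf '%s %s\n' "$grp" "$path" ;;   # report everything else
        esac
    done
}

# Stand-alone use: sh audit.sh /opt/SUNWdxlib
if [ "$#" -gt 0 ]; then
    echo "== world-writeable under $1 =="
    world_writable "$1"
    echo "== group-writeable (untrusted group) under $1 =="
    group_writable "$1"
fi
```

Run it before any chmod so there is a record of what was exposed; a file that was world-writeable still has to be verified against known-good media, since fixing the mode does not undo earlier tampering.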