Bugtraq mailing list archives

ufsrestore suid root not a security hole


From: S.Vickery () its gu edu au (Sean Vickery)
Date: Fri, 17 Nov 1995 14:45:45 +1000


On 14 November 1995, Brett Lymn wrote:
> According to Jake Luck:
>>
>> yeah, but what about /usr/sbin/ufsrestore ?
>>
>> it is statically linked, utilizes syslog, and suid root.
>
> If you are a BOFH then just kill the setuid bit on ufsrestore.  It
> means that root has to do the restores but it does close an awful lot
> of holes (like someone dragging in a QIC and restoring their favourite
> version of /etc/passwd.... need I say more?).  Or you could just
> remove the global rx though this may bugger up remote root users.

Yes, /usr/sbin/ufsrestore is suid root on my Solaris 2 box.  But it is more
careful than to allow an unprivileged user to create or overwrite files just
anywhere.

    # ufsdump 0f /tmp/x.dump /etc/fs
      DUMP: Writing 32 Kilobyte records
      DUMP: Date of this level 0 dump: Fri Nov 17 14:33:04 1995
      DUMP: Date of last level 0 dump: the epoch
      DUMP: Dumping /dev/rdsk/c0t3d0s0 (chimaera:/) to /tmp/x.dump.
      DUMP: Mapping (Pass I) [regular files]
      DUMP: Mapping (Pass II) [directories]
      DUMP: Estimated 1646 blocks (823KB).
      DUMP: Dumping (Pass III) [directories]
      DUMP: Dumping (Pass IV) [regular files]
      DUMP: 1598 blocks (799KB) on 1 volume at 254 KB/sec
      DUMP: DUMP IS DONE
    # chmod 644 /tmp/x.dump
    # mkdir /tmp/y
    # ls -ld /tmp/y
    drwxr-xr-x   2 root     other         37 Nov 17 14:33 /tmp/y

    $ ufsrestore rf /tmp/x.dump
    ./lost+found: (inode 3) not found on volume
    ./usr: (inode 2688) not found on volume
    ./opt: (inode 161334) not found on volume
    Warning: ./etc: Permission denied
    ./etc/cron.d: (inode 10752) not found on volume
    Warning: ./etc/fs: No such file or directory
    Warning: ./etc/fs/hsfs: No such file or directory
    Warning: ./etc/fs/nfs: No such file or directory
    Warning: ./etc/fs/ufs: No such file or directory
    Warning: ./etc/fs/proc: No such file or directory
    [...lots of `not found on volume' as I didn't backup the whole filesystem...]
    ./ksc: (inode 46180) not found on volume
    fopen: Permission denied
    cannot create save file ./restoresymtable for symbol table
    abort? [yn] y
    dump core? [yn] n
    $ ls -l
    total 0
    $ pwd
    /tmp/y

So it appears that ufsrestore suid root is not a security hole.  Would someone
with access to Solaris 2.x source like to tell me what ufsrestore needs to be
suid root for?

And b.t.w., Brett, what does BOFH mean?

Sean.
--
Sean Vickery <S.Vickery () its gu edu au>   Ph: +61 (0)7 3875 6410
Systems Programmer   Information Services   Griffith University
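
Added example, not part of the original post and not ufsrestore source: one common way a set-uid root program produces the "Permission denied" results in the transcript above is to switch to the invoking user's IDs around every file operation on a user-named path. That this is how ufsrestore does it is an assumption; the helper name open_as_invoker is hypothetical.

```c
/* Added illustration, NOT Solaris code: open a file with the invoker's
 * credentials from inside a set-uid program, then regain privilege. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper. Returns an fd, or -1 with errno set. */
int open_as_invoker(const char *path, int flags, mode_t mode)
{
    uid_t saved_euid = geteuid();   /* 0 when installed set-uid root */
    gid_t saved_egid = getegid();
    int fd, err;

    /* Drop the group first: once euid is non-root, setegid() may be refused. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        err = errno;
        setegid(saved_egid);        /* undo the half-finished drop */
        errno = err;
        return -1;
    }

    /* The kernel now checks directory and file permissions against the
     * real user, so a root-owned 755 directory yields EACCES. */
    fd = open(path, flags, mode);
    err = errno;

    /* Regain privilege in the reverse order; fail closed if that fails. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        _exit(1);
    }
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    /* Default path mirrors the save file named in the transcript. */
    const char *path = argc > 1 ? argv[1] : "./restoresymtable";
    int fd = open_as_invoker(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) { perror("open"); return 1; }
    close(fd);
    return 0;
}
```

Built and installed set-uid root, this fails with "Permission denied" when an unprivileged user runs it in a root-owned directory such as the /tmp/y above, and succeeds in a directory that user can write to.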


