Bugtraq mailing list archives

Re: (WORKAROUND) More on UnixWare 2.x vulnerability


From: Hannu.Laurila () japo fi (Hannu Laurila)
Date: Sat, 24 Aug 1996 22:32:46 +0300


On Sat, 24 Aug 1996, Todd Vierling wrote:

> I've found out more about UnixWare 2.  It seems the system (and I don't
> know if SCO's own native OSs do this, SCO UNIX/SCO XENIX/SCO OpenServer)
> allows chown'ing a file *to* any arbitrary user and group.

I couldn't check/test for the vulnerability but I think all users of
Unixware and other SVR4-unixes should check that their boxes are
configured with the BSD-style behaviour of chown/chgrp. It is simply
safer in general.

Unixware 2.0x, by default, uses the old AT&T behaviour but it can be
adjusted with a single kernel tunable.

For other security reasons, I asked on comp.unix.unixware.misc how to tune
the behaviour about 2 or 3 months ago and here is a quote from the
Unixware trouble-FAQ, it consists of my question and Andrew Josey's answer
(thanks Andrew!):

--- clip ---

Subject: T41) How can I revert to the BSD form of (restricted) chown? 


By default, chown() system call comes with the old AT&T behavior and
allows a user to change the ownership of a file he owns to that of any 
other user on the system.

How can I modify the behavior to the BSD-form (only root can change 
the ownership of a file)?

The BSD way is the FIPS 151-2 and XPG4 way, and indeed there is a tuneable
called RSTCHOWN. For strict conformance (and when testing for
POSIX FIPS 151-2, XPG etc) this should be set to one.

/etc/conf/bin/idtune -g RSTCHOWN  will return its value.

To set it do

     # /etc/conf/bin/idtune RSTCHOWN 1
     # /etc/conf/bin/idbuild

and then reboot.

---
Hannu Laurila - kube () japo fi  *  Kauppakatu 10, FIN-62900 ALAJÄRVI
Alajärven Puhelinosuuskunta   *  Tel +358 66 557 2209 - Fax +358 66 557 2788
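
An added example, not part of the original message or the FAQ: a portable behavioural check of whether a host actually enforces the restricted (BSD/POSIX) chown policy discussed above, run as an unprivileged user. It assumes a POSIX shell with `mktemp -d` available; the function names and the probe uid are constructed for illustration, and the `idtune -g RSTCHOWN` call is the one quoted in the FAQ.

```shell
#!/bin/sh
# Added example: audits the chown(2) give-away policy; not from the original post.

# Prints one word: restricted | permissive | inconclusive
chown_policy() {
    uid=$(id -u)
    # root may always chown, so a probe run as root proves nothing.
    if [ "$uid" -eq 0 ]; then
        echo inconclusive
        return 0
    fi
    # Use a private directory: if the give-away succeeds we no longer own
    # the file, and in a sticky directory such as /tmp we could not remove it.
    dir=$(mktemp -d 2>/dev/null) || { echo inconclusive; return 0; }
    probe="$dir/probe"
    : > "$probe"
    other=$((uid + 1))   # constructed target: any numeric uid that is not ours
    if chown "$other" "$probe" 2>/dev/null; then
        result=permissive    # old AT&T behaviour: owner can give files away
    else
        result=restricted    # BSD/POSIX behaviour: only root can change owner
    fi
    rm -rf "$dir"
    echo "$result"
}

# On UnixWare, also show the tunable using the command quoted in the FAQ.
report_tunable() {
    if [ -x /etc/conf/bin/idtune ]; then
        /etc/conf/bin/idtune -g RSTCHOWN
    fi
}

echo "chown give-away policy: $(chown_policy)"
report_tunable
```

A `permissive` result means the host still needs the RSTCHOWN change and kernel rebuild described in the FAQ.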


