Bugtraq mailing list archives

Re: Solaris patchadd(1) (3) symlink vulnerability


From: "Juergen P. Meier" <jpm () class de>
Date: Fri, 22 Dec 2000 17:47:33 +0100

On Thu, Dec 21, 2000 at 08:55:23AM -0500, Peter W wrote:
> At 9:13am Dec 21, 2000, Paul Szabo wrote:
>
>> Juergen P. Meier <jpm () class de> wrote:
>>
>>> However: Sun Microsystems does recommend to only install
>>> patches at single-user mode (runlevel S). ...
>>> ... if you follow the Vendor's recommendations, you are
>>> not vulnerable.
>>
>> The attacker can create the symlinks before you go single-user.
>
> What's the difference between taking a Unix box to single-user mode and
> asking an NT box to reboot? The former keeps that silly, precious 'uptime'
> intact so you don't lose your geek bragging rights. The reality is that
> going to single user mode means disabling the services that you set the
> box up to provide. Would anyone out there consider single-user mode time
> in their availability stats? Would you be happy if your outsourced server
> provider claimed 99.999% availability but only 99.8% was in full network /
> multiuser mode? I think not.

Well, the big difference between going to single-user mode and doing a real reboot
is the time it takes to do so,
especially on really big servers (it takes tens of minutes just to reset
a Sun E4500 with tons of I/O and other stuff), while init S takes
less than a minute.
If every minute's worth money, you quickly learn to avoid reboots.

It's not about uptime, it's about downtime ;)

Even 99.999% availability does allow for a few runlevel switches a year,
not to mention that it is very silly to talk availability without
having redundancy ;)

With most big Sun servers, 99.999% availability does not allow you to
reboot it, since the downtime for a single reboot would break it.

> Let's be serious about this: Sun seems to release patches at about the
> same rate as Microsoft does,[0] even if they're not as well publicized.
> Unix/Linux geeks enjoy ridiculing Windows' tendency to require reboots
> after installing hotfixes. Sun execs and marketing folks have joined in
> this game at times.[1]

Granted, most of these patches should be able to be applied in multiuser mode,
so what we do need is a fix for patchadd (we already learned from a previous
post that it's not ksh's fault...)
With a fixed patchadd, those patches (that do not include kernel drivers
or things like libc ;) should be no problem at all - again...

> Now Sun is basically saying you have to reboot when installing a patch if
> you want to be safe,[2] all because they won't fix their shell
> interpreters. This is a bad joke, and Sun should be embarrassed.

Not really, they just say that they recommend it, but you may do whatever
you please.

> I wonder if anyone has had luck replacing the Solaris shell interpreters
> with something like GNU or other GPL'ed versions, e.g., replacing the
> Bourne shell with the FSF's BASH shell?

Replacing /bin/sh with anything else is a really bad idea, a whole lot
of scripts _rely_ on the fact that /bin/sh (and /sbin/sh) is the good
old dumb Bourne shell.
Believe me, it will break a lot of things.


> -Peter
>
> [0] Solaris 8 already has 196 patches according to the 16 Dec. report.
>
> [1] http://www.canada.cnet.com/news/0-1003-200-323305.html
> "Anything more aggressive than changing a file name requires a reboot in
> Windows," [Sun CEO Scott McNealy] quipped.
>
> [2] Yes, some patches require special care, but many do not. Many single
> patches (unlike cluster bundles) do not require reboots to take effect.

(PS: I find all those vacation notices rather amusing, they show me that
a lot of bugtraq-subscribers lack that particular sort of clue ;)


Happy holidays,

Juergen

--
Juergen P. Meier                        email: jpm () class de

