Original issue date: February 3, 1993<BR>
Last revised: September 19, 1997<BR>
Attached copyright statement
<P>A complete revision history is at the end of this file.
<P>The default permissions on a number of files and directories in
SunOS 4.1, 4.1.1, 4.1.2, and 4.1.3 are set incorrectly. These
problems are relevant for the sun3, sun3x, sun4, sun4c, and sun4m
architectures. They have been fixed in SunOS 5.0. (Note that SunOS
5.0 is the operating system included in the Solaris 2.0 software
distribution.)
<P>An updated patch to reset these permissions is available from Sun.
CERT has seen an increasing number of attackers exploit these problems
on systems and we encourage sites to consider installing this patch.
<P><HR>
<P>
<H2>I. Description</H2>
<P>File permissions on numerous files were set incorrectly in the
distribution tape of 4.1.x. A typical example is that a file which
should have been owned by "root" was set to be owned by
"bin".
<P>Not all sites will need or want to install the patch for this
problem. The decision of what user id should own most system files
and directories depends on the administrative practices of the site.
It is quite reasonable to run a system where the majority of files are
owned by "bin" as long as the entire system is run in a
manner consistent with that practice. As distributed, the SunOS
configuration expects most system files to be owned by
"root". The fact that some are not creates security
problems.
<P>Therefore, sites that are running the SunOS versions listed above
as distributed should install the patch described below. Sites that
have made an informed choice to configure their system differently may
instead want to review the patch script and consider which, if any, of
the changes should be made on their system.
<P>
<H2>II. Impact</H2>
<P>Depending on the specific configuration of the local site, the
default permissions may allow local users to gain "root"
access.
<P>
<H2>III. Solution</H2>
<P>
<OL>
<LI>Sun has provided a script to reset file and directory permissions
to their correct values. The script is available in Sun's Patch
#100103 version 11. This patch can be obtained via local Sun Answer
Centers worldwide as well as through anonymous FTP from the ftp.uu.net
(137.39.1.9) system in the /systems/sun/sun-dist directory.
<P>
<PRE>
Patch ID Filename Checksum
100103-11 100103-11.tar.Z 19847 6
</PRE>
<P>Please note that Sun Microsystems sometimes updates patch files.
If you find that the checksum is different please contact Sun
Microsystems or CERT for verification.
<LI><P>Uncompress the file, extract the contents of the tar archive,
and review the README file.
<P>
<PRE>
% uncompress 100103-11.tar.Z
% tar xfv 100103-11.tar
% cat README
</PRE>
<LI><P>This patch will reset the group ownership of certain files to
either "staff" or "bin". Make sure you have entries in
the "/etc/group" file for these accounts.
<P>
<PRE>
% grep '^staff:' /etc/group
% grep '^bin:' /etc/group
</PRE>
<P>If you do not have both of these you will need to either add the
missing account(s) or modify the patch script (4.1secure.sh) to
reflect group ownerships appropriate for your site. (Note that the
security problems are fixed by the ownerships and mode bits specified
in the patch - not by the group ownerships. Therefore, changing the
group ownerships does not invalidate the patch.)
<LI><P>As "root", run the patch script.
<P>
<PRE>
# sh 4.1secure.sh
</PRE>
<P>This patch fixes Sun BugId's 1046817, 1047044, 1048142, 1054480,
1037153, 1039292, and 1042662.
<LI><P>The patch script will set "/usr/kvm/crash" to mode
02700 owned by "root". While this is not insecure, since
only "root" can run the program, CERT recommends that the
setgid bit be removed to prevent abuse if world execute permission
were to be added some time later.<BR>
As "root", make "/usr/kvm/crash" not a
set-group-id program.
<P>
<PRE>
# chmod 755 /usr/kvm/crash
</PRE>
<P>
</OL>
<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 1993 Carnegie Mellon University.</P>
<HR>
Revision History
<PRE>
September 19,1997 Attached Copyright Statement
</PRE>
|