[11061] in bugtraq
Re: Solaris 2.6/7 NTP permissions problem
daemon@ATHENA.MIT.EDU (Casper Dik)
Sat Jul 17 22:35:58 1999
Message-Id: <199907162103.XAA26262@romulus>
Date: Fri, 16 Jul 1999 23:03:53 +0200
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
X-To: john_smith@RD.QMS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Wed, 14 Jul 1999 11:21:13 CDT."
<9907149319.AA931969217@rd.qms.com>
> Hi All!
>
> I reported this bug to Sun approx. 3 weeks ago. Haven't gotten a
> response yet so I'm going ahead and releasing it.
>
> Problem:
>
> I've noticed that the XNTP daemon on Solaris 2.6 and 7 creates
> its drift file (default=/etc/inet/ntp.drift) world-writable (666).
> Even changing the permissions to something sane the permissions
> eventually get set back to 666 (not sure if this is at daemon restart,
> update of the drift file or both).
There's not a whole lot you can do with this hole, though. xntp will
use it as a hint on how good the local clock is but will put only limited
trust in it. (You could copy a big file there, but again, that file
disappears).
A standard default umask of 022 for all programs or xntpd would fix this.
In the next release, the default umask will likely be 022.
What also helps is:
setfacl -m d:u::7,d:m:5,d:g::5,d:o:5 /etc/inet
Which forces all files created in the directory to have mode 644 or 755.
The solaris FAQ says:
3.50) How can I prevent daemons from creating mode 666 files?
By default, all daemons inherit the umask 0 from init.
This is most problematic for a service like ftp, which in a
standard configuration leaves all uploaded files with mode 666.
To get daemons to use another umask execute the following
commands in /bin/sh and reboot:
umask 022 # make sure umask.sh gets created with the proper mode
echo "umask 022" > /etc/init.d/umask.sh
for d in /etc/rc?.d
do
ln /etc/init.d/umask.sh $d/S00umask.sh
done
Note: the trailing ".sh" of the scriptname is important; if
you don't specify it, the script will be executed in a
sub-shell, not in the main shell that executes all other scripts.
In Solaris 2.6 and later, in.ftpd(1M) allows setting its umask
in /etc/default/ftpd.
--- end of excerpt from the FAQ
Questions marked with a * or + have been changed or added since
the FAQ was last posted
The most recently posted version of the FAQ is available from
<http://www.wins.uva.nl/pub/solaris/solaris2/>
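Added example, not part of Casper's message or the Solaris FAQ: a small POSIX sh script that shows the mechanism behind the report. A daemon that opens its file with mode 0666 (as xntpd does for ntp.drift) gets a world-writable file only because it inherited umask 0 from init; the same create under umask 022 yields 0644. The script also carries an audit function for world-writable files, the check you would run against /etc/inet after applying the umask or default-ACL fix. The temporary directory, the file name ntp.drift and the function names are constructed for the demo; the script does not touch /etc/inet, and the Solaris setfacl default-ACL fix is not reproduced because it is Solaris-specific.

```shell
#!/bin/sh
# Added example (not from the original post or the Solaris FAQ).
# Demonstrates umask inheritance: a file created with mode 0666 is
# world-writable under umask 0 and 0644 under umask 022. All paths and
# names below are constructed for the demo.

# mode_of FILE: print the symbolic permission string, e.g. "-rw-rw-rw-".
# Uses ls rather than stat(1) so it works on Solaris, BSD and Linux alike.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# create_as_daemon DIR UMASK: simulate a daemon started with umask UMASK
# that (re)creates DIR/ntp.drift via open(..., 0666). A shell redirection
# creates files with exactly 0666 & ~umask, so it stands in for the daemon.
# The file is removed first: truncating an existing file keeps its old mode.
create_as_daemon() {
    rm -f "$1/ntp.drift"
    ( umask "$2"; : > "$1/ntp.drift" )
    mode_of "$1/ntp.drift"
}

# is_world_writable FILE: exit 0 if "others" have write permission.
is_world_writable() {
    case "$(mode_of "$1")" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# find_world_writable DIR: list regular files under DIR with o+w set,
# the audit you would run against /etc/inet after fixing the umask.
find_world_writable() {
    find "$1" -type f -perm -002
}

# demo: the same create under umask 0 (what init hands to daemons) and
# under umask 022 (what the FAQ's S00umask.sh establishes).
demo() {
    d=$(mktemp -d)
    echo "umask 0   -> $(create_as_daemon "$d" 0)"
    echo "umask 022 -> $(create_as_daemon "$d" 022)"
    echo "world-writable files left: $(find_world_writable "$d" | wc -l)"
    rm -rf "$d"
}

# Run "sh umask_demo.sh demo" to see both creates; sourcing the file
# only defines the functions.
case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh umask_demo.sh demo`; the first line prints -rw-rw-rw- and the second -rw-r--r--. The rm -f in create_as_daemon matters: a daemon that only truncates and rewrites an existing file keeps whatever mode the file already has, so a daemon that keeps resetting the file to 666, as the original report describes, must be recreating it.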