[3273] in bugtraq
Re: (WORKAROUND) More on UnixWare 2.x vulnerability
daemon@ATHENA.MIT.EDU (Hannu Laurila)
Sun Aug 25 02:26:35 1996
Date: Sat, 24 Aug 1996 22:32:46 +0300
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Hannu Laurila <Hannu.Laurila@japo.fi>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.NEB.3.95.960824140645.24286K-100000@like.duh.ml.org>
On Sat, 24 Aug 1996, Todd Vierling wrote:
> I've found out a more about UnixWare 2. It seems the system (and I don't
> know if SCO's own native OSs do this, SCO UNIX/SCO XENIX/SCO OpenServer)
> allows chown'ing a file *to* any arbitrary user and group.=20
I couldn't check/test for the vulnerability but I think all users of
Unixware and other SVR4-unixes should check that their boxes are
configured with the BSD-style behaviour of chown/chgrp. It is simply
safer in general.
Unixware 2.0x, by default, uses the old AT&T behaviour but it can be
adjusted with a single kernel tunable.
For other security reasons, I asked on comp.unix.unixware.misc how to tune
the behaviour about 2 or 3 months a go and here is a quote from the
Unixware trouble-FAQ, it consists of my question and Andrew Josey's answer
(thanks Andrew!):
--- clip ---
Subject: T41) How can I revert to the BSD form of (restricted) chown?=20
By default, chown() system call comes with the old AT&T behavior and
allows a user to change the ownership of a file he owns to that of any=20
other user on the system.
How can I modify the behavior to the BSD-form (only root can change=20
the ownership of a file)?
The BSD way is the FIPS 151-2 and XPG4 way, and indeed there is a tuneable
called RSTCHOWN. For strict conformance (and when testing for
POSIX FIPS 151-2, XPG etc) this should be set to one.
/etc/conf/bin/idtune -g RSTCHOWN will return its value.
To set it do
# /etc/conf/bin/idtune RSTCHOWN 1
# /etc/conf/bin/idbuild
and then reboot.
---
Hannu Laurila - kube@japo.fi * Kauppakatu 10, FIN-62900 ALAJ=C4RVI
Alaj=E4rven Puhelinosuuskunta * Tel +358 66 557 2209 - Fax +358 66 557 2=
788
