[18317] in bugtraq
Re: Solaris patchadd(1) (3) symlink vulnerability
daemon@ATHENA.MIT.EDU (Cy Schubert - ITSD Open Systems Gr)
Fri Dec 22 05:25:34 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <200012220116.eBM1Gow75363@cwsys.cwsent.com>
Date: Thu, 21 Dec 2000 17:16:40 -0800
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@UUMAIL.GOV.BC.CA>
X-To: "Juan M. Courcoul" <courcoul@CAMPUS.QRO.ITESM.MX>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Wed, 20 Dec 2000 23:27:25 CST."
<3A4194BD.916CC630@campus.qro.itesm.mx>
In message <3A4194BD.916CC630@campus.qro.itesm.mx>, "Juan M. Courcoul"
writes:
> "Juergen P. Meier" wrote:
> ...
> >
> > However: Sun Microsystems does recommend to only install
> > patches at single-user mode (runlevel S). So no other
> > possibly malicious user can exploit this ksh behaviour.
>
> True single-user mode, meaning the state of the machine after it starts with a
> 'boot -s' is, indeed, the safest state in which to apply patches, especially
> those that have systemwide consequences. However, application patches can be
> cautiously applied, like Sun recommends, "with the system with a minimum of
> activity".
>
> ...
> >
> > Always do init S before applying solaris patches. (especially
> > if you do kernel or devicedriver patches, check your readme's).
>
> Unless you are running a recent (>= Solaris 7) version, I would emphatically
> recommend that you shut the machine down, start it with a 'boot -s', and then
> apply your recommended patches in THIS single-user mode. My experience with
> previous versions (we've been running Solaris hosts since 2.3) is that 'init S'
> does not guarantee that all multiuser processes get killed, since not all of
> these have the corresponding Kxxx shutdown scripts in the appropriate rcX.d
> directory. Sure, users do get booted out, but the processes continue running
> happily, so you can still find yourself in a pickle.
One thing I used to do when I installed patches myself was to copy the
system disk to another disk, mounted on /foobar. Then chroot to
/foobar while in multi-user state and install patches there and boot
from the /foobar disk, because installpatch -R did not work for a
period of time. As I've delegated patch installation, I suspect that
patchadd should be able to handle this as well. Make sure that
/foobar's permissions are 700 or, better yet, make sure that foobar is
mounted under a directory whose permissions are 700.
This has the added benefit of a simple backout procedure if you need to
back out a set of patches quickly.
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
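The alternate-root procedure above (copy the system disk, mount it under a 700 directory, patch it with patchadd -R or from inside a chroot, then boot from it) is only as safe as the permissions on the path leading to the copy: if another user can write anywhere along that path, they can plant the kind of symlink this thread is about and have the patch run follow it. The script below is an added example, not code from the original post or from Sun. It walks the path from the alternate root up to a trusted ancestor and refuses to proceed unless every component is a non-symlink directory owned by the expected uid (root in real use), none is group- or world-writable, and at least one component (the mount point or a parent, as the post recommends) denies all group/other access. The function names, the ALTROOT_OWNER_UID override, the TRUSTED_TOP argument and the field layout assumed for `ls -ldn` are this example's own conventions; the patchadd -R form is the alternate-root invocation the post expects patchadd to support, with the chroot variant noted as the fallback the post actually used.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for an
# alternate-root patch tree such as /foobar, plus the patching step.
#
# check_altroot DIR [TRUSTED_TOP] walks from DIR up to, but not including,
# TRUSTED_TOP (default /, assumed root-owned and not world-writable) and
# refuses if any component is a symlink, is owned by anyone other than
# $ALTROOT_OWNER_UID, or is group/world-writable. It also insists that at
# least one component denies all group/other access (mode 700 style):
# that is what stops another user from seeding the tree with symlinks
# that patchadd -R or a chrooted patchadd would then follow.

ALTROOT_OWNER_UID="${ALTROOT_OWNER_UID:-0}"   # root in real use; overridable for testing

check_altroot() {
    dir="$1"
    top="${2:-/}"
    if [ ! -d "$dir" ]; then
        echo "check_altroot: $dir is not a directory" >&2
        return 1
    fi
    sealed=0
    p="$dir"
    while [ "$p" != "$top" ]; do
        if [ -L "$p" ]; then
            echo "check_altroot: $p is a symlink" >&2
            return 1
        fi
        # ls -ldn: field 1 is the mode string (e.g. drwx------), field 3 the numeric uid
        set -- $(ls -ldn "$p")
        mode="$1"
        uid="$3"
        if [ "$uid" != "$ALTROOT_OWNER_UID" ]; then
            echo "check_altroot: $p is owned by uid $uid, expected $ALTROOT_OWNER_UID" >&2
            return 1
        fi
        case "$mode" in
            ?????w*|????????w*)     # group-write or other-write bit set
                echo "check_altroot: $p is group/world writable ($mode)" >&2
                return 1 ;;
            ????------*)            # no group/other bits at all: this level seals the tree
                sealed=1 ;;
        esac
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    if [ "$sealed" -ne 1 ]; then
        echo "check_altroot: no component of $dir denies group/other access (want mode 700 on it or a parent)" >&2
        return 1
    fi
    return 0
}

# patch_altroot ALTROOT PATCH: refuse unless the tree passes the check, then
# apply the patch to the alternate root instead of the live system.
# If your release's patchadd does not honour -R, the equivalent is to copy the
# patch into the tree and run it from inside:
#   chroot "$ALTROOT" /usr/sbin/patchadd /patches/NNNNNN-NN
patch_altroot() {
    altroot="$1"
    patch="$2"
    check_altroot "$altroot" || return 1
    /usr/sbin/patchadd -R "$altroot" "$patch"
}

# Usage when run directly:  sh altroot-check.sh --check /foobar [/trusted/top]
if [ "${1:-}" = "--check" ]; then
    check_altroot "$2" "${3:-/}"
fi
```

Run the check before every chroot or patchadd -R session, not just when the disk is first set up: a later remount or a chmod by another administrator can reopen the path, and the check is cheap.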