[18336] in bugtraq


Re: Solaris patchadd(1) (3) symlink vulnerabilty

daemon@ATHENA.MIT.EDU (Juergen P. Meier)
Fri Dec 22 18:52:06 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20001222174733.A26052@fm.rz.fh-muenchen.de>
Date:         Fri, 22 Dec 2000 17:47:33 +0100
Reply-To: jpm@class.de
From: "Juergen P. Meier" <jpm@class.de>
X-To:         Peter W <peterw@usa.net>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.30.0012210827450.10314-100000@peterw>; from
              peterw@usa.net on Thu, Dec 21, 2000 at 08:55:23AM -0500

On Thu, Dec 21, 2000 at 08:55:23AM -0500, Peter W wrote:
> At 9:13am Dec 21, 2000, Paul Szabo wrote:
>
> > Juergen P. Meier <jpm@class.de> wrote:
>
> > > However: Sun Microsystems does recommend to only install
> > > patches at single-user mode (runlevel S). ...
> > > ... if you follow the Vendors recommendations, you are
> > > not vulnerable.
> >
> > The attacker can create the symlinks before you go single-user.
>
> What's the difference between taking a Unix box to single-user mode and
> asking an NT box to reboot? The former keeps that silly, precious 'uptime'
> intact so you don't lose your geek bragging rights. The reality is that
> going to single user mode means disabling the services that you set the
> box up to provide. Would anyone out there consider single-user mode time
> in their availability stats? Would you be happy if your outsourced server
> provider claimed 99.999% availability but only 99.8% was in full network /
> multiuser mode? I think not.

Well, the big difference between going to single-user mode and doing a real reboot
is the time it takes to do so.
Especially on really big servers (it takes tens of minutes just to reset
a sun e4500 with tons of io and other stuff), while init S takes
less than a minute.
If every minute is worth money, you quickly learn to avoid reboots.

It's not about uptime, it's about downtime ;)

Even 99.999% availability does allow for a few runlevel switches a year,
not to mention that it is very silly to talk availability without
having redundancy ;)

With most big sun servers, 99.999% availability does not allow you to
reboot it, since the downtime for a single reboot would break it.

> Let's be serious about this: Sun seems to release patches at about the
> same rate as Microsoft does,[0] even if they're not as well publicized.
> Unix/Linux geeks enjoy ridiculing Windows' tendency to require reboots
> after installing hotfixes. Sun execs and marketing folks have joined in
> this game at times.[1]

Granted, most of these patches should be able to be applied in multiuser mode,
so what we do need is a fix for patchadd (we already learned from a previous
post that it's not ksh's fault...)
With a fixed patchadd, those patches (that do not include kernel drivers
or things like libc ;) should be no problem at all - again...

> Now Sun is basically saying you have to reboot when installing a patch if
> you want to be safe,[2] all because they won't fix their shell
> interpreters. This is a bad joke, and Sun should be embarrassed.

Not really, they just say that they recommend it, but you may do whatever
you please.

> I wonder if anyone has had luck replacing the Solaris shell interpreters
> with something like GNU or other GPL'ed versions, e.g., replacing the
> Bourne shell with the FSF's BASH shell?

Replacing /bin/sh with anything else is a really bad idea; a whole lot
of scripts _rely_ on the fact that /bin/sh (and /sbin/sh) is the good
old dumb Bourne shell.
Believe me, it will break a lot of things.


> -Peter
>
> [0] Solaris 8 already has 196 patches according to the 16 Dec. report.
>
> [1] http://www.canada.cnet.com/news/0-1003-200-323305.html
> "Anything more aggressive than changing a file name requires a reboot in
> Windows," [Sun CEO Scott McNealy] quipped.
>
> [2] Yes, some patches require special care, but many do not. Many single
> patches (unlike cluster bundles) do not require reboots to take effect.

(PS: I find all those vacation notices rather amusing; they show me that
a lot of bugtraq subscribers lack that particular sort of clue ;)


Happy holidays,

Juergen

--
Juergen P. Meier                        email: jpm@class.de
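The thread above turns on one mechanism: a privileged script writing to a path where a symlink was planted beforehand, so that the write lands somewhere else. The following script is an added illustration of that hazard beside a hardened variant; it is not code from this post, from Sun, or from patchadd, and it says nothing about how patchadd itself is written. The function names (unsafe_write, safe_write, demo) and the scratch files it builds under mktemp -d are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post or from Sun's patchadd): the classic
# symlink-following hazard in a shell script, beside a hardened variant.
# Every path is constructed inside a scratch directory; nothing here
# touches real system files.

# Naive write: a plain '>' redirection opens $1 with O_TRUNC and follows
# any symlink sitting there, so the content lands in the link's target.
unsafe_write() {
    printf '%s\n' "$2" > "$1"
}

# Hardened write: with noclobber (set -C) the shell refuses to truncate an
# existing regular file and creates a missing file with O_EXCL, which never
# follows a symlink. A link to an existing file and a dangling link both
# make the redirection fail. The lstat check in front only gives a readable
# error; the O_EXCL open is what actually closes the race.
safe_write() {
    if [ -L "$1" ]; then
        echo "safe_write: refusing $1, it is a symlink" >&2
        return 1
    fi
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null || {
        echo "safe_write: $1 already exists, not overwriting" >&2
        return 1
    }
}

# Demonstration in a scratch directory: 'victim' stands in for any file a
# privileged script must not clobber, and 'pending' is the symlink planted
# before the script runs (constructed here; no real target is involved).
demo() {
    d=$(mktemp -d) || return 1
    printf 'original\n' > "$d/victim"
    ln -s "$d/victim" "$d/pending"

    if safe_write "$d/pending" "patched"; then
        echo "BUG: safe_write followed the symlink" >&2
        rm -rf "$d"
        return 1
    fi
    echo "victim after safe_write:   $(cat "$d/victim")"   # original

    unsafe_write "$d/pending" "patched"
    echo "victim after unsafe_write: $(cat "$d/victim")"   # patched

    rm -rf "$d"
}

demo
```

The point for a patch tool is the same whether it runs in runlevel S or not: if the link is already in place when the script starts, only an O_EXCL-style create (or writing into a freshly made, private directory) protects the write; checking `[ -L ]` and then opening normally still leaves a window.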
