[2404] in bugtraq
ufsrestore suid root not a security hole
daemon@ATHENA.MIT.EDU (Sean Vickery)
Fri Nov 17 11:45:08 1995
Date: Fri, 17 Nov 1995 14:45:45 +1000
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Sean Vickery <S.Vickery@its.gu.edu.au>
X-To: Brett Lymn <blymn@awadi.com.au>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: Your message of "Tue, 14 Nov 1995 11:05:09 +1030."
<9511140035.AA14670@bunya.awadi>

On 14 November 1995, Brett Lymn wrote:
> According to Jake Luck:
> >
> >yeah, but what about /usr/sbin/ufsrestore ?
> >
> >it is statically linked, utilizes syslog, and suid root.
> >
>
> If you are a BOFH then just kill the setuid bit on ufsrestore. It
> means that root has to do the restores but it does close an awful lot
> of holes (like someone dragging in a QIC and restoring their favourite
> version of /etc/passwd.... need I say more?). Or you could just
> remove the global rx though this may bugger up remote root users.

Yes, /usr/sbin/ufsrestore is suid root on my Solaris 2 box. But it is more
careful than to allow an unprivileged user to create or overwrite files just
anywhere.

# ufsdump 0f /tmp/x.dump /etc/fs
DUMP: Writing 32 Kilobyte records
DUMP: Date of this level 0 dump: Fri Nov 17 14:33:04 1995
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/rdsk/c0t3d0s0 (chimaera:/) to /tmp/x.dump.
DUMP: Mapping (Pass I) [regular files]
DUMP: Mapping (Pass II) [directories]
DUMP: Estimated 1646 blocks (823KB).
DUMP: Dumping (Pass III) [directories]
DUMP: Dumping (Pass IV) [regular files]
DUMP: 1598 blocks (799KB) on 1 volume at 254 KB/sec
DUMP: DUMP IS DONE
# chmod 644 /tmp/x.dump
# mkdir /tmp/y
# ls -ld /tmp/y
drwxr-xr-x 2 root other 37 Nov 17 14:33 /tmp/y
$ ufsrestore rf /tmp/x.dump
./lost+found: (inode 3) not found on volume
./usr: (inode 2688) not found on volume
./opt: (inode 161334) not found on volume
Warning: ./etc: Permission denied
./etc/cron.d: (inode 10752) not found on volume
Warning: ./etc/fs: No such file or directory
Warning: ./etc/fs/hsfs: No such file or directory
Warning: ./etc/fs/nfs: No such file or directory
Warning: ./etc/fs/ufs: No such file or directory
Warning: ./etc/fs/proc: No such file or directory
[...lots of `not found on volume' as I didn't back up the whole filesystem...]
./ksc: (inode 46180) not found on volume
fopen: Permission denied
cannot create save file ./restoresymtable for symbol table
abort? [yn] y
dump core? [yn] n
$ ls -l
total 0
$ pwd
/tmp/y

So it appears that ufsrestore suid root is not a security hole. Would someone
with access to Solaris 2.x source like to tell me what ufsrestore needs to be
suid root for?

And b.t.w., Brett, what does BOFH mean?

Sean.
--
Sean Vickery <S.Vickery@its.gu.edu.au> Ph: +61 (0)7 3875 6410
Systems Programmer Information Services Griffith University
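
An added example, not part of the original message and not ufsrestore's code: one way a setuid-root program can produce the behaviour in the transcript, where file creation is checked against the invoking user's rights. The helper name `create_as_real_user` is hypothetical, and the message does not say how ufsrestore itself implements its checks.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Create `path` with the rights of the invoking (real) user rather than
 * the owner of the setuid binary. Returns 0 or a negative errno value.
 * Hypothetical helper for illustration; not taken from ufsrestore.
 */
int create_as_real_user(const char *path)
{
    uid_t privileged = geteuid();   /* root when installed suid root */
    int fd, err = 0;

    /* Drop the effective uid so the kernel checks the caller's rights. */
    if (seteuid(getuid()) != 0)
        return -errno;

    /* O_NOFOLLOW: do not write through a symlink planted at `path`. */
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        err = -errno;
    else
        close(fd);

    /* Regain privilege for the parts of the program that need it. */
    if (seteuid(privileged) != 0)
        return -errno;
    return err;
}

int main(void)
{
    /* Same file name the transcript shows failing in root-owned /tmp/y. */
    int rc = create_as_real_user("./restoresymtable");
    if (rc != 0) {
        fprintf(stderr, "cannot create ./restoresymtable: %s\n", strerror(-rc));
        return 1;
    }
    puts("created ./restoresymtable as the invoking user");
    return 0;
}
```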