[147] in Back_Bay_LISA
Re: Sun security problem (fwd)
daemon@ATHENA.MIT.EDU (JR Oldroyd)
Fri Feb 5 11:12:39 1993
To: bblisa@inset.com
Date: Fri Feb 5 11:05:36 EST 1993
From: "JR Oldroyd" <jr@inset.com>
--- Forwarded letter from ebersman@uunet.uu.net follows:
> From ebersman@uunet.uu.net Thu Feb 4 16:57:46 1993
> X-Delivered: at request of adamm on garlic
> Date: Thu, 4 Feb 93 14:31:20 -0500
> From: ebersman@uunet.uu.net (Paul Ebersman)
> Message-Id: <9302041931.AA25417@cfmartin.UU.NET>
> To: alter-ops@uunet.UU.NET
> Subject: Sun security problem
> Organization: UUNET Technologies, Inc.
>
>
> I'm not sure how many of you get the CERT advisories, but since so
> many people have Suns, I thought you'd rather see multiple copies of
> this notice than none.
>
> --
> Paul
> ------- Start of forwarded message -------
>
> - -----------------------------------------------------------------------------
> CA-93:03 CERT Advisory
> February 3, 1993
> SunOS File/Directory Permissions
> - -----------------------------------------------------------------------------
>
> The default permissions on a number of files and directories in SunOS
> 4.1, 4.1.1, 4.1.2, and 4.1.3 are set incorrectly. These problems are
> relevant for the sun3, sun3x, sun4, sun4c, and sun4m architectures.
> They have been fixed in SunOS 5.0. (Note that SunOS 5.0 is the operating
> system included in the Solaris 2.0 software distribution.)
>
> An updated patch to reset these permissions is available from Sun.
> CERT has seen an increasing number of attackers exploit these problems
> on systems and we encourage sites to consider installing this patch.
>
> - -----------------------------------------------------------------------------
>
> I. Description
>
> File permissions on numerous files were set incorrectly in the
> distribution tape of 4.1.x. A typical example is that a file which
> should have been owned by "root" was set to be owned by "bin".
>
> Not all sites will need or want to install the patch for this problem.
> The decision of what user id should own most system files and
> directories depends on the administrative practices of the site.
> It is quite reasonable to run a system where the majority
> of files are owned by "bin" as long as the entire system is run in
> a manner consistent with that practice. As distributed, the SunOS
> configuration expects most system files to be owned by "root".
> The fact that some are not creates security problems.
>
> Therefore, sites that are running the SunOS versions listed above
> as distributed should install the patch described below.
> Sites that have made an informed choice to configure their system
> differently may instead want to review the patch script and
> consider which, if any, of the changes should be made on their system.
>
> II. Impact
>
> Depending on the specific configuration of the local site,
> the default permissions may allow local users to gain "root" access.
>
> III. Solution
>
> 1) Sun has provided a script to reset file and directory permissions
> to their correct values. The script is available in Sun's
> Patch #100103 version 11. This patch can be obtained via
> local Sun Answer Centers worldwide as well as through
> anonymous FTP from the ftp.uu.net (137.39.1.9) system
> in the /systems/sun/sun-dist directory.
>
> Patch ID     Filename            Checksum
> 100103-11    100103-11.tar.Z     19847 6
>
> Please note that Sun Microsystems sometimes updates patch files.
> If you find that the checksum is different please contact
> Sun Microsystems or CERT for verification.
>
> 2) Uncompress the file, extract the contents of the tar archive,
> and review the README file.
>
> % uncompress 100103-11.tar.Z
> % tar xfv 100103-11.tar
> % cat README
>
> 3) This patch will reset the group ownership of certain files to
> either "staff" or "bin". Make sure you have entries in
> the "/etc/group" file for these accounts.
>
> % grep '^staff:' /etc/group
> % grep '^bin:' /etc/group
>
> If you do not have both of these you will need to either add the
> missing account(s) or modify the patch script (4.1secure.sh)
> to reflect group ownerships appropriate for your site.
> (Note that the security problems are fixed by the ownerships and
> mode bits specified in the patch - not by the group ownerships.
> Therefore, changing the group ownerships does not invalidate
> the patch.)
>
> 4) As "root", run the patch script.
>
> # sh 4.1secure.sh
>
> This patch fixes Sun BugId's 1046817, 1047044, 1048142, 1054480,
> 1037153, 1039292, and 1042662.
>
> 5) The patch script will set "/usr/kvm/crash" to mode 02700 owned
> by "root". While this is not insecure, since only "root" can run
> the program, CERT recommends that the setgid bit be removed to
> prevent abuse if world execute permission were to be added
> some time later.
>
> As "root", make "/usr/kvm/crash" not a set-group-id program.
>
> # chmod 755 /usr/kvm/crash
>
> - ---------------------------------------------------------------------------
>
> If you believe that your system has been compromised, contact the CERT
> Coordination Center or your representative in FIRST (Forum of Incident
> Response and Security Teams).
>
> Internet E-mail: cert@cert.org
> Telephone: 412-268-7090 (24-hour hotline)
> CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
> on call for emergencies during other hours.
>
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh, PA 15213-3890
>
> Past advisories, information about FIRST representatives, and other
> information related to computer security are available for anonymous FTP
> from cert.org (192.88.209.5).
>
> ------- End of forwarded message -------
>
--- End of forwarded letter
--
Send mail for the `bblisa' mailing list to `bblisa@inset.com'.
Send list subscription requests to `bblisa-request@inset.com'.
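The advisory's solution section is a procedure: confirm the "staff" and "bin" groups exist, reset ownerships and mode bits with Sun's script, and strip the setgid bit from /usr/kvm/crash. The following read-only audit is an added example, not part of the advisory, of Sun's 4.1secure.sh, or of the mailing-list post. It checks those conditions without changing anything, so a site that has made an informed choice about ownerships (as section I allows) can see what differs before deciding. The manifest format (one "path expected-octal-mode" per line), the group file path, and the sample tree it builds in a temporary directory are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Sun's 4.1secure.sh: a
# read-only POSIX sh audit for the conditions CA-93:03 describes.
# Everything below the functions is a constructed fixture in a temp dir;
# the manifest format (path, expected octal mode) is this example's own.

# group_exists NAME GROUPFILE: true if NAME has an entry in GROUPFILE.
# Step 3 of the advisory: the patch needs "staff" and "bin" to exist.
group_exists() {
    grep -q "^$1:" "$2"
}

# mode_is PATH MODE: true if PATH's permission bits (including setuid,
# setgid and sticky) are exactly MODE. A bare -perm MODE is an exact
# match in POSIX find(1); stat(1) flags differ between GNU and BSD.
mode_is() {
    find "$1" -prune -perm "$2" -print 2>/dev/null | grep -q .
}

# is_setgid PATH: true if the set-group-id bit is on (step 5).
is_setgid() {
    find "$1" -prune -perm -2000 -print 2>/dev/null | grep -q .
}

# is_world_exec PATH: true if "others" have execute permission.
is_world_exec() {
    find "$1" -prune -perm -001 -print 2>/dev/null | grep -q .
}

# audit_manifest MANIFEST: one "<path> <mode>" per line. Prints one line
# per finding and returns the number of findings (0 = clean). Nothing is
# changed; compare the findings with what the patch script would set.
audit_manifest() {
    bad=0
    while read -r p want; do
        [ -z "$p" ] && continue
        case "$p" in '#'*) continue ;; esac
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            bad=$((bad + 1))
        elif ! mode_is "$p" "$want"; then
            echo "MODE     $p (want $want)"
            bad=$((bad + 1))
        fi
        # A setgid program that others can execute is exactly the state
        # step 5 wants /usr/kvm/crash never to reach.
        if [ -e "$p" ] && is_setgid "$p" && is_world_exec "$p"; then
            echo "SETGID+X $p"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# make_fixture: constructed sample tree (no real system paths touched).
# Prints the directory; $d/manifest lists the expected modes.
make_fixture() {
    d=$(mktemp -d)
    printf 'staff:*:10:\nbin:*:3:\n' > "$d/group"
    : > "$d/crash";  chmod 2700 "$d/crash"   # as the patch leaves it
    : > "$d/sh";     chmod 755  "$d/sh"
    : > "$d/passwd"; chmod 666  "$d/passwd"  # too permissive on purpose
    printf '%s 2700\n%s 755\n%s 644\n%s 644\n' \
        "$d/crash" "$d/sh" "$d/passwd" "$d/missing" > "$d/manifest"
    echo "$d"
}

# Stand-alone run against the constructed fixture.
FIX=$(make_fixture)
for g in staff bin; do
    group_exists "$g" "$FIX/group" || echo "group $g missing from $FIX/group"
done
audit_manifest "$FIX/manifest" || echo "$? finding(s)"
```

Run as an ordinary user it only reads; a real manifest would list the paths and modes the site has decided on, and the exit status makes it usable from cron. `find -perm` with a bare octal mode is an exact comparison over all twelve bits, so an entry of 2700 for crash fails once the file becomes 2755, and the separate SETGID+X check reports the combination the advisory's step 5 is concerned with even when no exact mode is listed.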