Re: finger-bombing, abuse timeout
jsz (jsz@ramon.bgu.ac.il)
Sat, 15 Oct 94 14:38:41 IST
>
> > ObBug: The shell escape from 'crash' on SunOS... file descriptors are
> > left open to /dev/kmem and /dev/mem, among other things.
> >
> > % crash
> > dumpfile = /dev/mem, ....
> > > !/bin/sh
> > % strings <&9 >/tmp/out &
> > % id
> > .... egid=2(kmem) ....
> >
> > Ooops. I understated the problem.
>
> Yeh. Regarding fixes, I checked - the shell script available from Sun
> as a patch to fix the FCS permissions does fix the permissions on crash
> so only root can run it. I checked my machine, and it was not world
> executable (or anything). I had run that fixit script some time ago.
> It is DEFINITELY a good thing to run, and then you can follow up and
> fix stuff like newsyslog (which it doesn't fix). The thing is designed
> so one can add any files to a list built in, with fields for perms,
> type, owner, group, the whole thing. In fact, I have been playing
> catch-up and any file I alter the perms on to lock things down, I add
> to the thing, so on a new install, I only need to run it. There is a
> BUNCH of stuff owned by bin (/etc, /dev, most of the system subdirs) that
> are changed to root by the script - a must do on a box that exports stuff
> via NFS.
>
Same problem (with both crash(1) and improperly set permissions) exists in
Solaris 1.1.1 through 5.4, but weirdly 100103-12 patch (script to change file
permissions to a more secure mode) seems to be integrated into 4.1.3_U1
(Solaris 1.1.1), and is NOT listed in a list of "security patches" that
I have obtained from sunsolve a week ago. I found a rather cute script
to change file permissions for Solaris 2.2 & 2.3 by Casper Dik, ftpable
from ftp.fwi.uva.nl:/pub/solaris, I think it can be used for Solaris 2.4
as well, since the permissions are not fixed in 2.4 release either.
Regards
---