ufsrestore suid root not a security hole

Sean Vickery (S.Vickery@its.gu.edu.au)
Fri, 17 Nov 1995 14:45:45 +1000

On 14 November 1995, Brett Lymn wrote:
> According to Jake Luck:
> >
> >yeah, but what about /usr/sbin/ufsrestore ?
> >
> >it is statically linked, utilizes syslog, and suid root.
> >
>
> If you are a BOFH then just kill the setuid bit on ufsrestore.  It
> means that root has to do the restores but it does close an awful lot
> of holes (like someone dragging in a QIC and restoring their favourite
> version of /etc/passwd.... need I say more?).  Or you could just
> remove the global rx though this may bugger up remote root users.

Yes, /usr/sbin/ufsrestore is suid root on my Solaris 2 box.  But it is more
careful than to allow an unprivileged user to create or overwrite files just
anywhere.

    # ufsdump 0f /tmp/x.dump /etc/fs
      DUMP: Writing 32 Kilobyte records
      DUMP: Date of this level 0 dump: Fri Nov 17 14:33:04 1995
      DUMP: Date of last level 0 dump: the epoch
      DUMP: Dumping /dev/rdsk/c0t3d0s0 (chimaera:/) to /tmp/x.dump.
      DUMP: Mapping (Pass I) [regular files]
      DUMP: Mapping (Pass II) [directories]
      DUMP: Estimated 1646 blocks (823KB).
      DUMP: Dumping (Pass III) [directories]
      DUMP: Dumping (Pass IV) [regular files]
      DUMP: 1598 blocks (799KB) on 1 volume at 254 KB/sec
      DUMP: DUMP IS DONE
    # chmod 644 /tmp/x.dump
    # mkdir /tmp/y
    # ls -ld /tmp/y
    drwxr-xr-x   2 root     other         37 Nov 17 14:33 /tmp/y

    $ ufsrestore rf /tmp/x.dump
    ./lost+found: (inode 3) not found on volume
    ./usr: (inode 2688) not found on volume
    ./opt: (inode 161334) not found on volume
    Warning: ./etc: Permission denied
    ./etc/cron.d: (inode 10752) not found on volume
    Warning: ./etc/fs: No such file or directory
    Warning: ./etc/fs/hsfs: No such file or directory
    Warning: ./etc/fs/nfs: No such file or directory
    Warning: ./etc/fs/ufs: No such file or directory
    Warning: ./etc/fs/proc: No such file or directory
    [...lots of `not found on volume' as I didn't backup the whole filesystem...]
    ./ksc: (inode 46180) not found on volume
    fopen: Permission denied
    cannot create save file ./restoresymtable for symbol table
    abort? [yn] y
    dump core? [yn] n
    $ ls -l
    total 0
    $ pwd
    /tmp/y

So it appears that ufsrestore suid root is not a security hole.  Would someone
with access to Solaris 2.x source like to tell me what ufsrestore needs to be
suid root for?

And b.t.w., Brett, what does BOFH mean?

Sean.
--
Sean Vickery <S.Vickery@its.gu.edu.au>   Ph: +61 (0)7 3875 6410
Systems Programmer   Information Services   Griffith University
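
An added example, not part of the original post and not ufsrestore's source: one common way a set-uid root program ends up honouring the invoking user's permissions, which would produce the "Permission denied" results in the transcript above. That ufsrestore is implemented this way is an assumption; `drop_privileges` and `create_restored_file` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permanently give up set-uid-root privilege. Returns 0 on success, -1 if
 * the drop failed or could be undone; callers must treat -1 as fatal. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: after the UID drop we may no longer change GIDs. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* A non-root invoker must not be able to get root back. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Hypothetical helper: create one restored file with the invoker's rights.
 * O_CREAT|O_EXCL refuses to overwrite an existing file and does not follow
 * a symlink at the final path component. Returns an fd, or -1 with errno
 * set (EACCES when the invoker cannot write the directory, as with /tmp/y
 * in the transcript). */
int create_restored_file(const char *path)
{
    if (geteuid() != getuid()) {      /* refuse to run before the drop */
        errno = EPERM;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

int main(int argc, char **argv)
{
    if (argc != 2 || drop_privileges() != 0)
        return EXIT_FAILURE;
    int fd = create_restored_file(argv[1]);
    if (fd < 0) {
        perror(argv[1]);              /* e.g. "Permission denied" */
        return EXIT_FAILURE;
    }
    return close(fd) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The order matters: any work that needs root has to finish before `drop_privileges()`, and every file operation on user-supplied paths has to come after it.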