The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / zines / a_m / ciac.b2 < prev next >

Wrap

Text File | 2003-06-11 | 4.9 KB | 213 lines

_____________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ Informational Bulletin UNIX Security Problem with Silicon Graphics Mail October 12, 1990, 0800 PST Number B-2 CIAC has been learned of a security problem with the Berkeley Mailer supplied by Silicon Graphics. The program /usr/sbin/Mail on IRIX 3.3 and later releases sets the setgid bit. This allows users to read any mail on the system, including mail to root. To determine if your system has this problem you should execute: ls -l /usr/sbin/Mail A line similar to the following should be displayed: -rwxr-sr-x 1 bin mail 172080 Jun 7 15:05 /usr/sbin/Mail Look at the permission bits. If you see, "-rwxr-sr-x" then the problem exists on your system. There are several potential solutions for this problem. Alternative 1 - Workaround Execute the following command as root: chmod 755 /usr/sbin/Mail Then after doing a ls -l you should see: -rwxr-xr-x 1 bin mail 172080 Jun 7 15:05 /usr/sbin/Mail This workaround has one known side effect. The Mail program can no longer remove the user's mail file from /usr/mail when all messages have been deleted. Instead, it leaves a zero length file. If you choose this solution, please be aware that the fixed binary will be available in the next release of IRIX (3.3.2, currently scheduled for November, 1990). Alternative 2 - Obtain and install the fixed binary A better solution is to download the fixed binary from sgi.com. Silicon Graphics has made a new executable available to fix this problem. It is available for anonymous ftp from sgi.com, or from your local Silicon Graphics sales representative. Contact the SGI hotline for more information. (The bug number is alpha bug AF19315). If you are not certain how to ftp to sgi.com and properly install the binary, use the following commands: cd /usr/sbin - The directory that Mail is in chmod 755 /usr/sbin/Mail - Remove the setgid bit mv /usr/sbin/Mail /usr/sbin/Mail.org - Rename Mail ftp 192.48.153.1 - ftp to sgi.com and get the new binary, name: anonymous - login as anonymous password: guest - password guest ftp> bin - Set binary mode ftp> cd sgi/Mail - The Mail directory ftp> get Mail - Get the new binary ftp> quit - quit ftp chmod 2755 Mail - Make sure permissions are correct chgrp mail Mail - Make sure group is correct chown bin Mail - Make sure owner is correct For additional information or assistance, please contact CIAC David Brown (415) 423-9878 or (FTS) 543-9878 FAX: (415) 423-0913 or (FTS) 543-0913 or send e-mail to: ciac@tiger.llnl.gov The assistance of Kevin E. Leininger and Matt Wicks of Fermi National Accelerator Laboratory and Chuck Athey and Ross Guant of Lawrence Livermore National Laboratory is gratefully acknowledged. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.