b-17.ciac-unicos-security

Posted Sep 23, 1999

MD5 | 6981920915356eb9da4a7349bcfd3234

FOR OFFICIAL DEPARTMENT OF ENERGY USE ONLY
_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
Information Bulletin

Increasing Security on Your UNICOS System

March 5, 1100 PST Number B-17

Critical UNICOS Information
________________________________________________________________________
PROBLEM: Some UNICOS systems have not installed all patches that may
have security implications
PLATFORM: Many versions of the Cray UNICOS operating system
DAMAGE: Possibility that some UNICOS systems are not operating as
securely as possible
SOLUTIONS: Install UNICOS patches that apply to your version of UNICOS
_______________________________________________________________________


CIAC has been working with Cray Research Corporation as well as Cray
users in the DOE community to determine which basic set of UNICOS
patches provides a baseline level of security in UNICOS systems. The
patches described below have been identified as important in assuring
that this baseline level has been met. Some of these patches have been
the subject of Cray alert bulletins (Cray Field Alerts), each of which
(if applicable) will be referenced as each patch is identified. You
may contact Cray for additional information in obtaining, installing,
and assuring that these patches have been installed on your UNICOS
system.

The mods listed below are Cray binary files available to correct each
described problem. These mods are available on the crayamid system.
Each UNICOS mod has a unique identification (for example, Cray mod
d15567cmda) and is appropriate to specific versions of the UNICOS
operating system. Unless otherwise stated, the mod will apply to the
entire family of Cray hardware, including Cray-1, X-MP, Y-MP, and
Cray-2.

1. Cray mod d15567cmda, UNICOS version 5.0/5.1

Modifies the command /bin/du. Alternatively, removing the SETUID bit
from the /bin/du command by executing the following command as root
will effectively replace the need for the above mod:

chmod 0755 /bin/du
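
An added example, not part of the CIAC bulletin or Cray's material: a shell check that reports whether a file carries the SETUID or SETGID bit, applies the chmod 0755 workaround from item 1 only when needed, and verifies the result. The function names are hypothetical, and a POSIX sh is assumed.

```shell
#!/bin/sh
# Added example (assumption: POSIX sh; function names are hypothetical).
# /bin/du and mode 0755 are the values given in item 1 of the bulletin.

# Print "setuid", "setgid", "setuid+setgid" or "clean" for a regular file.
# Returns 2 and prints "missing" if the path is not a regular file.
special_bits() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 2; }
    if [ -u "$f" ] && [ -g "$f" ]; then echo "setuid+setgid"
    elif [ -u "$f" ]; then echo "setuid"
    elif [ -g "$f" ]; then echo "setgid"
    else echo "clean"
    fi
}

# Apply the workaround (chmod 0755) only when a special bit is present,
# then re-check. Returns 0 if the file ends up clean, 1 if a bit remains,
# 2 if the file is missing.
apply_workaround() {
    f=$1
    state=$(special_bits "$f") || return 2
    case $state in
        clean) echo "$f: already clean, nothing to do"; return 0 ;;
    esac
    chmod 0755 "$f" || return 1
    if [ -u "$f" ] || [ -g "$f" ]; then
        echo "$f: special bit still set after chmod"
        return 1
    fi
    echo "$f: was $state, now mode 0755"
}

# Report-only pass over any paths given on the command line,
# e.g.  sh check_bits.sh /bin/du
if [ $# -gt 0 ]; then
    for p in "$@"; do
        echo "$p: $(special_bits "$p")"
    done
fi
```

Run with a path to get a report only; `apply_workaround` changes the mode and must be called explicitly as root.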

2. Cray mod d18028, UNICOS version 5.0/5.1

Modifies the command /etc/nu. This mod has been integrated in the
baseline operating system for Cray-1/XMP/YMP at version 5.1.8d and
version 5.1.8 for Cray-2. For more details, see Cray Field Alert #93.

3. Cray mod e13159utsa, UNICOS version 4.0, 4.EA, 5.0

This patch was the subject of Cray Field Alert #72. The patch modifies
the read/write and reada/writea system calls. A copy of the mod may be
found on the crayamid system under
/u/mods/unicos_x/5.0/uts/e13159utsa.

4. Limited buffer space in the kernel for some entries.

This problem has been corrected with the following mods. CIAC
recommends that you install any mods that apply to your system.

UNICOS 5.1:   XMP            d19646utsa
              Cray-2         d19647inca
              XMP, Cray-2    d19648tcpa
UNICOS 6.0:   XMP            60uts07182a
              XMP            60uts07187a
              XMP, Cray-2    60uts07186a
              Cray-2         60uts07184a
UNICOS 6.1:   XMP            61uts07182a
              XMP            61uts07187a
              XMP, Cray-2    61uts07186a
              Cray-2         61uts07184a

CIAC recommends that you install any mods (listed above) appropriate to
your UNICOS system. In addition, you should upgrade your version of
UNICOS to the most recent available, since many improvements to the
security of your system have been integrated into the most recent base
operating system.

For additional information or assistance, please contact CIAC:

Tom Longstaff
(415) 423-4416 or (FTS) 543-4416, or

Eugene Schultz
(415) 422-7781 or (FTS) 532-7781

Call CIAC at (415) 422-8193 or (FTS) 532-8193 or send
e-mail to ciac@cheetah.llnl.gov

Send FAX messages to: (415) 423-0913 or (FTS) 543-0913

Karis Forster and Chuck Athey provided information contained in this
bulletin. Neither the United States Government nor the University of
California nor any of their employees, makes any warranty, expressed
or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer,
or otherwise, does not necessarily constitute or imply its
endorsement, recommendation, or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of
the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
