b-25.ciac-next-config-problems
Posted Sep 23, 1999

SHA-256 | 5efcb04f8131a2182728cff789cbf36df2108d285b81b227c950a7d815388b67
_____________________________________________________
The Computer Incident Advisory Capability
CIAC
_____________________________________________________
Information Bulletin

May 15, 1991, 1500 PDT Number B-25

Configuration Problems in the NeXT Operating System

_______________________________________________________________________
PROBLEM: Three separate configuration problems exist in the NeXT
operating system.
PLATFORM: NeXT computers using all NeXT Software Releases through and
including Release 2.1.
DAMAGE: May allow unauthorized or unintended access to system resources.
SOLUTIONS: Implement enclosed configuration modifications described below
if warranted by the needs of your operational environment.
______________________________________________________________________

CIAC has been informed of three separate configuration problems in the
NeXT operating system that can affect the security of these systems:

1. rexd(8C), the remote program execution daemon, is enabled by default.

The NeXT remote program execution daemon, rexd(8C), allows remote users
to execute processes on a NeXT computer. It is enabled by default.
The rexd server provides only minimal authentication and is often not
enabled by sites concerned about security. No software provided by
NeXT is known to use rexd. Therefore, unless you currently use the
rexd facility, CIAC recommends that you comment out the line in the
Internet services daemon's configuration file (note 1). To do this,
log in to your NeXT computer as the root user. You should see
a system prompt that ends in the character "#". Edit the file
/etc/inetd.conf and locate the line:

    rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rpc.rexd

Then, insert a "#" character before rexd/1 to change the line to the
following:

    #rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rpc.rexd

Save this file and return to the root system prompt. Then either reboot
your system (note 2) or instruct inetd to use the updated /etc/inetd.conf
by entering the following command:

    kill -HUP <inetd_pid>

where <inetd_pid> is the process identifier for inetd that can be found
by entering the command:

    ps -aux | grep inetd | grep -v grep

The number displayed in the second column is your <inetd_pid>.

2. The NeXT supplied username "me" is a member of the "wheel" group.

A user who logs into a NeXT computer using the username "me"
can use the su(8) command to become the root user. Although the user
must still enter the root password, CIAC believes that you should be
aware of this default configuration because "me" is the only user
account (besides "root") supplied with a NeXT computer. (The "me" and
"root" accounts are also supplied without passwords. Please ensure
that you properly password these accounts after your initial bootup.)
To remove this potential problem, edit the /etc/group file as the root
user to remove "me" from the "wheel" group. Change the line:

    wheel:*:0:root,me

to

    wheel:*:0:root

and save your changes. You will need to reboot your NeXT computer
because this file is only read during system bootstrap.

3. The "wheel" group has write permission on /private/etc.

Default permissions on the /private/etc directory allow all
members of the group "wheel" to remove and add files to that
directory, although this does not constitute a serious problem. To
remove group write permission from /private/etc, enter the following
command as root:

    chmod g-w /private/etc
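
The three settings above can be checked with a read-only audit before and
after making the changes. The following is an added example, not part of the
original CIAC bulletin or of NeXT software; the function names and the sample
tree are constructed for illustration, and the demo runs on copies of the
files rather than on the live /etc.

```shell
# Added example (not from CIAC or NeXT): audit the bulletin's three settings.

# Succeeds if inetd.conf ($1) has an uncommented rexd service entry.
rexd_enabled() {
    grep -Eq '^[[:space:]]*rexd(/[0-9]+)?[[:space:]]' "$1"
}

# Succeeds if user $3 is an exact member of group $2 in group file $1.
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# Succeeds if directory $1 has the group write bit set (6th char of the mode).
group_writable() {
    case "$(ls -ld "$1")" in ?????w*) return 0 ;; esac
    return 1
}

# audit INETD_CONF GROUP_FILE ETC_DIR: prints findings, returns their count.
audit() {
    findings=0
    if rexd_enabled "$1"; then
        echo "FINDING: rexd is enabled in $1"; findings=$((findings + 1))
    fi
    if in_group "$2" wheel me; then
        echo "FINDING: \"me\" is in group wheel in $2"; findings=$((findings + 1))
    fi
    if group_writable "$3"; then
        echo "FINDING: $3 is group-writable"; findings=$((findings + 1))
    fi
    return "$findings"
}

# make_sample DIR: constructed copies of the shipped defaults described above.
make_sample() {
    mkdir -p "$1/etc"
    echo 'rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rpc.rexd' > "$1/inetd.conf"
    echo 'wheel:*:0:root,me' > "$1/group"
    chmod g+w "$1/etc"
}

# Demo on a throwaway tree: defaults first, then after the bulletin's edits.
demo=$(mktemp -d) && make_sample "$demo"
audit "$demo/inetd.conf" "$demo/group" "$demo/etc" || echo "findings: $?"
echo '#rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rpc.rexd' > "$demo/inetd.conf"
echo 'wheel:*:0:root' > "$demo/group"; chmod g-w "$demo/etc"
audit "$demo/inetd.conf" "$demo/group" "$demo/etc" && echo "findings: 0"; rm -rf "$demo"
```

On a real system the call would be audit /etc/inetd.conf /etc/group /private/etc,
run as a user able to read those files.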

_____
1 This modification is unnecessary in releases earlier than 2.0
because the program invoked by inetd via this configuration file
(/usr/etc/rpc.rexd or /usr/etc/rexd) is not preloaded on versions
earlier than 2.0 (exception--Version 0.9--please call us for more
information about this version). You may, however, nevertheless
want to make this modification to assure yourself or other system
managers that rexd is disabled.

2 Changes specified in the next section of this bulletin also
require a reboot. Therefore, if you intend to implement these
additional modifications as well, you need to reboot only once after
all changes are applied.


For additional information or assistance, please contact CIAC:

Kenneth L. Pon
(415) 422-1783 or (FTS) 532-1783
pon@cheetah.llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS)
532-8193 or send e-mail to ciac@cheetah.llnl.gov.

Send FAX messages to: (415) 423-0913 or (FTS) 543-0913.

The Computer Emergency Response Team/Coordination Center (CERT/CC) and
Alan Marcum provided some of the information contained in this
bulletin. This document was prepared as an account of work sponsored
by an agency of the United States Government. Neither the United States
Government nor the University of California nor any of their employees,
makes any warranty, express or implied, or assumes any legal liability
or responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product
endorsement purposes.
