-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Erik-Jan Bos)                      Index  :    S-93-05
Distribution  : SURFnet constituency                        Page   :          1
Classification: External                                    Version:      Final
Subject       : SunOS File/Directory Permissions            Date   :  05-Feb-93
===============================================================================

The default permissions on a number of files and directories in SunOS
4.1, 4.1.1, 4.1.2, and 4.1.3 are set incorrectly.  These problems are
relevant for the sun3, sun3x, sun4, sun4c, and sun4m architectures.
They have been fixed in SunOS 5.0.  (Note that SunOS 5.0 is the operating
system included in the Solaris 2.0 software distribution.)

An updated patch to reset these permissions is available from Sun.
CERT-NL has received information that an increasing number of attackers
exploit these problems on systems and we encourage sites to consider
installing this patch.

Please note that this patch was also mentioned in CERT-NL Security
Advisory S-92-20 under item A. Sites that applied this patch after
reading S-92-20 are advised to recheck their systems, since new OS
installation may have undone this patch.

- -----------------------------------------------------------------------------

I.   Description

     File permissions on numerous files were set incorrectly in the
     distribution tape of 4.1.x.  A typical example is that a file which
     should have been owned by "root" was set to be owned by "bin".

     Not all sites will need or want to install the patch for this problem.
     The decision of what user id should own most system files and
     directories depends on the administrative practices of the site.
     It is quite reasonable to run a system where the majority
     of files are owned by "bin" as long as the entire system is run in
     a manner consistent with that practice.  As distributed, the SunOS
     configuration expects most system files to be owned by "root".
     The fact that some are not creates security problems.

     Therefore, sites that are running the SunOS versions listed above
     as distributed should install the patch described below.
     Sites that have made an informed choice to configure their system
     differently may instead want to review the patch script and
     consider which, if any, of the changes should be made on their system.

II.  Impact

     Depending on the specific configuration of the local site,
     the default permissions may allow local users to gain "root" access.

III. Solution

     1) Sun has provided a script to reset file and directory permissions
        to their correct values.  The script is available in Sun's
	Patch #100103 version 11.  This patch can be obtained via
	local Sun Answer Centers worldwide as well as through
	anonymous FTP from ftp.nic.surfnet.nl [192.87.46.2] system
	in the netman/cert-nl/sun-fixes directory.

              Patch ID     Filename             Checksum
              100103-11    100103-11.tar.Z      19847   6

        Please note that Sun Microsystems sometimes updates patch files.
        If you find that the checksum is different please contact
        Sun Microsystems or CERT-NL for verification.

     2) Uncompress the file, extract the contents of the tar archive,
        and review the README file.

             % uncompress 100103-11.tar.Z
             % tar xfv 100103-11.tar
             % cat README

     3) This patch will reset the group ownership of certain files to
        either "staff" or "bin".  Make sure you have entries in
        the "/etc/group" file for these accounts.

             % grep '^staff:' /etc/group
             % grep '^bin:' /etc/group
        
        If you do not have both of these you will need to either add the
        missing account(s) or modify the patch script (4.1secure.sh)
        to reflect group ownerships appropriate for your site.
        (Note that the security problems are fixed by the ownerships and
        mode bits specified in the patch - not by the group ownerships.
        Therefore, changing the group ownerships does not invalidate
        the patch.)

     4) As "root", run the patch script.

              # sh 4.1secure.sh

        This patch fixes Sun BugId's 1046817, 1047044, 1048142, 1054480,
	1037153, 1039292, and 1042662.

     5) The patch script will set "/usr/kvm/crash" to mode 02700 owned
        by "root".  While this is not insecure, since only "root" can run
	the program, CERT recommends that the setgid bit be removed to
	prevent abuse if world execute permission were to be added
	some time later.
	
	As "root", make "/usr/kvm/crash" not a set-group-id program.

             # chmod 755 /usr/kvm/crash


==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WATSYjBqwfc9jEQLleACfS94gvvqB4qpJVx63X1oXRCgol68AoKRM
NsxqRKu0UrgIoXTmbh9bcNAW
=eDiw
-----END PGP SIGNATURE-----