Historical Documents Authorized Users of "CERT" Vulnerability Notes Database Vulnerability Disclosure Policy Courses

CERT^® Advisory CA-1993-03 SunOS File/Directory Permissions

Original issue date: February 3, 1993
Last revised: September 19, 1997
Attached copyright statement

A complete revision history is at the end of this file.

The default permissions on a number of files and directories in SunOS 4.1, 4.1.1, 4.1.2, and 4.1.3 are set incorrectly. These problems are relevant for the sun3, sun3x, sun4, sun4c, and sun4m architectures. They have been fixed in SunOS 5.0. (Note that SunOS 5.0 is the operating system included in the Solaris 2.0 software distribution.)

An updated patch to reset these permissions is available from Sun. CERT has seen an increasing number of attackers exploit these problems on systems and we encourage sites to consider installing this patch.

I. Description

File permissions on numerous files were set incorrectly in the distribution tape of 4.1.x. A typical example is that a file which should have been owned by "root" was set to be owned by "bin".

Not all sites will need or want to install the patch for this problem. The decision of what user id should own most system files and directories depends on the administrative practices of the site. It is quite reasonable to run a system where the majority of files are owned by "bin" as long as the entire system is run in a manner consistent with that practice. As distributed, the SunOS configuration expects most system files to be owned by "root". The fact that some are not creates security problems.

Therefore, sites that are running the SunOS versions listed above as distributed should install the patch described below. Sites that have made an informed choice to configure their system differently may instead want to review the patch script and consider which, if any, of the changes should be made on their system.

II. Impact

Depending on the specific configuration of the local site, the default permissions may allow local users to gain "root" access.

III. Solution

Sun has provided a script to reset file and directory permissions to their correct values. The script is available in Sun's Patch #100103 version 11. This patch can be obtained via local Sun Answer Centers worldwide as well as through anonymous FTP from the ftp.uu.net (137.39.1.9) system in the /systems/sun/sun-dist directory.
```
     Patch ID     Filename             Checksum
     100103-11    100103-11.tar.Z      19847   6
```
Please note that Sun Microsystems sometimes updates patch files. If you find that the checksum is different please contact Sun Microsystems or CERT for verification.
Uncompress the file, extract the contents of the tar archive, and review the README file.
```
     % uncompress 100103-11.tar.Z
     % tar xfv 100103-11.tar
     % cat README
```
This patch will reset the group ownership of certain files to either "staff" or "bin". Make sure you have entries in the "/etc/group" file for these accounts.
```
     % grep '^staff:' /etc/group
     % grep '^bin:' /etc/group
```
If you do not have both of these you will need to either add the missing account(s) or modify the patch script (4.1secure.sh) to reflect group ownerships appropriate for your site. (Note that the security problems are fixed by the ownerships and mode bits specified in the patch - not by the group ownerships. Therefore, changing the group ownerships does not invalidate the patch.)
As "root", run the patch script.
```
     # sh 4.1secure.sh
```
This patch fixes Sun BugId's 1046817, 1047044, 1048142, 1054480, 1037153, 1039292, and 1042662.
The patch script will set "/usr/kvm/crash" to mode 02700 owned by "root". While this is not insecure, since only "root" can run the program, CERT recommends that the setgid bit be removed to prevent abuse if world execute permission were to be added some time later.
As "root", make "/usr/kvm/crash" not a set-group-id program.
```
     # chmod 755 /usr/kvm/crash
```

This document is available from: http://www.cert.org/advisories/CA-1993-03.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Revision History

September 19,1997  Attached Copyright Statement