Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2000-01

Bugtraq Archives: Solaris 7 and solaris 8 file permissions

Solaris 7 and solaris 8 file permissions

Subject: Solaris 7 and solaris 8 file permissions
From: Steve Dispensa (dispensaMAVERICK.MWIS.NET)
Date: Sat Jan 22 2000 - 13:52:21 CST

Next message: what's your style?: "remote root qmail-pop with vpopmail advisory and exploit with patch"
Previous message: Maniac .: "Re: FW: Security Vulnerability with SMS 2.0 Remote Control"
Next in thread: Casper Dik: "Re: Solaris 7 and solaris 8 file permissions"
Reply: Casper Dik: "Re: Solaris 7 and solaris 8 file permissions"
Reply: Jonathan [no, I don't write for /.] Katz: "Re: Solaris 7 and solaris 8 file permissions"
Reply: Darren Moffat - Solaris Sustaining Engineering: "Re: Solaris 7 and solaris 8 file permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Problem:

SOLARIS 7:

pa:/var/adm$ ls -ld spellhist
-rw-rw-rw- 1 bin bin 0 Dec 15 07:28 spellhist
pa:/var/adm$ ls -ld vold.log
-rw-rw-rw- 1 root root 3063 Jan 22 00:48 vold.log
pa:/var/adm$ uname -a
SunOS pa.hick.org 5.7 Generic sun4m sparc SUNW,SPARCstation-5
pa:/var/adm$ echo "Hmmm, neat, that's nice of SUN to let me write to these
files in /var/adm." >> spellhist
pa:/var/adm$ echo "Let's get rid of the vold.log, shall we?" > vold.log
pa:/var/adm$ cat spellhist
Hmmm, neat, that's nice of SUN to let me write to these files in /var/adm.
pa:/var/adm$ cat vold.log
Let's get rid of the vold.log, shall we?
pa:/var/adm$ id
uid=100(mmiller) gid=10(staff)
pa:/var/adm$

SOLARIS 8:

viper:/var/adm$ ls -ld spellhist
-rw-rw-rw- 1 root bin 0 Jan 12 16:38 spellhist
viper:/var/adm$ id
uid=1003(mmiller) gid=10(staff)
viper:/var/adm$ uname -a
SunOS viper 5.8 Beta_Refresh i86pc i386 i86pc
viper:/var/adm$

Summary:

There are dangerous write permissions on logging files in Solaris 7 and
Solaris 8. In Solaris 8, the issue with vold.log has been
corrected. The spellhist file, however, still uses the same permissions as
Solaris 7 did. Granted this issue wont result in a root
compromise it does allow for users to fill up the /var partition without
having root access.

(Yes, I know /var/tmp exists and would allow for the same thing.)

Solution:

Have SUN distributed Solaris 8 with the permissions fixed on the spellhist
file or rely on the administrators of the systems to fix the permissions
themselves.

Matt Miller
Afro Productions Cherry Blue Team
mmillerexpire.net
http://www.afro-productions.com
by way of Steve Dispensa

Next message: what's your style?: "remote root qmail-pop with vpopmail advisory and exploit with patch"
Previous message: Maniac .: "Re: FW: Security Vulnerability with SMS 2.0 Remote Control"
Next in thread: Casper Dik: "Re: Solaris 7 and solaris 8 file permissions"
Reply: Casper Dik: "Re: Solaris 7 and solaris 8 file permissions"
Reply: Jonathan [no, I don't write for /.] Katz: "Re: Solaris 7 and solaris 8 file permissions"
Reply: Darren Moffat - Solaris Sustaining Engineering: "Re: Solaris 7 and solaris 8 file permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b27 : Sun Jan 23 2000 - 15:36:18 CST