Re: Solaris 7 and solaris 8 file permissions
Subject: Re: Solaris 7 and solaris 8 file permissions
From: Casper Dik (casper HOLLAND.SUN.COM)
Date: Mon Jan 24 2000 - 03:06:57 CST
>pa:/var/adm$ ls -ld spellhist
>-rw-rw-rw- 1 bin bin 0 Dec 15 07:28 spellhist
The purpose of the spellhist file is to record all misspellings by all
users. This file is supposed to be worldwritable.
"chmod 644 /var/adm/spellhist" will cause this:
spell
tee: /var/adm/spellhist: Permission denied
Of course, this feature of spell is highly questionable ($HOME/.spellhist
would appear to be more reasonable).
>pa:/var/adm$ ls -ld vold.log
>-rw-rw-rw- 1 root root 3063 Jan 22 00:48 vold.log
The default umask of 0 causes this; in Solaris 8 the default umask is 022.
>
>There are dangerous write permissions on logging files in Solaris 7 and
>Solaris 8. In Solaris 8, the issue with vold.log has been
>corrected. The spellhist file, however, still uses the same permissions as
>Solaris 7 did. Granted this issue won't result in a root
>compromise it does allow for users to fill up the /var partition without
>having root access.
>
>(Yes, I know /var/tmp exists and would allow for the same thing.)
>
>Solution:
>
>Have SUN distributed Solaris 8 with the permissions fixed on the spellhist
>file or rely on the administrators of the systems to fix the permissions
>themselves.
Since /var/tmp, /var/mail and other files are writable in /var, it's always
possible to overflow /var. (Atjobs probably have no size limit either).
Casper
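
Added example, not part of the original message: a small POSIX shell audit for the two points discussed in this thread, world-writable files under a log directory and the effect of the creating process's umask (0 versus 022) on a new log file's mode. The function names `audit_world_writable` and `mode_under_umask` are hypothetical, and the default directory is taken from the listing quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# List regular files under a directory that carry the "other write" bit,
# the condition shown for spellhist and vold.log in the quoted listing.
audit_world_writable() {
    dir=${1:-/var/adm}
    # -perm -0002 matches when at least the world-write bit is set
    find "$dir" -type f -perm -0002 -print 2>/dev/null
}

# Create an empty file under the given umask and print its mode string.
# A redirect asks for mode 0666, which the umask then masks, so this
# reproduces how a daemon started with umask 0 ends up with a
# world-writable log while umask 022 yields 0644.
mode_under_umask() {
    um=$1
    tmpd=$(mktemp -d) || return 1
    ( umask "$um"; : > "$tmpd/demo.log" )
    # Keep only the ten mode characters; some ls versions append . or +
    ls -l "$tmpd/demo.log" | awk '{ print substr($1, 1, 10) }'
    rm -rf "$tmpd"
}

# Demonstration on constructed files only; nothing under /var is touched.
echo "umask 0   -> $(mode_under_umask 0)"
echo "umask 022 -> $(mode_under_umask 022)"
```

Running `audit_world_writable /var/adm` on a host lists the files an administrator would then review individually, since some, like spellhist, are world-writable by design.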