Seeing that snap uses the /tmp/ibmsupt/general directory. I created the directory as a normal user first on AIX 4.2.1. Then I did a touch on /tmp/ibmsupt/general/passwd. Once the passwd file was created I then did tail -f /tmp/ibmsupt/general/passwd. In another session I logged in as root and ran snap -a. This caused the contents of the /etc/security/passwd to show up in my tail command. The way I see it, this could be a major security breach. I suggest not using snap. -----Original Message----- From: Brian Hauber [SMTP:hauberat_private] Sent: Friday, February 19, 1999 5:51 PM To: BUGTRAQat_private Subject: Re: snap utility for AIX. On Wed, Feb 17, 1999 at 10:17:08AM -0500, Larry W. Cashdollar wrote: > My friend actually brought this to my attention, the snap command is a > diagnostic utlitiy for gathering system information on AIX platforms. > It can only be executed by root, but it copies various system files into > /tmp/ibmsupt/ > under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext. > The danger here is if a system administrator executes snap -a as sometimes > requested by IBM support while diagnosing a problem it defeats password > shadowing. I would think that snap would create the directory 700 > root:root. Yes, /tmp/ibmsupt is created with 755 permissions however what you neglected to check was the permissions on /tmp/ibmsupt/general/passwd I took the liberty of running 'snap -a' on our systems here at varying levels and here are the results: ------------------------------------------------------------------------------- 3.2.5.1 with 3.2.5.1-02 Maintenance Level # ls -ld /tmp/ibmsupt drwxr-xr-x 17 root system 512 Feb 18 02:08 /tmp/ibmsupt/ HOWEVER # ls -ld /tmp/ibmsupt/general/passwd -rw------- 1 root security 1585 Feb 9 05:45 /tmp/ibmsupt/general/passwd ------------------------------------------------------------------------------- 4.1.5 BASE # ls -ld /tmp/ibmsupt drwxr-xr-x 15 root system 512 Feb 18 14:05 /tmp/ibmsupt/ HOWEVER # ls -ld /tmp/ibmsupt/general/passwd -rw------- 1 root security 645 Feb 15 15:22 /tmp/ibmsupt/general/passwd ------------------------------------------------------------------------------- 4.1.5 with 4.1.5-01 Maintenance Level # ls -ld /tmp/ibmsupt drwxr-xr-x 15 root system 512 Feb 18 14:05 /tmp/ibmsupt/ HOWEVER # ls -ld /tmp/ibmsupt/general/passwd -rw------- 1 root system 2183 Feb 18 10:09 /tmp/ibmsupt/general/passwd -------------------------------------------------------------------------------- 4.2.1 BASE # ls -ld /tmp/ibmsupt drwxr-xr-x 15 root system 512 Feb 18 14:05 /tmp/ibmsupt/ HOWEVER # ls -ld /tmp/ibmsupt/general/passwd -rw------- 1 root security 645 Feb 15 15:22 /tmp/ibmsupt/general/passwd -------------------------------------------------------------------------------- 4.2.1 with 4.2.1-03 Maintenance Level # ls -ld /tmp/ibmsupt drwxr-xr-x 15 root system 512 Feb 18 14:05 /tmp/ibmsupt/ HOWEVER # ls -ld /tmp/ibmsupt/general/passwd -rw------- 1 root security 645 Feb 15 15:22 /tmp/ibmsupt/general/passwd -------------------------------------------------------------------------------- 4.3.1 BASE # ls -ld /tmp/ibmsupt drwxr-xr-x 18 root system 512 Feb 18 12:03 /tmp/ibmsupt/ HOWEVER # ls -ld /tmp/ibmsupt/general/passwd -rw------- 1 root security 1210 Feb 18 10:55 /tmp/ibmsupt/general/passwd -------------------------------------------------------------------------------- 4.3.2 BASE # ls -ld /tmp/ibmsupt drwx------ 18 root system 512 Feb 18 14:02 /tmp/ibmsupt/ -------------------------------------------------------------------------------- This "problem" seems to have been fixed at 4.3.2. -- Brian Hauber | AIX Support Line | E-mail: hauberat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:09 PDT