Problem:

SOLARIS 7:

pa:/var/adm$ ls -ld spellhist
-rw-rw-rw- 1 bin bin 0 Dec 15 07:28 spellhist
pa:/var/adm$ ls -ld vold.log
-rw-rw-rw- 1 root root 3063 Jan 22 00:48 vold.log
pa:/var/adm$ uname -a
SunOS pa.hick.org 5.7 Generic sun4m sparc SUNW,SPARCstation-5
pa:/var/adm$ echo "Hmmm, neat, that's nice of SUN to let me write to these files in /var/adm." >> spellhist
pa:/var/adm$ echo "Let's get rid of the vold.log, shall we?" > vold.log
pa:/var/adm$ cat spellhist
Hmmm, neat, that's nice of SUN to let me write to these files in /var/adm.
pa:/var/adm$ cat vold.log
Let's get rid of the vold.log, shall we?
pa:/var/adm$ id
uid=100(mmiller) gid=10(staff)
pa:/var/adm$

SOLARIS 8:

viper:/var/adm$ ls -ld spellhist
-rw-rw-rw- 1 root bin 0 Jan 12 16:38 spellhist
viper:/var/adm$ id
uid=1003(mmiller) gid=10(staff)
viper:/var/adm$ uname -a
SunOS viper 5.8 Beta_Refresh i86pc i386 i86pc
viper:/var/adm$

Summary:

There are dangerous write permissions on logging files in Solaris 7 and Solaris 8. In Solaris 8, the issue with vold.log has been corrected. The spellhist file, however, still uses the same permissions as Solaris 7 did. Granted this issue won't result in a root compromise, it does allow for users to fill up the /var partition without having root access. (Yes, I know /var/tmp exists and would allow for the same thing.)

Solution:

Have SUN distribute Solaris 8 with the permissions fixed on the spellhist file or rely on the administrators of the systems to fix the permissions themselves.

Matt Miller
Afro Productions
Cherry Blue Team
mmillerat_private
http://www.afro-productions.com

by way of Steve Dispensa
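
An added example, not part of the original post: a POSIX shell audit for the condition reported above. It lists regular files under a log directory that have the other-write bit set and, on request, clears only that bit. The function names and the --fix argument are hypothetical; the directory (for example /var/adm) is supplied by the administrator.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# list_world_writable DIR
# Print, one per line, every regular file under DIR whose mode has the
# other-write bit (0002) set, e.g. -rw-rw-rw- as shown for spellhist.
list_world_writable() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # "-perm -0002" matches when at least that bit is set; "-type f"
    # skips directories and does not follow symbolic links.
    find "$1" -type f -perm -0002 -print | sort
}

# fix_world_writable DIR
# Clear only the other-write bit on those files. Owner and group bits,
# and ownership, are left as found (666 becomes 664).
fix_world_writable() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type f -perm -0002 -exec chmod o-w {} \;
}

# Usage: script DIR [--fix]. Does nothing when called without arguments.
if [ "$#" -gt 0 ]; then
    list_world_writable "$1"
    if [ "${2:-}" = "--fix" ]; then
        fix_world_writable "$1"
    fi
fi
```

Run the listing first and review it before using --fix, since a service may rely on group write access that this change deliberately leaves in place.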