Description
This article is from the Security Patches FAQ, by Christopher Klaus cklaus@iss.net with numerous contributions by
others.
2 - SGI (Security Patches)
ftp.sgi.com and sgigate.sgi.com have a "/security" directory.
{3.3,4.0,5.0} including sendmail and lpr. lpr allowed anyone to get root
access.
Patch65 and patch34 correct a vulnerability in the SGI help system which enabled
users to gain root privileges.
                Standard       System V       MD5
                Unix           Unix           Digital Signature
patch34.tar.Z:  11066 15627    1674 31253     2859d0debff715c5beaccd02b6bebded
patch65.tar:    63059 1220     15843 2440     af8c120f86daab9df74998b31927e397
Check for the Following: Default accounts with no passwords: 4DGifts, lp,
nuucp, demos, tutor, guest, tour
To Disable IP_Forwarding on SGI:
edit /usr/sysgen/master.d
change int ipforwarding = 1 to 0;
then recompile kernel by autoconfig -f; for IRIX 4.0.5
Remove suid from /usr/sbin/colorview
Remove suid from /usr/lib/vadmin/serial_ports on Irix 4.X
Remove suid from /usr/lib/desktop/permissions
Remove suid from /usr/bin/under
/usr/etc/arp is setgid sys in IRIX up to and including 5.2, allowing anyone
who can log into your machine to read files which should be readable only by
group 'sys'.
Remove suid from /usr/sbin/cdinstmgr
Remove suid from /etc/init.d/audio
chmod g-w /usr/bin/newgrp
/usr/sbin/printers has a bug in IRIX 5.2 (and possibly earlier 5.x versions)
which allows any user to become root.
/usr/sbin/sgihelp has a bug in IRIX 5.2 (and possibly earlier 5.x versions)
which allows any user to become root. This is so bad that the patch is
FTPable from ftp.sgi.com:/security/, and SGI is preparing a CD containing
only that patch.
The version of inst which comes with patch 34, which is required for
installation of all other patches (even those with lower numbers) saves old
versions of binaries in /var/inst/patchbase. It does not remove execution or
setuid permissions.
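
The file-permission items listed above, gathered into one read-only audit script. This is an added example, not part of the original FAQ; the optional prefix argument and the output labels are assumptions made for illustration, while the paths are the ones the FAQ names.

```shell
#!/bin/sh
# Added example: read-only audit of the permission items this FAQ lists.
# The optional prefix argument is hypothetical; it lets the check run
# against a mounted image or a test tree instead of the live system.

SUID_PATHS="/usr/sbin/colorview /usr/lib/vadmin/serial_ports
/usr/lib/desktop/permissions /usr/bin/under /usr/sbin/cdinstmgr
/etc/init.d/audio"

audit_irix_perms() {
    root=${1:-}
    # Binaries the FAQ says should have setuid removed.
    for p in $SUID_PATHS; do
        if [ -u "$root$p" ]; then
            echo "SUID $p"
        fi
    done
    # arp is setgid sys up to and including IRIX 5.2.
    if [ -g "$root/usr/etc/arp" ]; then
        echo "SGID /usr/etc/arp"
    fi
    # newgrp should not be group-writable (chmod g-w).
    if [ -f "$root/usr/bin/newgrp" ] &&
       [ -n "$(find "$root/usr/bin/newgrp" -perm -020 -print)" ]; then
        echo "GROUP-WRITABLE /usr/bin/newgrp"
    fi
    # inst keeps replaced binaries here with setuid/setgid bits intact.
    if [ -d "$root/var/inst/patchbase" ]; then
        find "$root/var/inst/patchbase" -type f \
            \( -perm -4000 -o -perm -2000 \) -print |
        while IFS= read -r f; do
            rel=${f#"$root"}
            echo "PATCHBASE $rel"
        done
    fi
    return 0
}

audit_irix_perms "${1:-}"
```

Each reported path can then be corrected with `chmod u-s`, `chmod g-s` or `chmod g-w` as the corresponding FAQ item directs.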
IRIX has many built-in security knobs that you should know how to turn
on.
Manpage     Things to look for
-------     ---------------------------------------------------
login       setup /etc/default/login to log all attempts with
            SYSLOG=ALL, add support for external authentication
            programs with SITECHECK=/path/to/prog
portmap     use '-a mask,match' to restrict most of the portmap
            services to a subset of hosts or networks
            use '-v' to log all unprivileged accesses to syslog
rshd        use '-l' to disable validation using .rhosts files
            use '-L' to log all access attempts to syslog
rlogind     use '-l' to disable validation using .rhosts files
            (beware, this was broken prior to IRIX 5.3)
fingerd     use '-l' to log all connections
            use '-S' to suppress information about login status,
            home directory, and shell
            use '-f msg-file' to make it just display that file
ipfilterd   IP packet filtering daemon
 