

2 - Solaris 2.x Patches


This article is from the Security Patches FAQ, by Christopher Klaus cklaus@iss.net with numerous contributions by others.

Here are some file permission problems that exist on Solaris 2.3, and may
also exist on Solaris 2.4, that you should check and correct. Many of them
are fixed by the fix-modes module in the auto-install package:

ftp.fwi.uva.nl:/pub/solaris/auto-install/* .

A patch can reinstall files with their original (loose) modes, so re-run
fix-modes after each patch installation.

1. Problem: As distributed, /opt/SUNWdxlib contains many _world_ writeable
files, including executables. Any local user can insert a trojan into one
of these executables and gain access to the account of anyone who later
runs it.

Solution:

"find /opt/SUNWdxlib -exec chmod go-w {} \;"

Fix-modes does a more thorough job of correcting the permissions. A simple
check for files that have already been tampered with is:

"pkgchk SUNWdxlib"

pkgchk compares each installed file's size, checksum and attributes against
what was recorded when the package was installed, so it only catches
changes made since then. Once you have tightened the modes it will also
flag the new permissions as discrepancies; "pkgchk -c SUNWdxlib" audits the
file contents only and avoids that noise.

2. Problem: By default, /var/nis/{hostname}.dict is _world_ writeable.
"man -s4 nisfiles" says "This file is a dictionary that is used by the
NIS+ database to locate its files." A quick look at it will show entries
such as "/var/nis/{hostname}/passwd.org_dir". By changing one to, say,
"/tmp/{hostname}/passwd.org_dir", it _may_ be possible to replace the
NIS+ password map (or any other map) with a bogus one. Many files in
/var/nis/{hostname} are world writeable as well. Since /var/nis/{hostname}
itself is root owned with mode 700, that should not be exploitable, but
it is also unnecessary. All the files in /var/nis/{hostname} are world
readable too, which is no way to keep shadow password data, even behind
a mode 700 directory.

Solution: Put a script named "S00umask.sh" containing "umask 022" in each
/etc/rc?.d directory. The rc scripts source an entry whose name ends in
".sh" into their own shell instead of running it as a child process, so
the umask it sets stays in effect for every S* script started after it;
the "S00" prefix sorts it ahead of them. This makes sure all daemons start
with a umask of 022.

The default umask really should be 022, not 0.

Run "strings /var/nis/{hostname}.dict" to make sure all the paths in it are
sane, then correct the permissions:

"chmod 644 /var/nis/{hostname}.dict"
"chmod 700 /var/nis/{hostname}"
"chmod 600 /var/nis/{hostname}/*"
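Two checks for this item, as an added example written for this page and not
part of the FAQ or of Solaris itself. The first shows why the name
S00umask.sh matters: an rc script sources a "*.sh" entry into its own shell
and runs anything else in a child shell, and only the sourced umask is still
in effect when the next start script runs (the function reproduces that with
a throwaway script, using sh in place of /sbin/sh). The second reproduces the
"strings ... and look at the paths" check on the dictionary file, flagging any
path outside /var/nis. The dictionary it reads here is a constructed stand-in,
not the real .dict format, and the hostname "host" is a placeholder.

```sh
#!/bin/sh
# Added example; not from the Security Patches FAQ or from Sun.
# Assumptions: a POSIX sh with mktemp(1), tr, awk and grep available;
# "host" is a placeholder hostname; the sample .dict is constructed and
# is NOT the real NIS+ dictionary format, only a file that carries path
# strings among control bytes, which is all the check looks at.

# Print the umask the NEXT S* script would inherit after the rc script
# has handled a stub S00umask.sh the way /sbin/rc2 does: "source" for a
# name ending in .sh (". $f"), "exec" for any other name ("sh $f start").
umask_seen_by_next_script() {
    umask_dir=$(mktemp -d) || return 1
    printf 'umask 022\n' > "$umask_dir/S00umask.sh"
    (
        umask 0                                  # the mode-0 default the FAQ objects to
        case "$1" in
            source) . "$umask_dir/S00umask.sh" ;;   # sourced: umask persists
            exec)   sh "$umask_dir/S00umask.sh" ;;  # child shell: umask dies with it
        esac
        umask
    )
    rm -rf "$umask_dir"
}

# Every token in a (possibly binary) file that looks like an absolute
# path: what "strings FILE | grep /" shows.  Non-printable bytes are
# turned into separators first, so the real .dict file can be fed in.
dict_paths() {
    tr -c '[:print:]' '\n' < "$1" |
        awk '{ for (i = 1; i <= NF; i++) if (substr($i, 1, 1) == "/") print $i }'
}

# Paths in the dictionary that do not live under /var/nis.  Empty output
# means the file looks sane; anything printed deserves a look before the
# permissions are fixed and the file is trusted again.
dict_paths_outside_var_nis() {
    dict_paths "$1" | grep -v '^/var/nis/' || true
}

# Constructed stand-in for /var/nis/{hostname}.dict: two map paths among
# control bytes.  $2 = clean | tampered ("tampered" points the passwd map
# at /tmp, the substitution the FAQ warns about).
write_sample_dict() {
    case "$2" in
        tampered) pw=/tmp/host/passwd.org_dir ;;
        *)        pw=/var/nis/host/passwd.org_dir ;;
    esac
    printf 'dict\001\002%s\000/var/nis/host/group.org_dir\000\003' "$pw" > "$1"
}

# Demonstration on the constructed files.
demo() {
    demo_dir=$(mktemp -d) || return 1
    write_sample_dict "$demo_dir/clean.dict" clean
    write_sample_dict "$demo_dir/bad.dict" tampered
    echo "umask after sourcing S00umask.sh:  $(umask_seen_by_next_script source)"
    echo "umask after executing S00umask.sh: $(umask_seen_by_next_script exec)"
    echo "suspect paths in clean.dict: [$(dict_paths_outside_var_nis "$demo_dir/clean.dict")]"
    echo "suspect paths in bad.dict:   [$(dict_paths_outside_var_nis "$demo_dir/bad.dict")]"
    rm -rf "$demo_dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh check-nis.sh demo" to see both results; on a real system, point
dict_paths_outside_var_nis at /var/nis/{hostname}.dict instead of the
constructed file. Any path it prints is exactly the kind of substitution the
problem above describes and should be investigated before the chmod.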

3. Problem: /etc/hostname.le0 is _world_ writeable. This file names the
host (and so the IP address) configured on the le0 interface at boot, so
anyone can change the address the interface comes up with after the next
reboot.

Solution:

"chmod 644 /etc/hostname.le0"

4. Problem: /var/statmon, /var/statmon/sm, and /var/statmon/sm.bak are
_world_ writeable directories. They are used by statd to "provide the
crash and recovery functions for the locking services of NFS." By writing
there, a user could trick an NFS client into thinking a server had crashed.

Solution:

"find /var/statmon -exec chmod o-w {} \;"

5. Problem: The following files are _world_ writeable:

/var/adm/vold.log
/var/log/syslog*
/var/lp/logs/lpsched
/var/lp/logs/lpNet
/etc/mnttab
/etc/path_to_inst.old
/var/saf/_log
/etc/rmtab

Solution: It may not be possible to tighten the permissions on every world
writeable file without breaking something, but you should at least know
what they are. Something like:

"find / -user root \( -type d -o -type f \) -perm -2 -ls"

lists every root-owned file and directory that anyone can write to, and
hence may contain bogus information ("-perm -2" matches any entry with the
other-write bit set, whatever the rest of its mode). Checking for files
that are writeable by groups other than root, bin, sys, lp and the like is
a good idea as well.
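The audit in item 5 and the chmod fixes in items 1 and 4 wrapped as shell
functions, so that the result can be checked before and after. This is an
added example written for this page, not code from the FAQ or from
fix-modes; it assumes a POSIX sh with find, ls, awk and mktemp, and it runs
against a constructed directory tree (placeholder names dxtool, readme and
state) rather than a live /opt/SUNWdxlib or /var/statmon.

```sh
#!/bin/sh
# Added example; not from the Security Patches FAQ or from fix-modes.
# Assumptions: POSIX sh, find, ls, awk, mktemp; the sample tree below is
# constructed for the demonstration and stands in for /opt/SUNWdxlib and
# /var/statmon.  "-perm -2" means "the other-write bit is set", whatever
# the rest of the mode is; "-perm -20" likewise for the group-write bit.

# List regular files and directories under $1 that anyone can write to.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -2 | sort
}

# Number of such entries, for a before/after comparison.
count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# Clear the write bit for "other" (or, with $2 = go, for group as well,
# as the FAQ does for /opt/SUNWdxlib) on everything under $1.  Only the
# write bit is touched, so 0777 becomes 0775 or 0755, never 0644.
fix_world_writable() {
    who=${2:-o}
    find "$1" \( -type d -o -type f \) -perm -2 -exec chmod "${who}-w" {} \;
}

# Group-writable entries under $1 whose group is NOT in the space-separated
# list $2 (e.g. "root bin sys lp"): the extra check the FAQ suggests.
group_writable_outside() {
    find "$1" \( -type d -o -type f \) -perm -20 -exec ls -ld {} \; |
        awk -v ok="$2" '
            BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) okg[a[i]] = 1 }
            !($4 in okg) { print $NF }' | sort
}

# Permission string of $1, e.g. rwxr-xr-x, taken from ls -ld.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Constructed sample tree (subshell body so the umask change stays local).
# Prints the root of the tree.
make_sample_tree() (
    umask 022                                   # deterministic parent modes
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/opt/SUNWdxlib" "$d/var/statmon/sm" "$d/var/statmon/sm.bak"
    printf '#!/bin/sh\necho real\n' > "$d/opt/SUNWdxlib/dxtool"
    chmod 777 "$d/opt/SUNWdxlib/dxtool"         # item 1: world-writable executable
    printf 'data\n' > "$d/opt/SUNWdxlib/readme"
    chmod 644 "$d/opt/SUNWdxlib/readme"         # already correct, must stay 644
    chmod 777 "$d/var/statmon" "$d/var/statmon/sm" "$d/var/statmon/sm.bak"  # item 4
    printf 'log\n' > "$d/var/statmon/state"
    chmod 666 "$d/var/statmon/state"            # item 5 style world-writable log
    printf '%s\n' "$d"
)

# Demonstration: audit, fix, audit again.
demo() {
    tree=$(make_sample_tree) || return 1
    echo "before: $(count_world_writable "$tree") world-writable entries"
    world_writable "$tree"
    fix_world_writable "$tree/opt/SUNWdxlib" go
    fix_world_writable "$tree/var/statmon"
    echo "after:  $(count_world_writable "$tree") world-writable entries"
    echo "dxtool is now $(mode_of "$tree/opt/SUNWdxlib/dxtool"), sm is now $(mode_of "$tree/var/statmon/sm")"
    echo "group-writable by a non-system group:"
    group_writable_outside "$tree" "root bin sys lp"
    rm -rf "$tree"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh audit-modes.sh demo". On a real host, world_writable / is the
FAQ's find command without the -user root filter, and group_writable_outside
/ "root bin sys lp" prints the group-writable files the FAQ says are worth a
look. Because fix_world_writable only clears the write bit, execute bits and
setuid/setgid bits are left exactly as they were, so check those separately.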

6. Problem: Solaris still ships /usr/kvm/crash with mode 2755 (setgid),
which lets anyone who runs it read kernel memory.

Solution: Change the permissions to 0755, which drops the setgid bit.

7. Problem: /etc, /usr and /usr/sys may have mode 775, which lets any
member of the owning group replace the files in them.

Solution: Change the permissions to 755.

 
