As expected, I got a lot of email response to this question. The
answers can be summarised as:
- The rationale is that 'root' should own as little as possible.
This is not a Sun-specific problem, many vendors do this.
- Most people were inclined to think the way this has been done
is wrong. CERT certainly seems to think so. Some said Sun would
not fix this, some said Sun would. (IMHO Sun will try to fix
known security holes, but not always at a speed others will like.)
- Nobody knew what would break if ownership was set back to root.
(Hints of possible NFS problems etc. ...)
Note: Becoming 'bin' probably isn't any easier than becoming 'root'.
On many systems it may actually be harder, since 'bin' doesn't
have a passwd, just '*' in the passwd file (which is certainly
better protection than many root passwds I've seen.)
The point is, however, that *if* you can become 'bin', then
becoming 'root' is fairly easy if any directory owned by 'bin'
contains files owned by 'root'. The owner of a directory can
do lots of stuff with any files in the directory he/she owns,
including their sub-directories, even if *they* are owned by
others.
Also, security checkers like 'cops' complain a lot about things
like this. I can of course turn the complaints off, but I'd like
to be sure *that* is secure before I do it.
The "funniest" part came in regard to the question of a Sun patch for wrong
file permissions. The answers started with:
- an email from Sun security (this was the message I had seen, also
known as 'tune0001.sh'.)
- Patch-ID# 100103-04
- Patch-ID# 100103-05
- Patch-ID# 100103-06
So some things keep changing :-) I don't think all Sun patches are worth
installing, but I think this is a patch that I'd highly recommend.
Below is an excerpt from Brad Powell's original posting to Sun security
bulletin:
--------------------------------------------------------------------------
Contributed by Brad Powell - Software Security Coordinator, Sun Corporate
Technical Escalations:
SunOS 4.1, 4.1.1: Security warning:
The SunOS 4.1 (4.1.1) OS went out with many file permissions set wrong on the
distribution (FCS) tapes. Some of these could pose potential security
problems.
Here is one such example:
/etc is owned by "bin"
"So what" you say? This seemingly harmless difference actually means that
a technically knowledgeable person (with intent to "do wrong") could use this
bug to obtain read-write access to all the /etc files on any unprotected
system - e.g. a system that still has a "+" in the /etc/hosts.equiv file.
Below is a shell script that changes the "known" problems with the 4.1,
4.1.1 SunOS FCS file permissions. This script can also be retrieved via
standard (patchdb@raid.sun.com, answer centers) distribution as patch id
100103-04.
--------------------------------------------------------------------------
Regards,
Jan.
PS.
On the wish-list:
A Sun standard for distributing patches, patch description
and patch installation. Now wouldn't that be nice?
DS.
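
Added example, not part of the original posting or of the Sun patch: a small audit for the condition described above, where a root-owned file or sub-directory sits below a directory owned by another account. The names `Entry`, `scan` and `exposed` and the sample uids are assumptions made for illustration.

```python
import os
import stat
from collections import namedtuple

# One ownership record: path, owning uid, and whether it is a directory.
Entry = namedtuple("Entry", "path uid is_dir")

def scan(top):
    """Yield an Entry for `top` and everything below it, without following symlinks."""
    top = os.path.abspath(top)
    yield Entry(top, os.lstat(top).st_uid, True)
    for dirpath, dirnames, filenames in os.walk(top):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            yield Entry(path, st.st_uid, stat.S_ISDIR(st.st_mode))

def exposed(entries, trusted_uid=0):
    """Return (path, controlling_dir, dir_owner_uid) for each entry owned by
    trusted_uid that sits below a scanned directory owned by another uid."""
    entries = list(entries)
    dir_owner = {e.path: e.uid for e in entries if e.is_dir}
    findings = []
    for e in entries:
        if e.uid != trusted_uid:
            continue
        parent = os.path.dirname(e.path)
        # Walk up through the scanned directories; the nearest one not owned
        # by trusted_uid is the one whose owner controls this entry.
        while parent in dir_owner:
            if dir_owner[parent] != trusted_uid:
                findings.append((e.path, parent, dir_owner[parent]))
                break
            if parent == os.path.dirname(parent):
                break  # reached the filesystem root
            parent = os.path.dirname(parent)
    return findings

# Constructed sample (not from a real system): uid 3 stands in for 'bin'.
SAMPLE = [
    Entry("/etc", 3, True), Entry("/etc/passwd", 0, False),
    Entry("/etc/motd", 3, False), Entry("/etc/sub", 0, True),
    Entry("/etc/sub/conf", 0, False), Entry("/var", 0, True),
    Entry("/var/log", 0, False),
]

if __name__ == "__main__":
    for path, ctrl, uid in exposed(SAMPLE):
        print(f"{path}: root-owned, but {ctrl} is owned by uid {uid}")
```

On a live system, `exposed(scan("/etc"))` reports the same condition from the real ownership data.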