**********************************************************************
DDN MGT Bulletin 64              DCA DDN Defense Communications System
08 Aug 89                        Published by: DDN Network Info Center
                                    ([email protected])  (800) 235-3155

                       DEFENSE  DATA  NETWORK
                        MANAGEMENT  BULLETIN

The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network
Information Center under DCA contract as a means of communicating
official policy, procedures and other information of concern to
management personnel at DDN facilities.  Back issues may be read
through the TACNEWS server ("@n" command at the TAC) or may be
obtained by FTP (or Kermit) from the SRI-NIC host [26.0.0.73 or
10.0.0.51] using login="anonymous" and password="guest".  The pathname
for bulletins is DDN-NEWS:DDN-MGT-BULLETIN-nn.TXT (where "nn" is the
bulletin number).

**********************************************************************

          SECURITY PROBLEM IN SUN3 AND SUN4 UNIX - RESTORE

APPLICABLE OPERATING SYSTEM: UNIX 4.0, 4.01, 4.03 running on Sun3 and
                             Sun4 machines.

 PROBLEM: A serious security problem has been discovered in SunOS
          restore.  The problem occurs because restore is setuid to
          root.  Without going into details, it is sufficient to say
          that this is a serious hole.  All SunOS 4.0 installations
          should install one of the two workarounds described below.

          The first is preferred as it makes restore unexecutable by
          ordinary users, but this workaround makes it impossible to
          restore via a remote tape drive.  If you need to restore in
          this way, the second workaround will limit the use of restore
          to a select group.

WORKAROUND(1): Make restore non-setuid by becoming root and doing a

              chmod 750 /usr/etc/restore

          This makes restore non-setuid and unreadable and
          unexecutable by ordinary users.

          Making restore non-setuid affects the restore command
          using a remote tape drive.  You will no longer be able to
          run a restore from another machine as an ordinary user;
          instead, you'll have to be root to do so.  (The reason for
          this is that the remote tape drive daemon on the machine
          with the tape drive expects a request on a TCP privileged
          port.  Under SunOS, you can't get a privileged port unless
          you are root.  By making restore non-setuid, when you run
          restore and request a remote tape drive, restore won't be
          able to get a privileged port, so the remote tape drive
          daemon won't talk to it.)


WORKAROUND(2): If you do need to have some users run restore from
          remote tape drives without being root, you can use the
          following workaround.

              cd /usr/etc
              chgrp operator restore
              chmod 4550 restore

          This allows the use of restore by some trusted group.
          In this case, we used the group 'operator', but you may
          substitute any other group that you trust with access
          to the tape drive.  Thus, restore is still setuid and
          vulnerable, but only to the people in the trusted group.

          The 4550 makes restore readable and executable by the group
          you specified, and unreadable by everyone else.
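
One way to confirm which of the two workarounds is in place (an added
example, not part of the original bulletin).  It reads the permission
string printed by "ls -ld"; the function names and result labels are
made up for this example, and the default path is the one used above.

```shell
#!/bin/sh
# Added example: compare the mode of restore with the bulletin's workarounds.
# classify_perms takes the 10-character permission string from `ls -ld`,
# e.g. "-rwxr-x---" (chmod 750) or "-r-sr-x---" (chmod 4550).
classify_perms() {
    perms=$1
    owner_x=$(printf '%s' "$perms" | cut -c4)     # 's' or 'S' means setuid
    other=$(printf '%s' "$perms" | cut -c8-10)    # bits for ordinary users
    case $owner_x in
        s|S) setuid=yes ;;
        *)   setuid=no ;;
    esac
    if [ "$other" != "---" ]; then
        if [ "$setuid" = yes ]; then
            echo "EXPOSED: setuid and accessible to ordinary users"
        else
            echo "NOT-SETUID: but still accessible to ordinary users"
        fi
    elif [ "$setuid" = yes ]; then
        echo "WORKAROUND2: setuid, limited to owner and group"
    else
        echo "WORKAROUND1: not setuid, closed to ordinary users"
    fi
}

# audit_restore reports the state of one file (default /usr/etc/restore)
# together with its group, so the trusted group can be reviewed.
audit_restore() {
    path=${1:-/usr/etc/restore}
    if [ ! -e "$path" ]; then
        echo "MISSING: $path"
        return 0
    fi
    listing=$(ls -ld "$path")
    perms=$(printf '%s' "$listing" | cut -c1-10)
    group=$(printf '%s\n' "$listing" | awk '{print $4}')
    printf '%s (group %s)\n' "$(classify_perms "$perms")" "$group"
}
```

Source the file and run audit_restore as root.  For a WORKAROUND2
result, check that the group shown is the trusted group you intended.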


CONTACTS: Call your Sun customer support representative if you have
          any questions.  Refer to this problem by Sun's bug number
          1019265.  If you have difficulty reaching your
          representative, call the Sun Hotline at

          (800) USA-4SUN   or (800) 872-4786

          Call CERT at (412) 268-7090  for general problem information.
          Call SRI/NIC at 1-800-235-3155 for general information.


 NOTE(1): This bulletin represents the best information available
          at this time on this problem.  As with any system
          modification, WORK WITH YOUR SUN REPRESENTATIVE.

 NOTE(2): Only those sites that run SunOS 4.0, 4.0.1, and 4.0.3 are
          affected.  The problem does not appear in SunOS 3.5.

 NOTE(3): A user does need to have an existing account to exploit
          this hole; however, `GUEST' is sufficient.

