Some questions on security on an Iris 4D
Vernon Schryver
vjs at rhyolite.wpd.sgi.com
Wed Nov 15 05:22:16 AEST 1989
In article <8911140720.AA15210 at explorer.dgp.toronto.edu>, pavel at DGP.TORONTO.EDU (Pavel Rozalski) writes:
> I was just taking a look at one of the local Iris 4D's shipped with
> IRIX 3.2 and thought I would run some find commands. Here are some
> findings and comments.
>
> Set GID:
>
> -rwxr-sr-x 1 root wheel 94256 Sep 27 17:52 /etc/fuser
> ---x--s--x 1 root wheel 8240 Sep 27 17:52 /etc/killall
> -rwxr-sr-x 1 root wheel 61488 Sep 27 17:52 /etc/savecore
> -rwxr-sr-x 1 bin wheel 20528 Sep 27 17:52 /etc/whodo
>
> Probably none of the above need to be set GID - killall will only do
> stuff if the UID is root anyway.
One assumes that your "wheel" is an addition to your /etc/groups, and
is defined as 0. If not, all of the files with group "wheel" were
changed at your site.
Killall should be sgid=sys, because it is a great program. It will kill
anything you have permission to kill. It is an extremely simple and
fast replacement for the usual `ps -le | grep blah-de-blah | xargs kill`.
Fuser is also usefully sgid=sys. Savecore seems a little odd, since
it should only be run by root.
> ...
> Writeable files:
>
> drwxrwxrwx 3 root mail 512 Nov 6 14:31 /usr/mail
> drwxrwxrwx 2 root mail 512 Nov 6 14:31 /usr/mail/:saved
This is a bug. They should be 775, since all of the
programs that need to muck with these directories are sgid=mail.
> -rw-rw-rw- 1 root wheel 0 Sep 27 18:39 /usr/lib/cron/at.deny
> -rw-rw-rw- 1 root wheel 0 Sep 27 18:39 /usr/lib/cron/cron.deny
>
> Not sure about those two.
This is a bug, or a local problem like the following:
> -rw-rw-rw- 1 root wheel 0 Nov 9 23:20 /usr/lib/aliases.dir
> -rw-rw-rw- 1 root wheel 1024 Nov 9 23:20 /usr/lib/aliases.pag
>
> Bad hole - lets average user redirect anyone's mail and get sendmail
> to run any program as daemon. Not safe. I can provide details.
This does not happen here on a machine with 3.2 installed "clean" (i.e.
the disks scrubbed). Is it possible that some script, .profile, etc
of yours does a `umask 0`?
> I doubt if many of the above files should have the permissions they
> are shipped with. Perhaps someone at SGI could confirm which of those
> files really need to be set UID or world writeable.
>
> Pavel Rozalski
> UUCP: ..!uunet!dgp.toronto.edu!pavel
> Bitnet: pavel at dgp.utoronto
> Internet/Ean: pavel at dgp.toronto.{edu,cdn}
Other people should comment on the other files. In general, this is an
interesting list.
Vernon Schryver
Silicon Graphics
vjs at sgi.com
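An added audit example, not code from the original thread: a POSIX shell script that builds a constructed scratch tree reproducing some of the modes quoted above, runs the two `find` checks behind Pavel's lists (setuid/setgid programs, world-writable entries without the sticky bit) and shows what a `umask 0` does to a newly created file, which is the local cause Vernon suggests. The fixture paths and helper names are assumptions.

```shell
#!/bin/sh
# Added example: reproduce the thread's permission audit on a constructed tree.
umask 022   # default for the fixture; the umask demo below overrides it in a subshell

# Build a constructed fixture under $1 (assumption: a scratch directory).
make_fixture() {
    root=$1
    mkdir -p "$root/etc" "$root/usr/mail/:saved" "$root/usr/lib/cron"
    : > "$root/etc/killall";  chmod 2111 "$root/etc/killall"   # ---x--s--x
    : > "$root/etc/fuser";    chmod 2755 "$root/etc/fuser"     # -rwxr-sr-x
    : > "$root/etc/savecore"; chmod 2755 "$root/etc/savecore"  # -rwxr-sr-x
    chmod 777 "$root/usr/mail" "$root/usr/mail/:saved"          # should be 775
    : > "$root/usr/lib/cron/at.deny"
    chmod 666 "$root/usr/lib/cron/at.deny"                      # -rw-rw-rw-
}

# Setuid or setgid regular files, one path per line (the "Set GID" section).
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# World-writable files and directories that lack the sticky bit
# (the "Writeable files" section; a sticky /tmp-style directory is not flagged).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! -perm -1000 | sort
}

# Create $2 under umask $1 (in a subshell so the caller's umask is untouched)
# and print the resulting octal mode; GNU stat first, BSD stat as fallback.
mode_with_umask() {
    ( umask "$1"; : > "$2" )
    stat -c %a "$2" 2>/dev/null || stat -f %Lp "$2"
}

scratch=$(mktemp -d)
make_fixture "$scratch"
echo "setuid/setgid programs:";      find_setid "$scratch"
echo "world-writable, no sticky bit:"; find_world_writable "$scratch"
echo "new file under umask 0:   $(mode_with_umask 0 "$scratch/new0")"     # 666
echo "new file under umask 022: $(mode_with_umask 022 "$scratch/new022")" # 644
rm -rf "$scratch"
```

A file created under `umask 0` comes out 666, which is exactly the mode of the at.deny, cron.deny and aliases.* entries in the quoted listing.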