du.4.0e.var.perms.txt

1999-08-17T00:00:00
ID PACKETSTORM:12002
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Sun, 4 Apr 1999 20:31:12 +0300  
From: Harhalakis Stefanos <v13@AETOS.IT.TEITHE.GR>  
To: BUGTRAQ@netspace.org  
Subject: Digital Unix 4.0E /var permission  
  
On Digital Unix 4.0E with the latest patch kit applied, after a new  
installation /var has g+w for group system. Anyone that can crack any  
account with gid==system may exploit this (not tested but there should be  
no problem with mv'ing /var/sbin, /var/adm etc.). It seems that CDE  
is forcing g+w to /var. The whole thing is done while executing  
/sbin/rc3.d/S95xlogin and only if CDE is selected.  
  
<<V13>>  
  
-------------------------------------------------------------------------  
  
Date: Tue, 6 Apr 1999 10:47:26 +0200  
From: Jochen Thomas Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>  
To: BUGTRAQ@netspace.org  
Subject: Re: Digital Unix 4.0E /var permission  
  
Hello,  
  
On Sun, 4 Apr 1999 Harhalakis Stefanos wrote:  
>On Digital Unix 4.0E with the latest patch kit applied, after a new  
>installation /var has g+w for group system.  
  
This problem seems to exist in other versions of Digital Unix, too.  
At least on Digital Unix 4.0c and 4.0d (Factory Installed Software,  
no patches applied, CDE in use) /var, which in my case is a link to  
/usr/var, has  
  
drwxrwxr-x 28 root system 512 Feb 11 12:58 /usr/var/  
  
permissions. However, on Digital Unix 4.0b (Patch kit  
DUV40BAS00008-19980821 applied, Software installed from CD, CDE in use)  
/usr/var has  
  
drwxr-xr-x 23 root system 512 Feb 11 1998 /usr/var/  
  
permissions.  
  
>The whole thing is done while executing /sbin/rc3.d/S95xlogin and  
>only if CDE is selected.  
  
This does not seem to be the case for Digital Unix 4.0c and 4.0d.  
There is no chmod of /var in /sbin/rc3.d/S95xlogin.  
  
>Anyone that can crack any account with gid==system may exploit this  
>(not tested but there should be no problem with mv'ing /var/sbin,  
>/var/adm etc etc..).  
  
Or do the following:  
CDE's Xconfig file is a link from /var/dt/Xconfig to the actual config  
file. Moving /var/dt and creating your own /var/dt, you could replace  
the system Xconfig file with your own version which has the session  
manager specification  
  
Dtlogin*session: /usr/dt/bin/Xsession  
  
replaced with something more evil. Then just wait for root to  
log in on the console....  
  
--  
Jochen Bauer  
Institute for Theoretical Physics  
University of Stuttgart  
Germany  
  
PGP public key available from:  
http://www.theo2.physik.uni-stuttgart.de/jtb.html  
  
-------------------------------------------------------------------------  
  
Date: Tue, 6 Apr 1999 10:18:28 -0500  
From: implosion <implosion@BROKEN.NE.MEDIAONE.NET>  
To: BUGTRAQ@netspace.org  
Subject: Re: Digital Unix 4.0E /var permission  
  
First of all, under Digital UNIX, the system group is the group that is  
'pseudo-root', i.e. have near root privileges and are allowed to su into  
root. /var, which under a default install, is a sym-link to /usr/var,  
contains all of the system accounting files, LSM, and other system  
specific files that all System Administrators would need to run their  
system. So, it is only logical that system have write permissions to that  
directory.  
Also, one should note that any system administrator should (and  
would, I would hope), only put _secure_ accounts in the system group, i.e.  
any account that is going to utilize a safe password and those accounts  
are not going to have set-uid or gid executables attached to them.  
One more note: as an ls -la of /sbin/rc3.d would show you,  
S95xlogin is only a sym-link to /sbin/init.d/xlogin. The S95 is there so  
when init comes up to run level 3, it will start (the S tells it that),  
and the 95 is placed there to put it in order - you add a numeric number  
to the front of the executable, so when the rc3 script processes  
/sbin/rc3.d, it gets launched after certain daemons and programs that need  
to be running in order for it to start. To the best of my knowledge,  
xlogin isn't doing anything to the /var permissions.  
  
-Implosion  
  
  
On Sun, 4 Apr 1999, Harhalakis Stefanos wrote:  
  
> On Digital Unix 4.0E with the latest patch kit applied, after a new  
> installation /var has g+w for group system. Anyone that can crack any  
> account with gid==system may exploit this (not tested but there should be  
> no problem with mv'ing /var/sbin, /var/adm etc.). It seems that CDE  
> is forcing g+w to /var. The whole thing is done while executing  
> /sbin/rc3.d/S95xlogin and only if CDE is selected.  
>  
> <<V13>>  
>  
  
-------------------------------------------------------------------------  
  
Date: Wed, 7 Apr 1999 07:43:02 +1000  
From: Paul Szabo <psz@MATHS.USYD.EDU.AU>  
To: BUGTRAQ@netspace.org  
Subject: Re: Digital Unix 4.0E /var permission  
  
Jochen Thomas Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE> writes:  
> On Sun, 4 Apr 1999 Harhalakis Stefanos wrote:  
>> On Digital Unix 4.0E with the latest patch kit applied, after a new  
>> installation /var has g+w for group system.  
> This problem seems to exist in other versions of Digital Unix, too.  
  
True. I solved this by not having any users in the system group.  
  
>> The whole thing is done while executing /sbin/rc3.d/S95xlogin and  
>> only if CDE is selected.  
> This does not seem to be the case for Digital Unix 4.0c and 4.0d.  
> There is no chmod of /var in /sbin/rc3.d/S95xlogin.  
  
I guess it is done within /usr/dt/bin/dtlogin.  
  
Beware also of permissions on /var/dt. In my /sbin/init.d/xlogin I have  
inserted (within the function StartDisplayManager(), after the line  
'$X_DISPLAY_MANAGER -daemon $CONFIG_OPTION'):  
  
### Change by PSz on 12 Nov 96  
### Stupid /usr/dt/bin/dtlogin uses 'chmod 777 /var/dt'. This is bad...  
### Also watch out for /usr/dt/config/Xsession.d/0030.dttmpdir  
chmod 755 /var/dt > /dev/null 2>&1  
# Sleep to make sure dtlogin is finished, do again  
sleep 10  
chmod 755 /var/dt > /dev/null 2>&1  
### End of change  
  
Paul Szabo - System Manager // School of Mathematics and Statistics  
psz@maths.usyd.edu.au // University of Sydney, NSW 2006, Australia  
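  
An added audit script, not from any of the posts in this thread, that checks the directories the thread discusses (/var, /var/dt and /var/adm) for group- or world-writable bits by parsing the same `ls -ld` mode column the posts quote, with `-L` so it follows the /var and /usr/var symlink in whichever direction a site set it up. The optional prefix argument, the function names and the constructed sample tree (which reproduces the reported g+w /var and the 777 /var/dt) are assumptions of this example; run `audit_var` with no argument to check a live system.  
  
```shell
#!/bin/sh
# Audit the /var permissions discussed in this thread (added example, not
# from the original posts). Parses the mode column of `ls -ld`, the output
# the thread quotes, so it needs no GNU stat; `-L` follows the /var <-> /usr/var
# symlink in whichever direction the site set it up.

# Return 0 when the directory is neither group- nor world-writable, else 1.
# Mode string columns: 1 type, 2-4 owner, 5-7 group, 8-10 other.
dir_is_safe() {
    mode=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    case "$mode" in
        ?????w????|????????w?) return 1 ;;   # group write or other write
        *) return 0 ;;
    esac
}

# Check the locations the thread names under an optional root prefix
# (no prefix = live system). Returns the number of unsafe directories.
audit_var() {
    prefix=${1:-}
    bad=0
    for d in /var /var/dt /var/adm; do
        [ -d "$prefix$d" ] || continue
        if dir_is_safe "$prefix$d"; then
            echo "OK   $mode $prefix$d"   # $mode was set by dir_is_safe
        else
            echo "WARN $mode $prefix$d is group/world writable: chmod g-w,o-w"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample tree (not a real system): /var -> usr/var with g+w as
# reported for 4.0E, /var/dt left at 777 as dtlogin does, /var/adm clean.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/var/dt" "$root/usr/var/adm"
    ln -s usr/var "$root/var"
    chmod 775 "$root/usr/var"
    chmod 777 "$root/usr/var/dt"
    chmod 755 "$root/usr/var/adm"
    echo "$root"
}

demo_root=$(make_sample_tree)
audit_var "$demo_root" || echo "$? directory(s) need attention"
rm -rf "$demo_root"
```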
  
-------------------------------------------------------------------------  
  
Date: Wed, 7 Apr 1999 02:56:40 +0200  
From: Harhalakis Stefanos <v13@AETOS.IT.TEITHE.GR>  
To: BUGTRAQ@netspace.org  
Subject: Re: Digital Unix 4.0E /var permission  
  
I don't think that having more than one 'root password' is secure.  
If you want someone to have root privileges give him the root password.  
In any other case you want him to not be able to become root..  
  
For the xlogin.. I did not say anything different than yours.. Anyway  
As far as I remember in clogin there is an if that looks if you want cde  
or xdm. If cde is selected, then one of the programs/scripts that is  
executed is changing the permissions. This is NOT from the OS, but from  
the window manager... I don't think that CDE may judge whether or not /var  
needs g+w, unless it really needs this...  
I thought that the way the scripts are called and the link-stuff  
was not relative and was known.... Nothing new there..  
And one more thing.. If you decide to use a different partition  
for /var, then it is not a symlink to /usr/var, but /usr/var is  
a symlink to /var.. (This was our case)  
  
<<V13>>  
  
p.s. In the original mail I wrote /var/sbin.... which was a mistake..  
  
On Tue, 6 Apr 1999, implosion wrote:  
  
> First of all, under Digital UNIX, the system group is the group that is  
> 'pseudo-root', i.e. have near root privileges and are allowed to su into  
> root. /var, which under a default install, is a sym-link to /usr/var,  
> contains all of the system accounting files, LSM, and other system  
> specific files that all System Administrators would need to run their  
> system. So, it is only logical that system have write permissions to that  
> directory.  
> Also, one should note that any system administrator should (and  
> would, I would hope), only put _secure_ accounts in the system group, i.e.  
> any account that is going to utilize a safe password and those accounts  
> are not going to have set-uid or gid executables attached to them.  
> One more note: as an ls -la of /sbin/rc3.d would show you,  
> S95xlogin is only a sym-link to /sbin/init.d/xlogin. The S95 is there so  
> when init comes up to run level 3, it will start (the S tells it that),  
> and the 95 is placed there to put it in order - you add a numeric number  
> to the front of the executable, so when the rc3 script processes  
> /sbin/rc3.d, it gets launched after certain daemons and programs that need  
> to be running in order for it to start. To the best of my knowledge,  
> xlogin isn't doing anything to the /var permissions.  
>  
> -Implosion  
>  
>  
> On Sun, 4 Apr 1999, Harhalakis Stefanos wrote:  
>  
> > On Digital Unix 4.0E with the latest patch kit applied, after a new  
> > installation /var has g+w for group system. Anyone that can crack any  
> > account with gid==system may exploit this (not tested but there should be  
> > no problem with mv'ing /var/sbin, /var/adm etc.). It seems that CDE  
> > is forcing g+w to /var. The whole thing is done while executing  
> > /sbin/rc3.d/S95xlogin and only if CDE is selected.  
> >  
> > <<V13>>  
> >  
>  
  