Some questions on security on an Iris 4D
Pavel Rozalski
pavel at DGP.TORONTO.EDU
Tue Nov 14 18:20:41 AEST 1989
I was just taking a look at one of the local Iris 4D's shipped with
IRIX 3.2 and thought I would run some find commands. Here are some
findings and comments.
Set GID:
-rwxr-sr-x 1 root wheel 94256 Sep 27 17:52 /etc/fuser
---x--s--x 1 root wheel 8240 Sep 27 17:52 /etc/killall
-rwxr-sr-x 1 root wheel 61488 Sep 27 17:52 /etc/savecore
-rwxr-sr-x 1 bin wheel 20528 Sep 27 17:52 /etc/whodo
Probably none of the above need to be set GID - killall will only do
stuff if the UID is root anyway.
Set UID:
-rwsrwsr-x 1 lp bin 53296 Sep 27 17:55 /usr/lib/accept
-rwsrwsr-x 1 root bin 69680 Sep 27 17:55 /usr/lib/lpadmin
-rwsrwsr-x 1 lp bin 57392 Sep 27 17:55 /usr/lib/lpmove
-rwsrwsr-x 1 root bin 102400 Sep 27 17:55 /usr/lib/lpsched
-rwsrwsr-x 1 lp bin 49200 Sep 27 17:55 /usr/lib/lpshut
-rwsrwsr-x 1 lp bin 53296 Sep 27 17:55 /usr/lib/reject
The above all have to do with line printer administration - since they
all should probably be run by root, there is probably no reason they
should be set UID.
-rwsrwsr-x 1 lp bin 57392 Sep 27 17:53 /usr/bin/cancel
-rwsrwsr-x 1 lp bin 57392 Sep 27 17:53 /usr/bin/disable
-rwsrwsr-x 1 lp bin 12336 Sep 27 17:53 /usr/bin/enable
-rwsrwsr-x 1 lp bin 69680 Sep 27 17:53 /usr/bin/lp
-rwsrwsr-x 1 lp bin 65584 Sep 27 17:53 /usr/bin/lpstat
User lp commands - probably some of these need to be set UID if you
want to put up with lp and friends.
-rwsr-xr-x 1 root wheel 151728 Sep 27 17:56 /usr/sbin/gr_osview
This works just as well when it isn't set UID (as far as I could tell).
-rwsrwsr-x 1 root bin 471216 Sep 27 18:06 /usr/lib/vadmin/disks
-rwsr-xr-x 1 root bin 467120 Sep 27 18:06 /usr/lib/vadmin/networking
-rwsr-xr-x 1 root bin 438448 Sep 27 18:06 /usr/lib/vadmin/printers
-rwsrwsr-x 1 root bin 352432 Sep 27 18:06 /usr/lib/vadmin/serial_ports
-rwsrwsr-x 1 root bin 454832 Sep 27 18:06 /usr/lib/vadmin/users
-rwsr-xr-x 1 root wheel 53296 Sep 27 17:53 /usr/bin/crontab
-rwsr-xr-x 1 root wheel 77872 Nov 6 16:20 /usr/bin/under
-r-sr-xr-x 1 root wheel 73776 Sep 27 17:54 /usr/etc/ping
-rwsr-xr-x 1 root wheel 94208 Sep 27 17:54 /usr/etc/timedc
-rwsr-xr-x 1 root wheel 155696 Sep 27 17:56 /usr/sbin/bru
-rwsr-xr-x 1 root wheel 131184 Sep 27 17:56 /usr/sbin/edge
-rwsr-xr-x 1 root bin 274608 Sep 27 18:07 /usr/sbin/systemdown
-rwsr-xr-x 1 root bin 372912 Sep 27 18:07 /usr/sbin/vadmin
I don't know about the above. I doubt very much that edge, a debugger,
must be set UID...
Writeable files:
drwxrwxrwx 3 root mail 512 Nov 6 14:31 /usr/mail
drwxrwxrwx 2 root mail 512 Nov 6 14:31 /usr/mail/:saved
Do you really want to keep around a mail system that *requires*
permissions like that? Not only is mail forgery trivial but I doubt if
it is desirable to have users store their files there.
-rw-rw-rw- 1 root wheel 0 Sep 27 18:39 /usr/lib/cron/at.deny
-rw-rw-rw- 1 root wheel 0 Sep 27 18:39 /usr/lib/cron/cron.deny
Not sure about those two.
-rw-rw-rw- 1 root wheel 0 Nov 9 23:20 /usr/lib/aliases.dir
-rw-rw-rw- 1 root wheel 1024 Nov 9 23:20 /usr/lib/aliases.pag
Bad hole - lets average user redirect anyone's mail and get sendmail
to run any program as daemon. Not safe. I can provide details.
-rw-rw-rw- 1 bin bin 652 Sep 27 18:06 /usr/sbin/IRIS_Visualizer
-rw-rw-rw- 1 bin bin 377 Sep 27 18:07 /usr/sbin/quickmodel
-rw-rw-rw- 1 bin bin 374 Sep 27 18:07 /usr/sbin/quickpaint
-rw-rw-rw- 1 tutor 997 910 Sep 27 17:57 /usr/tutor/getstart/textfile
-rw-rw-rw- 1 root wheel 3 Nov 9 23:20 /etc/syslog.pid
-rw-rw-rw- 1 root wheel 0 Nov 13 21:57 /etc/rmtab
Not sure about those.
I doubt if many of the above files should have the permissions they
are shipped with. Perhaps someone at SGI could confirm which of those
files really need to be set UID or world writeable.
Pavel Rozalski
UUCP: ..!uunet!dgp.toronto.edu!pavel
Bitnet: pavel at dgp.utoronto
Internet/Ean: pavel at dgp.toronto.{edu,cdn}
More information about the Comp.sys.sgi
mailing list