Some questions on security on an Iris 4D

Pavel Rozalski pavel at DGP.TORONTO.EDU
Tue Nov 14 18:20:41 AEST 1989


I was just taking a look at one of the local Iris 4D's shipped with
IRIX 3.2 and thought I would run some find commands. Here are some
findings and comments.

Set GID:

-rwxr-sr-x   1 root     wheel      94256 Sep 27 17:52 /etc/fuser
---x--s--x   1 root     wheel       8240 Sep 27 17:52 /etc/killall
-rwxr-sr-x   1 root     wheel      61488 Sep 27 17:52 /etc/savecore
-rwxr-sr-x   1 bin      wheel      20528 Sep 27 17:52 /etc/whodo

Probably none of the above need to be set GID - killall will only do
stuff if the UID is root anyway.

Set UID:

-rwsrwsr-x   1 lp       bin        53296 Sep 27 17:55 /usr/lib/accept
-rwsrwsr-x   1 root     bin        69680 Sep 27 17:55 /usr/lib/lpadmin
-rwsrwsr-x   1 lp       bin        57392 Sep 27 17:55 /usr/lib/lpmove
-rwsrwsr-x   1 root     bin       102400 Sep 27 17:55 /usr/lib/lpsched
-rwsrwsr-x   1 lp       bin        49200 Sep 27 17:55 /usr/lib/lpshut
-rwsrwsr-x   1 lp       bin        53296 Sep 27 17:55 /usr/lib/reject

The above all have to do with line printer administration - since they
all should probably be run by root, there is probably no reason they
should be set UID.

-rwsrwsr-x   1 lp       bin        57392 Sep 27 17:53 /usr/bin/cancel
-rwsrwsr-x   1 lp       bin        57392 Sep 27 17:53 /usr/bin/disable
-rwsrwsr-x   1 lp       bin        12336 Sep 27 17:53 /usr/bin/enable
-rwsrwsr-x   1 lp       bin        69680 Sep 27 17:53 /usr/bin/lp
-rwsrwsr-x   1 lp       bin        65584 Sep 27 17:53 /usr/bin/lpstat

User lp commands - probably some of these need to be set UID if you
want to put up with lp and friends.

-rwsr-xr-x   1 root     wheel     151728 Sep 27 17:56 /usr/sbin/gr_osview

This works just as well when it isn't set UID (as far as I could tell).

-rwsrwsr-x   1 root     bin       471216 Sep 27 18:06 /usr/lib/vadmin/disks
-rwsr-xr-x   1 root     bin       467120 Sep 27 18:06 /usr/lib/vadmin/networking
-rwsr-xr-x   1 root     bin       438448 Sep 27 18:06 /usr/lib/vadmin/printers
-rwsrwsr-x   1 root     bin       352432 Sep 27 18:06 /usr/lib/vadmin/serial_ports
-rwsrwsr-x   1 root     bin       454832 Sep 27 18:06 /usr/lib/vadmin/users
-rwsr-xr-x   1 root     wheel      53296 Sep 27 17:53 /usr/bin/crontab
-rwsr-xr-x   1 root     wheel      77872 Nov  6 16:20 /usr/bin/under
-r-sr-xr-x   1 root     wheel      73776 Sep 27 17:54 /usr/etc/ping
-rwsr-xr-x   1 root     wheel      94208 Sep 27 17:54 /usr/etc/timedc
-rwsr-xr-x   1 root     wheel     155696 Sep 27 17:56 /usr/sbin/bru
-rwsr-xr-x   1 root     wheel     131184 Sep 27 17:56 /usr/sbin/edge
-rwsr-xr-x   1 root     bin       274608 Sep 27 18:07 /usr/sbin/systemdown
-rwsr-xr-x   1 root     bin       372912 Sep 27 18:07 /usr/sbin/vadmin

I don't know about the above. I doubt very much that edge, a debugger,
must be set UID...

Writeable files:

drwxrwxrwx   3 root     mail     512 Nov  6 14:31 /usr/mail
drwxrwxrwx   2 root     mail     512 Nov  6 14:31 /usr/mail/:saved

Do you really want to keep around a mail system that *requires*
permissions like that? Not only is mail forgery trivial but I doubt if
it is desirable to have users store their files there.

-rw-rw-rw-   1 root     wheel          0 Sep 27 18:39 /usr/lib/cron/at.deny
-rw-rw-rw-   1 root     wheel          0 Sep 27 18:39 /usr/lib/cron/cron.deny

Not sure about those two.

-rw-rw-rw-   1 root     wheel          0 Nov  9 23:20 /usr/lib/aliases.dir
-rw-rw-rw-   1 root     wheel       1024 Nov  9 23:20 /usr/lib/aliases.pag

Bad hole - lets average user redirect anyone's mail and get sendmail
to run any program as daemon. Not safe. I can provide details.

-rw-rw-rw-   1 bin      bin          652 Sep 27 18:06 /usr/sbin/IRIS_Visualizer
-rw-rw-rw-   1 bin      bin          377 Sep 27 18:07 /usr/sbin/quickmodel
-rw-rw-rw-   1 bin      bin          374 Sep 27 18:07 /usr/sbin/quickpaint
-rw-rw-rw-   1 tutor    997          910 Sep 27 17:57 /usr/tutor/getstart/textfile
-rw-rw-rw-   1 root     wheel          3 Nov  9 23:20 /etc/syslog.pid
-rw-rw-rw-   1 root     wheel          0 Nov 13 21:57 /etc/rmtab

Not sure about those.


I doubt if many of the above files should have the permissions they
are shipped with. Perhaps someone at SGI could confirm which of those
files really need to be set UID or world writeable.

Pavel Rozalski
UUCP:         ..!uunet!dgp.toronto.edu!pavel
Bitnet:       pavel at dgp.utoronto
Internet/Ean: pavel at dgp.toronto.{edu,cdn}	       



More information about the Comp.sys.sgi mailing list