**********************************************************************
DDN MGT Bulletin 64              DCA DDN Defense Communications System
08 Aug 89                        Published by: DDN Network Info Center
                                    (NIC@NIC.DDN.MIL)   (800) 235-3155

                DEFENSE DATA NETWORK MANAGEMENT BULLETIN

The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network
Information Center under DCA contract as a means of communicating
official policy, procedures and other information of concern to
management personnel at DDN facilities. Back issues may be read
through the TACNEWS server ("@n" command at the TAC) or may be
obtained by FTP (or Kermit) from the SRI-NIC host [26.0.0.73 or
10.0.0.51] using login="anonymous" and password="guest". The pathname
for bulletins is DDN-NEWS:DDN-MGT-BULLETIN-nn.TXT (where "nn" is the
bulletin number).
**********************************************************************

         SECURITY PROBLEM IN SUN3 AND SUN4 UNIX - RESTORE

APPLICABLE OPERATING SYSTEM: UNIX 4.0, 4.01, 4.03 running on Sun3 and
Sun4 machines.

PROBLEM: A serious security problem has been discovered in SunOS
restore. The problem occurs because restore is setuid to root.
Without going into details, it is sufficient to say that this is a
serious hole. All SunOS 4.0 installations should install one of the
two workarounds described below. The first is preferred as it makes
restore unexecutable by ordinary users, but this workaround makes it
impossible to restore via a remote tape drive. If you need to restore
in this way, the second workaround will limit the use of restore to a
select group.

WORKAROUND(1): Make restore non-setuid by becoming root and doing a

        chmod 750 /usr/etc/restore

This makes restore non-setuid and unreadable and unexecutable by
ordinary users.

Making restore non-setuid affects the restore command using a remote
tape drive. You will no longer be able to run a restore from another
machine as an ordinary user; instead, you'll have to be root to do so.
(The reason for this is that the remote tape drive daemon on the
machine with the tape drive expects a request on a TCP privileged
port. Under SunOS, you can't get a privileged port unless you are
root. By making restore non-setuid, when you run restore and request a
remote tape drive, restore won't be able to get a privileged port, so
the remote tape drive daemon won't talk to it.)

WORKAROUND(2): If you do need to have some users run restore from
remote tape drives without being root, you can use the following
workaround.

        cd /usr/etc
        chgrp operator restore
        chmod 4550 restore

This allows the use of restore by some trusted group. In this case, we
used the group 'operator', but you may substitute any other group that
you trust with access to the tape drive. Thus, restore is still setuid
and vulnerable, but only to the people in the trusted group. The 4550
makes restore readable and executable by the group you specified, and
unreadable by everyone else.

CONTACTS: Call your Sun customer support representative if you have
any questions. Refer to this problem by Sun's bug number 1019265. If
you have difficulty reaching your representative, call the Sun Hotline
at (800) USA-4SUN or (800) 872-4786.

Call CERT at (412) 268-7090 for general problem information.

Call SRI/NIC at 1-800-235-3155 for general information.

NOTE(1): This bulletin represents the best information available at
this time on this problem. As with any system modification, WORK WITH
YOUR SUN REPRESENTATIVE.

NOTE(2): Only those sites that run SunOS 4.0, 4.0.1, and 4.0.3 are
affected. It does not appear in SunOS 3.5.

NOTE(3): A user does need to have an existing account to exploit this
hole; however, `GUEST' is sufficient.
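
ADDED EXAMPLE (not part of the original bulletin, and not Sun or DDN
code): a shell function that reports which of the two workaround states
a restore binary is in, judged from its mode bits only. The function
names and the labels it prints are assumptions of this example; it does
not check file ownership or group membership.

```shell
#!/bin/sh
# Added example: classify a restore binary against the bulletin's workarounds.
# Function names and output labels are hypothetical, chosen for this example.

has_perm() {
    # True when every bit of octal mode $2 is set on file $1.
    # Uses POSIX "find -perm -mode" so no platform-specific stat is needed.
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

any_other_access() {
    # True when users outside the owner and group have any r/w/x bit.
    has_perm "$1" 004 || has_perm "$1" 002 || has_perm "$1" 001
}

classify_restore() {
    # Default path is the one named in the bulletin.
    f=${1:-/usr/etc/restore}
    if [ ! -f "$f" ]; then
        echo "missing"
        return 0
    fi
    if has_perm "$f" 4000; then
        if any_other_access "$f"; then
            echo "exposed"          # setuid and reachable by ordinary users
        else
            echo "workaround2"      # setuid, limited to owner and group (4550)
        fi
    else
        if any_other_access "$f"; then
            echo "non-setuid-open"  # not setuid, but not locked down to 750
        else
            echo "workaround1"      # not setuid, no access for others (750)
        fi
    fi
}
```

A result of "workaround2" still means restore is setuid, so the group
that owns the file should be reviewed as the bulletin describes.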