Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!wuarchive!decwrl!sgi!vjs@rhyolite.wpd.sgi.com
From: vjs@rhyolite.wpd.sgi.com (Vernon Schryver)
Newsgroups: comp.sys.sgi
Subject: Re: Some questions on security on an Iris 4D
Message-ID: <44588@sgi.sgi.com>
Date: 14 Nov 89 18:22:16 GMT
References: <8911140720.AA15210@explorer.dgp.toronto.edu>
Sender: vjs@rhyolite.wpd.sgi.com
Organization: Silicon Graphics, Inc., Mountain View, CA
Lines: 69

In article <8911140720.AA15210@explorer.dgp.toronto.edu>, pavel@DGP.TORONTO.EDU (Pavel Rozalski) writes:
> I was just taking a look at one of the local Iris 4D's shipped with
> IRIX 3.2 and thought I would run some find commands. Here are some
> findings and comments.
>
> Set GID:
>
> -rwxr-sr-x 1 root wheel 94256 Sep 27 17:52 /etc/fuser
> ---x--s--x 1 root wheel 8240 Sep 27 17:52 /etc/killall
> -rwxr-sr-x 1 root wheel 61488 Sep 27 17:52 /etc/savecore
> -rwxr-sr-x 1 bin wheel 20528 Sep 27 17:52 /etc/whodo
>
> Probably none of the above need to be set GID - killall will only do
> stuff if the UID is root anyway.

One assumes that your "wheel" is an addition to your /etc/groups, and is
defined as 0. If not, all of the files with group "wheel" were changed at
your site.

Killall should be sgid=sys, because it is a great program. It will kill
anything you have permission to kill. It is an extremely simple and fast
replacement for the usual `ps -le | grep blah-de-blah | xargs kill`

Fuser is also usefully sgid=sys.

Savecore seems a little odd, since it should only be run by root.

> ...
> Writeable files:
>
> drwxrwxrwx 3 root mail 512 Nov 6 14:31 /usr/mail
> drwxrwxrwx 2 root mail 512 Nov 6 14:31 /usr/mail/:saved

This is a bug. They should be 775, since all of the programs that need
to muck with these directories are sgid=mail.

> -rw-rw-rw- 1 root wheel 0 Sep 27 18:39 /usr/lib/cron/at.deny
> -rw-rw-rw- 1 root wheel 0 Sep 27 18:39 /usr/lib/cron/cron.deny
>
> Not sure about those two.

This is a bug, or a local problem like the following:

> -rw-rw-rw- 1 root wheel 0 Nov 9 23:20 /usr/lib/aliases.dir
> -rw-rw-rw- 1 root wheel 1024 Nov 9 23:20 /usr/lib/aliases.pag
>
> Bad hole - lets the average user redirect anyone's mail and get sendmail
> to run any program as daemon. Not safe. I can provide details.

This does not happen here on a machine with 3.2 installed "clean" (i.e.
the disks scrubbed). Is it possible that some script, .profile, etc of
yours does a `umask 0`?

> I doubt if many of the above files should have the permissions they
> are shipped with. Perhaps someone at SGI could confirm which of those
> files really need to be set UID or world writeable.
>
> Pavel Rozalski
> UUCP: ..!uunet!dgp.toronto.edu!pavel
> Bitnet: pavel@dgp.utoronto
> Internet/Ean: pavel@dgp.toronto.{edu,cdn}

Other people should comment on the other files. In general, this is an
interesting list.

Vernon Schryver
Silicon Graphics
vjs@sgi.com
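The thread above is essentially a hand audit of `ls -l` output: which set-ID programs can be justified, and which world-writable files and directories should lose their `o+w` bit (Vernon's 775 for /usr/mail). The script below is an added example, not code from the post or from IRIX; it parses the symbolic mode column that `ls -l` prints (including the upper-case `S`/`T` case, where the special bit is set without execute), then emits one finding per set-ID program and per world-writable path, with the mode that would fix the latter. The sample listing reuses the lines quoted in the thread plus one constructed line (`/tmp/constructed-setuid-noexec`) to exercise the `S` case; that path and the function names are this example's own.

```python
"""Audit an `ls -l` style listing for setuid, setgid and world-writable entries.

Added example (not from the original post or from IRIX). It applies the two
checks discussed in the thread: list set-ID programs so each can be justified,
and flag world-writable entries with the `o-w` mode that would fix them.
"""
import stat

# Bit for each of the nine permission positions that follow the type character.
_PERM_BITS = [
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
]
# The three execute positions may instead show setuid, setgid or sticky.
_SPECIAL_BITS = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_mode(symbolic: str) -> int:
    """Convert a 10-character mode such as '-rwxr-sr-x' to numeric permission bits.

    Lower-case 's'/'t' mean the special bit plus execute; upper-case 'S'/'T'
    mean the special bit is set but execute is not.
    """
    if len(symbolic) != 10:
        raise ValueError(f"expected a 10-character mode string, got {symbolic!r}")
    mode = 0
    for pos, ch in enumerate(symbolic[1:]):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= _PERM_BITS[pos]
        elif ch in "sStT" and pos in _SPECIAL_BITS:
            mode |= _SPECIAL_BITS[pos]
            if ch in "st":
                mode |= _PERM_BITS[pos]
        else:
            raise ValueError(f"unexpected character {ch!r} in {symbolic!r}")
    return mode


def parse_ls_line(line: str) -> dict:
    """Split one `ls -l` line; the path is everything after the time field."""
    fields = line.split(None, 8)
    if len(fields) != 9:
        raise ValueError(f"not an ls -l line: {line!r}")
    symbolic, _links, owner, group, _size, _mon, _day, _time, path = fields
    return {"path": path, "is_dir": symbolic[0] == "d",
            "mode": parse_mode(symbolic), "owner": owner, "group": group}


def audit(listing: str) -> list:
    """Return one finding per set-ID program and per world-writable entry."""
    findings = []
    for raw in listing.strip().splitlines():
        e = parse_ls_line(raw)
        m = e["mode"]
        # Set-ID bits matter on programs; on directories setgid only controls
        # group inheritance, so only files are reported here.
        if not e["is_dir"]:
            if m & stat.S_ISUID:
                findings.append({"path": e["path"], "issue": "setuid", "mode": f"{m:04o}",
                                 "detail": f"runs as {e['owner']}; justify or remove"})
            if m & stat.S_ISGID:
                findings.append({"path": e["path"], "issue": "setgid", "mode": f"{m:04o}",
                                 "detail": f"runs with group {e['group']}; justify or remove"})
        if m & stat.S_IWOTH:
            fixed = m & ~stat.S_IWOTH   # drop only the o+w bit, keep group access
            findings.append({"path": e["path"], "issue": "world-writable", "mode": f"{m:04o}",
                             "detail": f"chmod {fixed:o} (keeps group {e['group']} access)"})
    return findings


# Sample input: the lines quoted in the thread plus one constructed line
# (/tmp/constructed-setuid-noexec) that shows setuid without execute.
SAMPLE_LISTING = """\
-rwxr-sr-x 1 root wheel 94256 Sep 27 17:52 /etc/fuser
---x--s--x 1 root wheel 8240 Sep 27 17:52 /etc/killall
-rwxr-sr-x 1 root wheel 61488 Sep 27 17:52 /etc/savecore
-rwxr-sr-x 1 bin wheel 20528 Sep 27 17:52 /etc/whodo
drwxrwxrwx 3 root mail 512 Nov 6 14:31 /usr/mail
drwxrwxrwx 2 root mail 512 Nov 6 14:31 /usr/mail/:saved
-rw-rw-rw- 1 root wheel 0 Sep 27 18:39 /usr/lib/cron/at.deny
-rw-rw-rw- 1 root wheel 0 Sep 27 18:39 /usr/lib/cron/cron.deny
-rw-rw-rw- 1 root wheel 0 Nov 9 23:20 /usr/lib/aliases.dir
-rw-rw-rw- 1 root wheel 1024 Nov 9 23:20 /usr/lib/aliases.pag
-rwSr--r-- 1 root sys 0 Jan 1 00:00 /tmp/constructed-setuid-noexec
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        print(f"{f['mode']} {f['issue']:15} {f['path']:32} {f['detail']}")
```

Feed it the output of `ls -l` over the paths a `find / -perm -4000 -o -perm -2000 -o -perm -2` walk turns up; the world-writable findings carry the mode with only `o+w` removed, which for the two mail directories is the 775 Vernon recommends, while the set-ID findings are a list to justify entry by entry rather than a verdict.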