Path: utzoo!censor!geac!jtsv16!uunet!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!DGP.TORONTO.EDU!pavel From: pavel@DGP.TORONTO.EDU (Pavel Rozalski) Newsgroups: comp.sys.sgi Subject: Some questions on security on an Iris 4D Message-ID: <8911140720.AA15210@explorer.dgp.toronto.edu> Date: 14 Nov 89 07:20:41 GMT Sender: daemon@ucbvax.BERKELEY.EDU Reply-To: pavel@dgp.toronto.edu Organization: The Internet Lines: 95 I was just taking a look at one of the local Iris 4D's shipped with IRIX 3.2 and thought I would run some find commands. Here are some findings and comments. Set GID: -rwxr-sr-x 1 root wheel 94256 Sep 27 17:52 /etc/fuser ---x--s--x 1 root wheel 8240 Sep 27 17:52 /etc/killall -rwxr-sr-x 1 root wheel 61488 Sep 27 17:52 /etc/savecore -rwxr-sr-x 1 bin wheel 20528 Sep 27 17:52 /etc/whodo Probably none of the above need to be set GID - killall will only do stuff if the UID is root anyway. Set UID: -rwsrwsr-x 1 lp bin 53296 Sep 27 17:55 /usr/lib/accept -rwsrwsr-x 1 root bin 69680 Sep 27 17:55 /usr/lib/lpadmin -rwsrwsr-x 1 lp bin 57392 Sep 27 17:55 /usr/lib/lpmove -rwsrwsr-x 1 root bin 102400 Sep 27 17:55 /usr/lib/lpsched -rwsrwsr-x 1 lp bin 49200 Sep 27 17:55 /usr/lib/lpshut -rwsrwsr-x 1 lp bin 53296 Sep 27 17:55 /usr/lib/reject The above all have to do with line printer administration - since they all should probably be run by root, there is probably no reason they should be set UID. -rwsrwsr-x 1 lp bin 57392 Sep 27 17:53 /usr/bin/cancel -rwsrwsr-x 1 lp bin 57392 Sep 27 17:53 /usr/bin/disable -rwsrwsr-x 1 lp bin 12336 Sep 27 17:53 /usr/bin/enable -rwsrwsr-x 1 lp bin 69680 Sep 27 17:53 /usr/bin/lp -rwsrwsr-x 1 lp bin 65584 Sep 27 17:53 /usr/bin/lpstat User lp commands - probably some of these need to be set UID if you want to put up with lp and friends. -rwsr-xr-x 1 root wheel 151728 Sep 27 17:56 /usr/sbin/gr_osview This works just as well when it isn't set UID (as far as I could tell). -rwsrwsr-x 1 root bin 471216 Sep 27 18:06 /usr/lib/vadmin/disks -rwsr-xr-x 1 root bin 467120 Sep 27 18:06 /usr/lib/vadmin/networking -rwsr-xr-x 1 root bin 438448 Sep 27 18:06 /usr/lib/vadmin/printers -rwsrwsr-x 1 root bin 352432 Sep 27 18:06 /usr/lib/vadmin/serial_ports -rwsrwsr-x 1 root bin 454832 Sep 27 18:06 /usr/lib/vadmin/users -rwsr-xr-x 1 root wheel 53296 Sep 27 17:53 /usr/bin/crontab -rwsr-xr-x 1 root wheel 77872 Nov 6 16:20 /usr/bin/under -r-sr-xr-x 1 root wheel 73776 Sep 27 17:54 /usr/etc/ping -rwsr-xr-x 1 root wheel 94208 Sep 27 17:54 /usr/etc/timedc -rwsr-xr-x 1 root wheel 155696 Sep 27 17:56 /usr/sbin/bru -rwsr-xr-x 1 root wheel 131184 Sep 27 17:56 /usr/sbin/edge -rwsr-xr-x 1 root bin 274608 Sep 27 18:07 /usr/sbin/systemdown -rwsr-xr-x 1 root bin 372912 Sep 27 18:07 /usr/sbin/vadmin I don't know about the above. I doubt very much that edge, a debugger, must be set UID... Writeable files: drwxrwxrwx 3 root mail 512 Nov 6 14:31 /usr/mail drwxrwxrwx 2 root mail 512 Nov 6 14:31 /usr/mail/:saved Do you really want to keep around a mail system that *requires* permissions like that? Not only is mail forgery trivial but I doubt if it is desirable to have users store their files there. -rw-rw-rw- 1 root wheel 0 Sep 27 18:39 /usr/lib/cron/at.deny -rw-rw-rw- 1 root wheel 0 Sep 27 18:39 /usr/lib/cron/cron.deny Not sure about those two. -rw-rw-rw- 1 root wheel 0 Nov 9 23:20 /usr/lib/aliases.dir -rw-rw-rw- 1 root wheel 1024 Nov 9 23:20 /usr/lib/aliases.pag Bad hole - lets average user redirect anyone's mail and get sendmail to run any program as daemon. Not safe. I can provide details. -rw-rw-rw- 1 bin bin 652 Sep 27 18:06 /usr/sbin/IRIS_Visualizer -rw-rw-rw- 1 bin bin 377 Sep 27 18:07 /usr/sbin/quickmodel -rw-rw-rw- 1 bin bin 374 Sep 27 18:07 /usr/sbin/quickpaint -rw-rw-rw- 1 tutor 997 910 Sep 27 17:57 /usr/tutor/getstart/textfile -rw-rw-rw- 1 root wheel 3 Nov 9 23:20 /etc/syslog.pid -rw-rw-rw- 1 root wheel 0 Nov 13 21:57 /etc/rmtab Not sure about those. I doubt if many of the above files should have the permissions they are shipped with. Perhaps someone at SGI could confirm which of those files really need to be set UID or world writeable. Pavel Rozalski UUCP: ..!uunet!dgp.toronto.edu!pavel Bitnet: pavel@dgp.utoronto Internet/Ean: pavel@dgp.toronto.{edu,cdn}