SunOS Restore


________________________________________________________________
		THE COMPUTER INCIDENT ADVISORY CAPABILITY

 				CIAC

			ADVISORY    NOTICE
________________________________________________________________


       Announcement of Vulnerability in the SunOS Restore Utility

The Computer Incident Advisory Capability (CIAC) has learned of a vulnerability
in SunOS.  This vulnerability is in the restore utility.  Because restore is
setuid to root, it allows an ordinary user to obtain unauthorized privileges.  
This vulnerability is found in all SunOS 4.x systems (4.0, 4.0.1, and 4.0.3). 
This vulnerability can, however, be exploited only by users who have an account
on a SunOS 4.x system. 

Sun Microsystems is aware of this vulnerability (Sun Bug 1019265) and is 
developing a permanent solution in a future SunOS release.  However, until
this fix is available, you should install one of two temporary fixes:

Temporary Solution 1:  Make restore non-setuid, using the following 
workaround:

	chmod 750 /usr/etc/restore

This solution is appropriate for systems that do restores locally and use 
the root account to do restores.  It eliminates the vulnerability in restore.  
However, in addition to making restore non-setuid, this solution makes restore
unreadable and non-executable by ordinary (non-root) users, and restricts the
use of remote restore by these users.  For example, with SunOS, a user who is
not root cannot get a privileged port.  If temporary solution 1 has been
implemented, an ordinary user who requests a remote tape drive to do restore
would discover that restore would be unable to obtain a privileged port. 
Therefore, the remote tape drive would not work. 

Temporary Solution 2:  Use the following workaround:

	cd /usr/etc
	chgrp operator restore
	chmod 4550 restore

You should use this solution if you do remote restore outside of the root 
account.  You may substitute "operator" with any other group that contains 
the users you want to use restore. The group "operator" is a default group 
on SunOS 4.x. With this method, restore is still setuid and vulnerable, 
but you will have an accountable group of users who can use restore.  The 
4550 makes restore readable and executable by root and the group you specified,
and unreadable by everyone else.  Thus, this solution does not totally disable 
the remote restore capability, but allows designated user groups to have 
this capability.

In addition, as a preventive security measure, we suggest that you restrict 
the accessibility of dump.  The "dump" utility, the partner of restore, is 
frequently used to do backups on a system.  Restore is used to extract the 
files that dump has stored on tape.  CIAC's recommendation is to make dump
unreadable, non-executable and unwritable to everyone other than root and
dump's group by using the following workaround: 

	chmod 6750 /usr/etc/dump

This will restrict access of dump by allowing its use only by root and the
group to which dump belongs (e.g., operator, staff, or wheel).
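
A check for the permission changes above, as an added example that is not part
of the CIAC advisory: it classifies the mode string printed by ls -ld for
restore and dump.  The function names and verdict words are illustrative, and
it assumes the files are owned by root.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether restore and dump
# carry the permissions described in the workarounds above.
# Assumption: the files are owned by root, so "setuid" means setuid root.

# classify_mode MODE -> verdict for a 10-character ls mode string
classify_mode() {
    mode=$1
    owner_x=$(printf '%s' "$mode" | cut -c4)     # s or S here means setuid
    other=$(printf '%s' "$mode" | cut -c8-10)    # bits for everyone else
    case $owner_x in
        s|S) suid=setuid ;;
        *)   suid=not-setuid ;;
    esac
    if [ "$other" = "---" ]; then
        scope=restricted       # only owner and group have any access
    else
        scope=unrestricted     # ordinary users can still read or run it
    fi
    echo "$scope-$suid"
}

# audit_file PATH -> prints "PATH MODE VERDICT"
audit_file() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path missing"
        return 1
    fi
    mode=$(ls -ld "$path" | cut -c1-10)
    echo "$path $mode $(classify_mode "$mode")"
}

# Verdicts to expect after applying the advisory:
#   restore, Temporary Solution 1 (chmod 750):  restricted-not-setuid
#   restore, Temporary Solution 2 (chmod 4550): restricted-setuid
#   dump (chmod 6750):                          restricted-setuid
#   unrestricted-setuid means the workaround has not been applied
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        audit_file "$f" || true
    done
fi
```

Saved under a name of your choice (audit.sh here is hypothetical), it is run as
"sh audit.sh /usr/etc/restore /usr/etc/dump".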

For further information, contact:

	Ana Maria de Alvare'
	Computer Incident Advisory Capability
	Lawrence Livermore National Laboratory
	P.O. Box 808, L-303
	Livermore, CA  94550
	(415) 422-7007 or (FTS) 532-7007
	anamaria@lll-lcc.llnl.gov

