        _____________________________________________________

             The Computer Incident Advisory Capability

                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________

                         Information Bulletin

February 22, 1991, 1300 PST                                     Number B-14

Additional Information about UNIX Security Problem with /bin/mail in SunOS

Sun Microsystems has released additional information about the security
problem with /bin/mail described in CIAC Bulletin B-13. There are
significant changes to the patch installation procedure. The new patch
installation procedure is:

________________________________________________________________________

Patch ID: 100224-01
BugIDs fixed by this patch: 1045636 and 1047340
Availability: Anonymous FTP from ftp.uu.net:/sun-dist/100224-01.tar.Z
              Checksum of the compressed tarfile
              100224-01.tar.Z = 64102   109
Patches Obsoleted: 100161-01
Obsoleted by: SysV Release 4

Patch installation instructions are as follows:

              (Log in as root - you must have root access to apply this patch!)
              (Create a temporary directory and "cd" to it)
              (Use anonymous FTP to obtain the file sun-dist/100224-01.tar.Z
               from ftp.uu.net)
              # uncompress 100224-01.tar.Z
              # tar xvf 100224-01.tar
              # mv /bin/mail /bin/mail.old
  NEW -->     # chmod 400 /bin/mail.old
              # cp $arch/$os/mail /bin/mail
                 (where $arch is either sun3, sun4, sun4c or sun3x)
                 (and where $os is either 4.0.3, 4.1 or 4.1.1)
              (change the permissions for the newly installed mail binary)
  UPDATED --> # chmod 4711 /bin/mail
                 (Sun actually recommends setting the permissions to 4111,
                  but CIAC considers 4711 a wiser choice.)
  NEW -->     # ls -l /bin/mail
              (Verify that /bin/mail is owned by "root" and that the file
               permissions are correct.)
              (You will probably wish to delete the 100224-01.tar file and
               the files created by "de-tar-ing" 100224-01.tar at this time!)
________________________________________________________________________

CIAC recommends that you delete /bin/mail.old altogether after
verifying that the new version of /bin/mail just installed is
functioning correctly.  If you take this course of action, you should
first make a backup copy of /bin/mail.old and store it off-line.
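
The "ls -l /bin/mail" verification step above, and the handling of /bin/mail.old, can be turned into a pass/fail check. The script below is an added example, not part of the CIAC bulletin or Sun's patch; the helper names ls_mode, owner_uid, check_file and verify_mail_patch are hypothetical. It accepts both the CIAC modes (4711 new, 400 old) and the Sun modes from the addendum that follows (4111 new, 100 old).

```shell
#!/bin/sh
# Post-install check for the CIAC B-14 /bin/mail procedure: the new binary
# must be root-owned with mode 4711 (CIAC) or 4111 (Sun), and /bin/mail.old,
# if kept, must be root-owned with mode 400 (CIAC) or 100 (Sun) so it can
# neither run setuid nor be read.  Helper names are hypothetical additions.

# ls_mode FILE: the 10-character mode field of ls -l, e.g. -rws--x--x for
# 4711 (cut drops the SELinux "." or ACL "+" marker some ls versions append)
ls_mode() {
    set -- $(ls -ld "$1")
    echo "$1" | cut -c1-10
}

# owner_uid FILE: numeric owner uid; ls -n avoids a passwd lookup
owner_uid() {
    set -- $(ls -ldn "$1")
    echo "$3"
}

# check_file FILE UID MODE1 [MODE2]: return 0 when FILE is owned by UID and
# its mode string is MODE1 or MODE2; otherwise print the reason and return 1
check_file() {
    file=$1; want_uid=$2; want1=$3; want2=${4:-$3}
    [ -e "$file" ] || { echo "$file: missing"; return 1; }
    uid=$(owner_uid "$file"); mode=$(ls_mode "$file")
    [ "$uid" = "$want_uid" ] ||
        { echo "$file: owner uid $uid, expected $want_uid"; return 1; }
    [ "$mode" = "$want1" ] || [ "$mode" = "$want2" ] ||
        { echo "$file: mode $mode, expected $want1 or $want2"; return 1; }
    echo "$file: ok ($mode, uid $uid)"
}

# verify_mail_patch: the "ls -l /bin/mail" step of the bulletin as a
# pass/fail test that also covers the old copy.  Returns 0 when both
# files are as required, 1 otherwise.
verify_mail_patch() {
    status=0
    check_file /bin/mail 0 -rws--x--x ---s--x--x || status=1
    if [ -e /bin/mail.old ]; then
        check_file /bin/mail.old 0 -r-------- ---x------ || status=1
    fi
    return $status
}

# Run the live check only when invoked as "sh verify_mail.sh --run"
if [ "${1:-}" = "--run" ]; then
    verify_mail_patch
fi
```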



For your information, we have included the Sun addendum below:
________________________________________________________________________

This is an addendum to the Security bulletin (#00105) that went out
recently.  Two points were brought to Sun's attention by the security
community.

First point:  It is not advisable to leave the old version of /bin/mail
around as this version can be exploited. After first verifying that the
new version was not mangled in the transfer, either remove the old
version (/bin/mail.old) or change the permissions to 100.  Example:
chmod 100 /bin/mail.old

Second point:  The permissions on the new version of /bin/mail do not
have to be set to 4755 as they come on the installation tape.  Setting
the mode to 4111 allows /bin/mail to work, but keeps people from
reading the binary (with strings).

Special thanks to Gordon O'Connor and Hal Brand for pointing out these
flaws in the posting.

Brad Powell
Sun Microsystems
________________________________________________________________________

For additional information or assistance contact:

        Hal R. Brand
        (415) 422-6312 or (FTS) 532-6312

        During working hours, call CIAC at (415) 422-8193 or (FTS)
        532-8193.  For non-working hour emergencies, call (415)
        422-7222 or (FTS) 532-7222 and ask for CIAC (this is a new
        emergency number).

        Send e-mail to ciac@cheetah.llnl.gov (this is a new Internet
        address).

        Send FAX messages to:  (415) 423-0913 or (FTS) 543-0913

Joe Ilacqua and Sun Microsystems provided information contained in this
bulletin.  Neither the United States Government nor the University of
California nor any of their employees makes any warranty, expressed
or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe
privately owned rights.  Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.



