I'm running V1.2.1/v1.1.1 on 3.2c and all my permissions
are already set as suggested as well as owner/groups.
Might this be something specific to his version #?
George Gallen
ggallen_at_slackinc.com
-----Original Message-----
From: Richard L Jackson Jr [mailto:rjackson_at_osf1.gmu.edu]
Sent: Friday, September 04, 1998 10:31 AM
To: alpha-osf-managers_at_ornl.gov
Subject: SWXCR123 and SWXCRMGR120 Security Vulnerability
FYI,
I have discovered and reported to Compaq a security vulnerability with
the following products;
SWXCR123    StorageWorks SWXCR Utility for Digital UNIX V1.2.3
SWXCRMGR120 StorageWorks RAID Array 200 Management Utility V1.2.0
These products are on floppy StorageWorks RAID Array 200 RAID Management
Utility Alpha Digital UNIX V2.4, part number AK-Q6TEH-CA and part of the
SWK RD 230+ Mul Lic/RX23 PKG 1.1, part number QB-57UAA-SA, kit.
The problem is the product installs with 1315 uid and group users (gid
15) with group write permissions. Note that the utility is invoked
with root permissions. So, uid 1315 or anyone with group users access
can gain root access.
Normally, I would not announce anything of this nature but my
understanding is the Digital team that supported the product are no
longer available. So, it is not known at this time if and when an
update release will be forthcoming.
The workaround is to fix the ownership, group and permissions;
chmod -R g-w /usr/opt/swxcr
chmod -R g-w /usr/opt/swxcrmgr
chown -R root:system /usr/opt/swxcr
chown -R root:system /usr/opt/swxcrmgr
Use command 'setld -i|fgrep SWXCR' to determine if you have the product
installed. The kit came with the KZPAC 3-port PCI RAID Controller
we ordered. The kit is also valid with KZPSC and KZESC controllers.
--
Regards,
Richard Jackson
Computer Center Lead Engineer
Mgr, Central Systems & Dept. UNIX Consulting
University Computing & Information Systems (UCIS)
George Mason University, Fairfax, Virginia
Received on Fri Sep 04 1998 - 14:39:23 NZST
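
A check that the workaround in the quoted advisory took effect, as an added example that is not part of either message: it lists anything under the two install directories that is still group-writable or not owned by root:system. The function name audit_tree and its arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread).
# audit_tree DIR [OWNER] [GROUP]
#   Prints every path under DIR that is group-writable or is not owned
#   by OWNER:GROUP. Returns 0 when the tree is clean, 1 when something
#   was printed, 2 when DIR is missing or find itself failed.
#   The root:system defaults match the chown in the advisory.
audit_tree() {
    dir=$1 owner=${2:-root} group=${3:-system}
    [ -d "$dir" ] || { echo "not installed: $dir" >&2; return 2; }
    # Symlinks are skipped: their own mode bits are not meaningful.
    bad=$(find "$dir" ! -type l \
        \( -perm -020 -o ! -user "$owner" -o ! -group "$group" \) -print) ||
        { echo "find failed on $dir" >&2; return 2; }
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Install directories named in the advisory.
for d in /usr/opt/swxcr /usr/opt/swxcrmgr; do
    rc=0
    audit_tree "$d" || rc=$?
    case $rc in
        0) echo "ok: $d" ;;
        1) echo "still exposed: $d (paths listed above)" ;;
        *) echo "skipped: $d" ;;
    esac
done
```

A path that is printed still needs the chmod and chown from the advisory applied to it.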