Follow-up2:1st experiences/problems with 4.0D

From: Martin Mokrejs <mmokrejs_at_mail.natur.cuni.cz>
Date: Thu, 26 Feb 1998 20:07:47 +0100 (MET)

Hello,

1. Security bug in CDE (I don't know if it's Digital Unix 4.0D specific, but
it probably is - I had no problem under 4.0B)
 There's at least one security bug in CDE which shows up when the system
is in ENHANCED security mode *AND* has a modified /etc/sia/matrix.conf file
*AND* uses improperly configured /etc/auth/system/ttys and devassign
files (default settings in 4.0D). If running BASE security, see below.

When a user tries to log in through the CDE login window from a remote
terminal, he fills in the username and can leave the password blank. Under
those special circumstances this user gets a warning on the terminal:
"Cannot obtain database information on this terminal" right after he

Right after that he gets into a failsafe login session and receives an xterm.
His login UID is -1, thus he can use utilities using the SIA module as root.
However, his UID and GID are preserved, thus he can't get unprivileged
access over file/dir permissions. However, he *CAN* change any password,
can change shell etc. But if the malicious user enters the root username at
the login prompt, again without a password, he again gets a failsafe
session with all root rights.

The bug was reported to DEC officially this Monday.

---------
For me, a temporary solution was to add to the /etc/auth/system/ttys file:
*\:*:t_devname=*\:*:t_login_timeout#0:t_xdisplay:chkent:
The above line was missing in default configuration.

Check, that you have in devassign:
*\:*:v_devs=*\:*:v_type=xdisplay:chkent:

These two lines made me sure that no-one will get the message:
"Cannot obtain database information...."

---------
Under ENHANCED security with an __unmodified__ matrix.conf file, users on
X-terminals got the message "Cannot obtain database information...."
whenever they connected to the server *BEFORE* they actually got the CDE
login window. Thus, they never had a chance to enter any username without a
password and thus to gain access to the system.
The bug is probably (don't know) still exploitable, but not so easily.

Under BASE security I have no idea what happens.

I discovered this bug because I have modified the matrix.conf file to support
Kerberos authorization in Digital Unix. THIS IS NOT (_DEFINITELY_) A BUG IN
KERBEROS. I RECOMMEND ALL SYSADMINS OF SERVERS WITH THE KERBEROS SIA MODULE
INSERTED INTO THE matrix.conf file TO TAKE THIS ADVICE, and to:

  a) modify ttys and devassign files
  b) or to use default matrix.conf using ONLY Digital's libraries. In my
     case, using unmodified matrix.file was a solution.

===========================================================================
2. convauth utility UPGRADES hashed databases (*.db).
When you run convauth -dv -dt -v to recreate ttys.db and devassign.db,
the utility - it seems to me - adds new entries to the database. So it does
not remove the old ones, which are probably no longer present in the
textual version of the file. So it does not behave like
rm ttys.db;convauth -dt -v

which would IMHO properly update the database. Given the security bug
described in paragraph 1., I recommend manually removing those .db files
first, prior to running the convauth utility.

I don't know if it is a bug or a feature... - to me it seems to be a bug.

===========================================================================
3. Another bug in CDE was reported to the BUGTRAQ list
/usr/dt/bin/dtappgather is an SUID program, which can be used to change
the owner of some file to you. Thus one can potentially become the owner of
/etc/passwd or even of protected database files.

----------
Because I don't use dtappgather and don't even know what it does, I removed
the SUID bit. The exploit does not work for me when the SUID bit is removed.

This seems to be a general bug in CDE - reported as a bug on Sun computers,
if I remember...... This bug is probably also in previous versions of
Digital Unix.

==========================================================================
4. There's a bug in verification procedure in Networker 4.4.

Running `setld -v BRXSOAKIT440` gives:

************ Verifying BRXSOAKIT440 ***********

./usr/opt/BRX440/CLUSTER_SVR/NetWorker.start: cannot stat (No such file or directory)
./usr/opt/BRX440/CLUSTER_SVR/NetWorker.stop: cannot stat (No such file or directory)
        2 verification errors encountered.
        0 corrections performed.

************ Verification Completed *************

===========================================================================
5. This is probably not a bug, but.... (present in 4.4, 4.3)
When networker does not find media index database, it crashes with this useless error:

hostname# nwrecover: SYSTEM error, No such file or directory

[1]+ Exit 1 nwrecover
hostname#

This problem disappeared after I recovered the media indexes with
`scanner -i -b <pool> /dev/nrmt0h', thus I hope I just did not find the
index database. I hope networker should write some more usable error
message.

===========================================================================
6. Errors produced/recovered during installation process
 After analyzing the logfile created by the installation process (not
installupdate), I found:

SUBSET PMGRUTIL211 at /:
fverify5236 (1) begin logging at Mon Nov 11 12:44:22 1996

./var/opt/pm/PAscripts: permissions rwxr-xr-x should be rwxr-x---
        ./var/opt/pm/PAscripts corrected.
./var/opt/pm/PAscripts/.control: permissions rwxr-xr-x should be rwxr-x---
        ./var/opt/pm/PAscripts/.control corrected.
./var/opt/pm/SMscripts: permissions rwxr-xr-x should be rwxr-x---
        ./var/opt/pm/SMscripts corrected.
./var/opt/pm/SMscripts/.control: permissions rwxr-xr-x should be rwxr-x---
        ./var/opt/pm/SMscripts/.control corrected.
        4 verification errors encountered.
        4 corrections performed.
fverify5236 end logging at Mon Nov 11 12:44:22 1996


SUBSET IOSWWBASE405 at /:
fverify8678 (1) begin logging at Mon Nov 11 12:53:41 1996

        Creating directory ./usr/i18n/ccs
        Creating directory ./usr/i18n/ccs/lib
        Creating directory ./usr/i18n/include
        Creating directory ./usr/i18n/lib/nls/msg
        Creating directory ./usr/i18n/share
        Creating directory ./usr/i18n/share/lib
        Creating directory ./usr/i18n/share/lib/psfont
        Creating directory ./usr/i18n/share/phrdb
        0 verification errors encountered.
        0 corrections performed.
fverify8678 end logging at Mon Nov 11 12:53:41 1996


SUBSET SVEENV400 at /:
fverify29093 (1) begin logging at Mon Nov 11 13:56:06 1996

./usr/opt/svr4/usr/opt: gid 0 should be 16
        ./usr/opt/svr4/usr/opt corrected.
./usr/opt/svr4/usr/opt: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/opt corrected.
        Creating directory ./var/opt/svr4
        Creating directory ./var/opt/svr4/adm
        Creating directory ./var/opt/svr4/sve
        2 verification errors encountered.
        2 corrections performed.
fverify29093 end logging at Mon Nov 11 13:56:06 1996

SUBSET SVEBCP400 at /:
fverify1664 (1) begin logging at Mon Nov 11 13:58:45 1996

./opt: gid 0 should be 16
        ./opt corrected.
./opt/svr4/etc: gid 0 should be 16
        ./opt/svr4/etc corrected.
./opt/svr4/sbin: gid 0 should be 16
        ./opt/svr4/sbin corrected.
./opt/svr4/sbin/init.d: gid 0 should be 16
        ./opt/svr4/sbin/init.d corrected.
./usr/opt/svr4/dev: gid 0 should be 16
        ./usr/opt/svr4/dev corrected.
./usr/opt/svr4/dev: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/dev corrected.
./usr/opt/svr4/etc: gid 0 should be 16
        ./usr/opt/svr4/etc corrected.
./usr/opt/svr4/etc/fs: gid 0 should be 16
        ./usr/opt/svr4/etc/fs corrected.
./usr/opt/svr4/etc/fs/ufs: gid 0 should be 16
        ./usr/opt/svr4/etc/fs/ufs corrected.
./usr/opt/svr4/sbin: gid 0 should be 16
        ./usr/opt/svr4/sbin corrected.
./usr/opt/svr4/sbin/init.d: gid 0 should be 16
        ./usr/opt/svr4/sbin/init.d corrected.
./usr/opt/svr4/usr: gid 0 should be 16
        ./usr/opt/svr4/usr corrected.
./usr/opt/svr4/usr/bin: gid 0 should be 16
        ./usr/opt/svr4/usr/bin corrected.
./usr/opt/svr4/usr/lib: gid 0 should be 16
        ./usr/opt/svr4/usr/lib corrected.
./usr/opt/svr4/usr/lib/fs: gid 0 should be 16
        ./usr/opt/svr4/usr/lib/fs corrected.
./usr/opt/svr4/usr/lib/fs/ufs: gid 0 should be 16
        ./usr/opt/svr4/usr/lib/fs/ufs corrected.
./usr/opt/svr4/usr/lib/iconv: gid 0 should be 16
        ./usr/opt/svr4/usr/lib/iconv corrected.
./usr/opt/svr4/usr/sbin: gid 0 should be 16
        ./usr/opt/svr4/usr/sbin corrected.
./usr/opt/svr4/usr/share: gid 0 should be 16
        ./usr/opt/svr4/usr/share corrected.
./usr/opt/svr4/usr/share/lib: gid 0 should be 16
        ./usr/opt/svr4/usr/share/lib corrected.
./usr/opt/svr4/usr/share/lib/terminfo: gid 0 should be 16
        ./usr/opt/svr4/usr/share/lib/terminfo corrected.
        Creating directory ./usr/opt/svr4/usr/sadm
        Creating directory ./usr/opt/svr4/usr/ucb
        Creating directory ./var/opt/svr4/sadm
        Creating directory ./var/opt/svr4/sadm/bkup
        Creating directory ./var/opt/svr4/sadm/bkup/logs
        Creating directory ./var/opt/svr4/sadm/bkup/toc
        Creating directory ./var/opt/svr4/spool
        21 verification errors encountered.
        21 corrections performed.
fverify1664 end logging at Mon Nov 11 13:58:46 1996




SUBSET SVEADM400 at /:
fverify7063 (1) begin logging at Mon Nov 11 14:02:08 1996

./usr/opt/svr4/dt: gid 0 should be 16
        ./usr/opt/svr4/dt corrected.
./usr/opt/svr4/dt: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/dt corrected.
./usr/opt/svr4/dt/appconfig: gid 0 should be 16
        ./usr/opt/svr4/dt/appconfig corrected.
./usr/opt/svr4/dt/appconfig: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/dt/appconfig corrected.
./usr/opt/svr4/dt/appconfig/appmanager: gid 0 should be 16
        ./usr/opt/svr4/dt/appconfig/appmanager corrected.
./usr/opt/svr4/dt/appconfig/appmanager/C: gid 0 should be 16
        ./usr/opt/svr4/dt/appconfig/appmanager/C corrected.
./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin: gid 0 should be 16
        ./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin corrected.
./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/Configuration: gid 0 should be 16
        ./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/Configuration corrected.
./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/Configuration: permissions rwxr-xr-x should be rwxrwxrwx
        ./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/Configuration corrected.
./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/DailyAdmin: gid 0 should be 16
        ./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/DailyAdmin corrected.
./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/DailyAdmin: permissions rwxr-xr-x should be rwxrwxrwx
        ./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/DailyAdmin corrected.
./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/MonitoringTuning: gid 0 should be 16
        ./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/MonitoringTuning corrected.
./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/MonitoringTuning: permissions rwxr-xr-x should be rwxrwxrwx
        ./usr/opt/svr4/dt/appconfig/appmanager/C/System_Admin/MonitoringTuning corrected.
./usr/opt/svr4/dt/appconfig/types: gid 0 should be 16
        ./usr/opt/svr4/dt/appconfig/types corrected.
./usr/opt/svr4/dt/appconfig/types: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/dt/appconfig/types corrected.
./usr/opt/svr4/dt/appconfig/types/C: gid 0 should be 16
        ./usr/opt/svr4/dt/appconfig/types/C corrected.
./usr/opt/svr4/dt/appconfig/types/C: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/dt/appconfig/types/C corrected.
./var/opt/svr4/save: gid 0 should be 16
        ./var/opt/svr4/save corrected.
./var/opt/svr4/save: permissions rwxr-xr-x should be rwxrwxr-x
        ./var/opt/svr4/save corrected.
./var/opt/svr4/save/etc: gid 0 should be 16
        ./var/opt/svr4/save/etc corrected.
./var/opt/svr4/save/etc: permissions rwxr-xr-x should be rwxrwxr-x
        ./var/opt/svr4/save/etc corrected.
        Creating directory ./usr/opt/svr4/dt/appconfig/icons
        Creating directory ./usr/opt/svr4/dt/appconfig/icons/C
        Creating directory ./var/opt/svr4/adm/sa
        Creating directory ./var/opt/svr4/saf
        Creating directory ./var/opt/svr4/spool/locks
        21 verification errors encountered.
        21 corrections performed.
fverify7063 end logging at Mon Nov 11 14:02:26 1996



SUBSET SVEDEV400 at /:
fverify11844 (1) begin logging at Mon Nov 11 14:05:15 1996

./usr/opt/svr4/usr/ccs/lib/cmplrs: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/ccs/lib/cmplrs corrected.
./usr/opt/svr4/usr/ccs/lib/cmplrs/cc: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/ccs/lib/cmplrs/cc corrected.
./usr/opt/svr4/usr/include/dec: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/include/dec corrected.
./usr/opt/svr4/usr/include/svr4: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/include/svr4 corrected.
./usr/opt/svr4/usr/shlib: gid 0 should be 16
        ./usr/opt/svr4/usr/shlib corrected.
        Creating directory ./usr/opt/svr4/usr/include/svr4/sys
        Creating directory ./var/opt/svr4/spool/pkg
        5 verification errors encountered.
        5 corrections performed.
fverify11844 end logging at Mon Nov 11 14:05:17 1996


SUBSET SVEMAN400 at /:
fverify17808 (1) begin logging at Mon Nov 11 14:08:04 1996

./usr/opt/svr4/usr/share/lib/tmac: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/share/lib/tmac corrected.
./usr/opt/svr4/usr/share/man: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/share/man corrected.
./usr/opt/svr4/usr/share/man/man1: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/share/man/man1 corrected.
./usr/opt/svr4/usr/share/man/man2: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/share/man/man2 corrected.
./usr/opt/svr4/usr/share/man/man3: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/share/man/man3 corrected.
./usr/opt/svr4/usr/share/man/man4: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/share/man/man4 corrected.
./usr/opt/svr4/usr/share/man/man5: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/share/man/man5 corrected.
./usr/opt/svr4/usr/share/man/man7: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/share/man/man7 corrected.
./usr/opt/svr4/usr/share/man/man8: permissions rwxr-xr-x should be rwxrwxr-x
        ./usr/opt/svr4/usr/share/man/man8 corrected.
        9 verification errors encountered.
        9 corrections performed.
fverify17808 end logging at Mon Nov 11 14:08:08 1996



SUBSET AFAADVDAEMON401 at /:
fverify22654 (1) begin logging at Mon Nov 11 14:48:36 1996

./usr/opt/advfsd: permissions rwxr-xr-x should be r-x------
        ./usr/opt/advfsd corrected.
./usr/opt/advfsd/etc: permissions rwxr-xr-x should be r-x------
        ./usr/opt/advfsd/etc corrected.
./usr/opt/advfsd/etc/srconf: permissions rwxr-xr-x should be r-x------
        ./usr/opt/advfsd/etc/srconf corrected.
./usr/opt/advfsd/etc/srconf/agt: permissions rwxr-xr-x should be r-x------
        ./usr/opt/advfsd/etc/srconf/agt corrected.
./usr/opt/advfsd/etc/srconf/mgr: permissions rwxr-xr-x should be r-x------
        ./usr/opt/advfsd/etc/srconf/mgr corrected.
./usr/opt/advfsd/scripts: permissions rwxr-xr-x should be r-x------
        ./usr/opt/advfsd/scripts corrected.
        Creating directory ./var/opt/advfsd
        Creating directory ./var/opt/advfsd/logs
        Creating directory ./var/opt/advfsd/socket
        6 verification errors encountered.
        6 corrections performed.
fverify22654 end logging at Mon Nov 11 14:48:36 1996


SUBSET MMERT220 at /:
fverify2185 (1) begin logging at Wed Jul 30 08:37:13 1997

./opt/MME220: gid 16 should be 0
        ./opt/MME220 corrected.
./opt/MME220/sbin: gid 16 should be 0
        ./opt/MME220/sbin corrected.
./opt/MME220/sbin/init.d: gid 16 should be 0
        ./opt/MME220/sbin/init.d corrected.
        Creating directory ./usr/opt/MME220/ascii_docs
        Creating directory ./usr/opt/MME220/book_docs
        Creating directory ./usr/opt/MME220/ps_docs
        3 verification errors encountered.
        3 corrections performed.
fverify2185 end logging at Wed Jul 30 08:37:14 1997


/usr/lbin/fverify6666 (0) begin logging at Fri Feb 20 04:03:36 1998

./usr/opt/BRX440/CLUSTER_SVR/NetWorker.start: cannot stat (No such file or directory)
./usr/opt/BRX440/CLUSTER_SVR/NetWorker.stop: cannot stat (No such file or directory)
        2 verification errors encountered.
        0 corrections performed.
/usr/lbin/fverify6666 end logging at Fri Feb 20 04:03:45 1998

/usr/lbin/fverify6707 (0) begin logging at Fri Feb 20 04:04:29 1998

        0 verification errors encountered.
        0 corrections performed.
/usr/lbin/fverify6707 end logging at Fri Feb 20 04:04:33 1998


SUBSET BRXSOAKIT440 at /:
fverify7560 (1) begin logging at Fri Feb 20 04:06:50 1998

        0 verification errors encountered.
        0 corrections performed.
fverify7560 end logging at Fri Feb 20 04:06:59 1998


/usr/lbin/fverify8313 (0) begin logging at Fri Feb 20 04:08:14 1998

./usr/opt/BRX440/CLUSTER_SVR/NetWorker.start: cannot stat (No such file or directory)
./usr/opt/BRX440/CLUSTER_SVR/NetWorker.stop: cannot stat (No such file or directory)
        2 verification errors encountered.
        0 corrections performed.
/usr/lbin/fverify8313 end logging at Fri Feb 20 04:08:22 1998



-------------------------------------------------------------------------
| Martin MOKREJS - Net&SysAdmin |
| PGP 5.0i key at: finger://mail.natur.cuni.cz/mmokrejs |
| mmokrejs_at_natur.cuni.cz Faculty of Science, The Charles University |
| tel.: +420-2-2195 2315 Albertov 6, PRAGUE 2, 128 43, Czech Republic |
-------------------------------------------------------------------------
Received on Thu Feb 26 1998 - 20:07:59 NZDT
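
Added example (not part of the original message, and not Digital's or the author's code): a check for the two wildcard X display entries that item 1 says must be present in the ttys and devassign files. The function names, the sample directory layout and the sample file contents are constructed for illustration; treating a trailing backslash as an entry continuation is an assumption about the file format.

```shell
#!/bin/sh
# Added example: look for the wildcard X display entries quoted in item 1.
# has_wildcard_entry FILE CAPABILITY -> exit 0 if FILE has an entry named
# "*\:*" that carries CAPABILITY and "chkent"; exit 1 otherwise.
has_wildcard_entry() {
    [ -r "$1" ] || return 1
    awk -v want="$2" '
        BEGIN { name = "*" SUBSEP "*" }
        /^[ \t]*#/ { next }                  # commented-out entries do not count
        {
            line = buf $0
            if (line ~ /\\$/) {              # assumption: trailing backslash continues the entry
                buf = substr(line, 1, length(line) - 1); next
            }
            buf = ""
            gsub(/\\:/, SUBSEP, line)        # hide escaped colons before splitting
            n = split(line, f, ":"); cap = 0; closed = 0
            for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] == want) cap = 1
                if (f[i] == "chkent") closed = 1
            }
            if (f[1] == name && cap && closed) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# audit_xdisplay DIR: report missing entries; exit status = number missing.
audit_xdisplay() {
    missing=0
    has_wildcard_entry "$1/ttys" t_xdisplay ||
        { echo "MISSING in $1/ttys: wildcard entry with t_xdisplay"; missing=$((missing + 1)); }
    has_wildcard_entry "$1/devassign" v_type=xdisplay ||
        { echo "MISSING in $1/devassign: wildcard entry with v_type=xdisplay"; missing=$((missing + 1)); }
    return "$missing"
}

# Constructed sample trees: "default" lacks the entries, "fixed" has them.
demo=$(mktemp -d)
mkdir "$demo/default" "$demo/fixed"
cat > "$demo/default/ttys" <<'EOF'
console:t_devname=console:chkent:
# *\:*:t_devname=*\:*:t_login_timeout#0:t_xdisplay:chkent:
EOF
printf '%s\n' 'console:v_devs=/dev/console:v_type=terminal:chkent:' > "$demo/default/devassign"
cat > "$demo/fixed/ttys" <<'EOF'
*\:*:t_devname=*\:*:t_login_timeout#0:\
    :t_xdisplay:chkent:
EOF
printf '%s\n' '*\:*:v_devs=*\:*:v_type=xdisplay:chkent:' > "$demo/fixed/devassign"
for t in default fixed; do
    audit_xdisplay "$demo/$t" && echo "$t: both wildcard entries present"
done
```

On a real system the directory argument would be the one holding the two files (for ttys the message gives /etc/auth/system).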
