From: <Saved by Microsoft Internet Explorer 5>
Subject: Solaris 8 Setuid/Setgid files
Date: Wed, 14 Nov 2001 08:37:09 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----=_NextPart_000_0036_01C16CE7.8C9C8E40";
	type="text/html"
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

This is a multi-part message in MIME format.

------=_NextPart_000_0036_01C16CE7.8C9C8E40
Content-Type: text/html;
	charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://ist.uwaterloo.ca/security/howto/2000-08-17.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- $Id: Solaris8_setuid.html,v 1.13 2001/03/12 21:50:39 reggers Exp $ =
--><HTML><HEAD><TITLE>Solaris 8 Setuid/Setgid files</TITLE>
<META content=3D"text/html; charset=3Dwindows-1252" =
http-equiv=3DContent-Type>
<META content=3D"Solaris security setuid setgid" name=3Dkeywords><LINK=20
href=3D"mailto:reggers@ist.uwaterloo.ca" rev=3Dmade>
<META content=3D"MSHTML 5.00.3315.2870" name=3DGENERATOR></HEAD>
<BODY =
background=3Dhttp://ist.uwaterloo.ca/security/howto/images/back.jpg>
<HR>

<TABLE width=3D"100%">
  <TBODY>
  <TR>
    <TD align=3Dleft>
      <H3>Security Review: Solaris 8 Setuid/Setgid Files <BR>Information =
Systems=20
      and Technology <BR>University of Waterloo</H3><EM>09-Nov-2000</EM> =

</EM></TD>
    <TD align=3Dright><A href=3D"http://ist.uwaterloo.ca/"><IMG =
alt=3D[IST] border=3D0=20
      height=3D75 src=3D"http://ist.uwaterloo.ca/ISTlogo.gif" =
width=3D75></A>=20
  </TD></TR></TBODY></TABLE>
<HR>

<H3>Synopsis</H3>
<BLOCKQUOTE>This paper is a brief update to the review we did on <A=20
  =
href=3D"http://ist.uwaterloo.ca/security/howto/Solaris7_setuid.html">Sola=
ris 7=20
  Setuid/Setgid Files</A> (29-Jun-1999). Solaris 8 (also known as SunOS =
5.8) is=20
  very similar to Solaris 7 (also known as SunOS 5.7) with a few minor=20
  exceptions. We'll skip any discussion of the files which are common to =
the two=20
  systems (you should read the Solaris 7 paper) and describe only the=20
  differences. Our previous recommendations still stand for the =
setuid/setgid=20
  files common to Solaris 7 and 8.=20
  <BLOCKQUOTE><B>Caution:</B> the list of setuid/setgid files we found =
on our=20
    system may not correspond to what you find on your system -- it's =
only a=20
    point in time sample on one machine. The recommendations we've made =
are=20
    suitable for <EM>medium grade security</EM> requirements. It is =
possible to=20
    lock a system down very tightly -- see for example <A=20
    =
href=3D"http://www.theorygroup.com/Archive/YASSP/2000/msg00548.html">Warr=
en=20
    Belfer</A> (11-Aug-2000). </BLOCKQUOTE>
  <P>A <A=20
  =
href=3D"http://ist.uwaterloo.ca/security/howto/Solaris8_setuid.sh">Bourne=
 Shell=20
  script</A> to implement the recommendations made here is available =
(suitable=20
  for systems at UW and perhaps elsewhere) -- it can be edited to =
implement your=20
  choices. </P></BLOCKQUOTE>
<HR align=3Dcenter width=3D"90%">

<H3>Baseline</H3>
<BLOCKQUOTE>The Solaris 8 system we reviewed and the list of =
setuid/setgid=20
  files we found where as follows:=20
  <BLOCKQUOTE><PRE>Script started on Thu Aug 17 11:34:02 2000
[11:34am sun580] <B>uname -a </B>
SunOS sun580 5.8 Generic sun4u sparc SUNW,Ultra-5_10
[11:34am sun580] <B>awk '/ f none [246]/ {print}' =
/var/sadm/install/contents</B>
/etc/lp/alerts/printer f none 4555 lp lp 203 15969 945382884 SUNWlpmsg
/opt/SUNWspro/contrib/XEmacs20.4/lib/xemacs-20.4/sparc-sun-solaris2.5.1/m=
ovemail f none 2755 bin mail 13512 23933 913761148 SPROxmbin
/usr/bin/admintool f none 4511 root sys 341204 29025 947882627 SUNWadmap
/usr/bin/at f none 4755 root sys 36320 13542 947116469 SUNWcsu
/usr/bin/atq f none 4755 root sys 13796 39936 947116470 SUNWcsu
/usr/bin/atrm f none 4755 root sys 12756 31695 947116470 SUNWcsu
/usr/bin/cancel f none 4511 root lp 9736 23058 947116877 SUNWpcu
/usr/bin/chkey f none 4555 root sys 41708 46859 947116686 SUNWnisu
/usr/bin/crontab f none 4555 root bin 17136 40921 947116470 SUNWcsu
/usr/bin/ct f none 4111 root uucp 69784 37186 947116659 SUNWbnuu
/usr/bin/cu f none 4111 uucp uucp 83740 24096 947116673 SUNWbnuu
/usr/bin/eject f none 4555 root bin 13808 15887 947118400 SUNWcsu
/usr/bin/fdformat f none 4555 root bin 26372 49041 947116452 SUNWcsu
/usr/bin/login f none 4555 root bin 29292 59075 947116643 SUNWcsu
/usr/bin/lp f none 4511 root lp 22500 25594 955117207 SUNWpcu
/usr/bin/lpset f none 4511 root lp 7116 54809 947116827 SUNWpcu
/usr/bin/lpstat f none 4511 root lp 21592 1317 947116867 SUNWpcu
/usr/bin/mail f none 2511 root mail 61288 50965 947116674 SUNWcsu
/usr/bin/mailx f none 2511 root mail 126808 30865 947116848 SUNWcsu
/usr/bin/netstat f none 2555 root sys 55168 21029 947116860 SUNWcsu
/usr/bin/newgrp f none 4755 root sys 7328 37117 947116725 SUNWcsu
/usr/bin/passwd f none 6555 root sys 101744 17766 947116784 SUNWcsu
/usr/bin/pfexec f none 4555 root bin 6508 15149 947116796 SUNWcsu
/usr/bin/rcp f none 4555 root bin 21008 46516 947116847 SUNWcsu
/usr/bin/rdist f none 4555 root bin 55480 2951 947116862 SUNWcsu
/usr/bin/rlogin f none 4555 root bin 16012 22907 947116848 SUNWcsu
/usr/bin/rsh f none 4555 root bin 8964 44609 947116849 SUNWcsu
/usr/bin/sparcv7/ipcs f none 2555 root sys 10740 24101 947116577 SUNWipc
/usr/bin/sparcv7/ps f none 4555 root sys 27752 13090 947116855 SUNWcsu
/usr/bin/sparcv7/uptime f none 4555 root bin 11368 18254 947118347 =
SUNWcsu
/usr/bin/sparcv9/ipcs f none 2555 root sys 15280 38703 947116613 =
SUNWipcx
/usr/bin/sparcv9/ps f none 4555 root sys 36520 46480 947116883 SUNWcsxu
/usr/bin/sparcv9/uptime f none 4555 root bin 15392 12481 947118363 =
SUNWcsxu
/usr/bin/su f none 4555 root sys 17156 18585 947116989 SUNWcsu
/usr/bin/tip f none 4511 uucp bin 55228 34692 947117116 SUNWcsu
/usr/bin/uucp f none 4111 uucp uucp 66940 19365 947116529 SUNWbnuu
/usr/bin/uuglist f none 4111 uucp uucp 22500 1281 947116540 SUNWbnuu
/usr/bin/uuname f none 4111 uucp uucp 19568 48864 947116551 SUNWbnuu
/usr/bin/uustat f none 4111 uucp uucp 61832 47952 947116576 SUNWbnuu
/usr/bin/uux f none 4111 uucp uucp 70852 38527 947116599 SUNWbnuu
/usr/bin/volcheck f none 4555 root bin 5980 54244 947118400 SUNWvolu
/usr/bin/volrmmount f none 4555 root bin 10780 34826 947118400 SUNWvolu
/usr/bin/write f none 2555 root tty 11344 52327 947118343 SUNWcsu
/usr/dt/bin/dtaction f none 6555 root sys 22808 25926 944116689 =
SUNWdtbas
/usr/dt/bin/dtappgather f none 4555 root bin 34036 23313 944119013 =
SUNWdtdte
/usr/dt/bin/dtmail f none 2555 bin mail 1492864 46045 944121774 =
SUNWdtdst
/usr/dt/bin/dtmailpr f none 2555 bin mail 458004 62889 944121786 =
SUNWdtdst
/usr/dt/bin/dtprintinfo f none 4555 root bin 357228 13850 944120546 =
SUNWdtdst
/usr/dt/bin/dtsession f none 4555 root bin 164224 2740 944156363 =
SUNWdtwm
/usr/dt/bin/sdtcm_convert f none 6555 root daemon 304176 60120 944118943 =
SUNWdtdmn
/usr/lib/acct/accton f none 4755 root adm 5040 60848 947116317 SUNWaccu
/usr/lib/fbconfig/SUNWifb_config f none 4555 root bin 99740 25218 =
944854900 SUNWifbcf
/usr/lib/fs/ufs/quota f none 4555 root bin 13840 12392 947116826 SUNWcsu
/usr/lib/fs/ufs/ufsdump f none 4555 root bin 82484 36819 947116540 =
SUNWcsu
/usr/lib/fs/ufs/ufsrestore f none 4555 root bin 901204 45373 947116661 =
SUNWcsu
/usr/lib/lp/bin/netpr f none 4511 root bin 19620 15476 955117226 SUNWpsu
/usr/lib/pt_chmod f none 4111 root bin 4104 3778 947116854 SUNWcsu
/usr/lib/sendmail f none 4555 root bin 658616 55541 947116988 SUNWsndmu
/usr/lib/utmp_update f none 4555 root bin 7068 60409 947117172 SUNWcsu
/usr/lib/uucp/remote.unknown f none 4111 uucp uucp 5964 49215 947116732 =
SUNWbnuu
/usr/lib/uucp/uucico f none 4111 uucp uucp 166268 6445 947116855 =
SUNWbnuu
/usr/lib/uucp/uusched f none 4111 uucp uucp 33436 60100 947116758 =
SUNWbnuu
/usr/lib/uucp/uuxqt f none 4111 uucp uucp 82760 20856 947116876 SUNWbnuu
/usr/openwin/bin/Xsun f none 2755 root root 1941644 50450 945299632 =
SUNWxwplt
/usr/openwin/bin/ff.core f none 6555 root bin 18144 34372 944701225 =
SUNWoldst
/usr/openwin/bin/kcms_calibrate f none 6755 root bin 89792 30381 =
942279681 SUNWkcspg
/usr/openwin/bin/kcms_configure f none 6755 root bin 24292 42591 =
942279643 SUNWkcsrt
/usr/openwin/bin/mailtool f none 2555 root mail 637516 56657 944701580 =
SUNWoldst
/usr/openwin/bin/sparcv9/kcms_configure f none 6755 root bin 31952 45773 =
942273275 SUNWkcsrx
/usr/openwin/bin/sys-suspend f none 4755 root bin 44452 6322 942282798 =
SUNWpmowu
/usr/openwin/bin/xlock f none 4775 root bin 68860 43780 945300248 =
SUNWxwplt
/usr/openwin/lib/mkcookie f none 4755 root bin 27620 24111 945299729 =
SUNWxwplt
/usr/platform/sun4u/sbin/eeprom f none 2555 root sys 11376 38891 =
947116438 SUNWkvm
/usr/platform/sun4u/sbin/prtdiag f none 2755 root sys 4512 22503 =
947118367 SUNWkvm
/usr/sbin/afbconfig f none 4555 root bin 61508 19299 944695277 SUNWafbcf
/usr/sbin/allocate f none 4755 root bin 17616 53173 947118389 SUNWcsu
/usr/sbin/aspppls f none 4555 root bin 5584 20920 947116576 SUNWapppu
/usr/sbin/ffbconfig f none 4555 root bin 58980 12585 944695292 SUNWffbcf
/usr/sbin/igsconfig f none 4555 root bin 37260 36326 941496138 SUNWigsu
/usr/sbin/lpmove f none 4511 root lp 6868 16863 947116882 SUNWpcu
/usr/sbin/m64config f none 4555 root bin 28388 54466 944595359 SUNWm64cf
/usr/sbin/mkdevalloc f none 4755 root bin 9800 55620 947118389 SUNWcsu
/usr/sbin/mkdevmaps f none 4755 root bin 9948 50881 947118389 SUNWcsu
/usr/sbin/pgxconfig f none 4555 root bin 102904 64555 929538945 TSIpgxw
/usr/sbin/ping f none 4555 root bin 48028 22774 947116432 SUNWcsu
/usr/sbin/pmconfig f none 4555 root bin 28956 51944 947116837 SUNWpmu
/usr/sbin/sacadm f none 4755 root sys 22640 34467 947116901 SUNWcsu
/usr/sbin/sparcv7/prtconf f none 2555 root sys 19544 58600 947116840 =
SUNWcsu
/usr/sbin/sparcv7/swap f none 2555 root sys 10316 41822 947116998 =
SUNWcsu
/usr/sbin/sparcv7/sysdef f none 2555 root sys 22656 30408 947117013 =
SUNWcsu
/usr/sbin/sparcv7/whodo f none 4555 root bin 12916 13815 947118347 =
SUNWcsu
/usr/sbin/sparcv9/prtconf f none 2555 root sys 24488 18373 947116858 =
SUNWcsxu
/usr/sbin/sparcv9/swap f none 2555 root sys 13528 20913 947117006 =
SUNWcsxu
/usr/sbin/sparcv9/sysdef f none 2555 root sys 31520 30875 947117034 =
SUNWcsxu
/usr/sbin/sparcv9/whodo f none 4555 root bin 17408 20324 947118363 =
SUNWcsxu
/usr/sbin/static/rcp f none 4555 root bin 762688 41154 947116852 =
SUNWsutl
/usr/sbin/traceroute f none 4555 root bin 35652 19177 947116415 SUNWcsu
/usr/sbin/wall f none 2555 root tty 9872 39608 947118341 SUNWcsu
/usr/ucb/sparcv7/ps f none 4555 root sys 22988 61065 947118751 SUNWscpu
/usr/ucb/sparcv9/ps f none 4555 root sys 31544 33406 947118759 SUNWscpux
/usr/vmsys/bin/chkperm f none 6555 bin bin 9836 4379 947383480 SUNWfac
/usr/xpg4/bin/sparcv7/ipcs f none 2555 root sys 10780 31054 947116578 =
SUNWxcu4
/usr/xpg4/bin/sparcv9/ipcs f none 2555 root sys 15344 31816 947116613 =
SUNWxcu4x
[11:34am sun580] <B>exit</B>
script done on Thu Aug 17 11:34:20 2000
</PRE></BLOCKQUOTE></BLOCKQUOTE>
<HR align=3Dcenter width=3D"90%">

<H3>Setuid/Setgid files missing in Solaris 8</H3>
<BLOCKQUOTE>There are a couple of Setuid/Setgid files we find in =
(current up=20
  to patch) Solaris 7 that we don't find in Solaris 8:=20
  <BLOCKQUOTE><PRE>/usr/platform/sun4m/sbin/eeprom
/usr/sbin/arp
</PRE></BLOCKQUOTE>The <B>eeprom</B> is just an architecture difference =
-- the=20
  Solaris 8 system we used was an Ultra-sparc and the same program is =
found=20
  under the <B>sun4u</B> platform. The <B>arp</B> is nice to see -- Sun =
seems to=20
  have recognized that there's no need for this to be setgid (as per our =

  previous recommendations).=20
  <P>There was one Solaris 7 setgid we had found a year ago that (on =
current up=20
  to patch) Solaris 7 is no longer setgid:=20
  <BLOCKQUOTE><PRE>/usr/sbin/dmesg
</PRE></BLOCKQUOTE>Apparently some patch in the interim has prudently =
dropped=20
  the setgid. Actually it's a much better fix than that! The command =
used to be=20
  setgid so it could do kernel prods. Now it's a simple shell script =
that just=20
  displays information from the syslog files:=20
  <BLOCKQUOTE><PRE>[3:39pm sun580] <B>more /usr/bin/dmesg</B>
#!/usr/bin/sh
#
# Copyright (c) 1998 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident  "@(#)dmesg.sh   1.1     98/09/30 SMI"

/usr/bin/echo
/usr/bin/date
/usr/bin/cat -s `/usr/bin/ls -tr1 /var/adm/messages.? 2&gt;/dev/null` \
        /var/adm/messages | /usr/bin/tail -200
</PRE></BLOCKQUOTE>That's an elegant solution to the problem -- you no =
longer=20
  need to do any kernel prodding! I'm not sure which patch set gave us =
that=20
  version of the tool but I'm certainly happy to see it. </BLOCKQUOTE>
<HR align=3Dcenter width=3D"90%">

<H3>Setuid/Setgid files new in Solaris 8</H3>
<BLOCKQUOTE>There are a few Setuid/Setgid files we found in Solaris 8 =
that we=20
  didn't find in Solaris 7:=20
  <BLOCKQUOTE><PRE>/usr/bin/pfexec
/usr/bin/sparcv9/ipcs
/usr/bin/sparcv9/ps
/usr/bin/sparcv9/uptime
/usr/lib/fbconfig/SUNWifb_config
/usr/openwin/bin/sparcv9/kcms_configure
/usr/platform/sun4u/sbin/eeprom
/usr/platform/sun4u/sbin/prtdiag
/usr/sbin/afbconfig
/usr/sbin/aspppls
/usr/sbin/ffbconfig
/usr/sbin/igsconfig
/usr/sbin/m64config
/usr/sbin/pgxconfig
/usr/sbin/sparcv9/prtconf
/usr/sbin/sparcv9/swap
/usr/sbin/sparcv9/sysdef
/usr/sbin/sparcv9/whodo
/usr/ucb/sparcv9/ps
/usr/xpg4/bin/sparcv7/ipcs
/usr/xpg4/bin/sparcv9/ipcs
</PRE></BLOCKQUOTE>Most of the <B>sparcv9</B> programs under =
<B>/usr/bin</B>,=20
  <B>/usr/sbin</B> and <B>/usr/ucb</B> match with the <B>sparcv7</B> =
versions we=20
  found in Solaris 7 and most of the <B>sun4u</B> platform specific =
programs=20
  match Solaris 7 versions. Again they're mostly just an architectural=20
  difference between the Sparc (32bit) and Ultra-Sparc (64bit) kernels. =
There=20
  are a couple of surprises though -- <B>kcms_configure</B> under the=20
  Open-Windows <B>sparcv9</B> and <B>prtdiag</B> under the <B>sun4u</B> =
platform=20
  are new!=20
  <P>The two versions of <B>ipcs</B> under <B>/usr/xpg4</B> are yet =
another=20
  version of the <B>ipcs</B> program we found on Solaris 7 and the same=20
  recommendations apply. Apparently <B>XPG4</B> is one of the POSIX =
standards=20
  that Solaris implements (see the man page).=20
  <P>Nevertheless there a few new tools we need to evaluate. =
</P></BLOCKQUOTE>
<HR align=3Dcenter width=3D"90%">

<H3>Recommendations</H3>
<BLOCKQUOTE>These recommendations are restricted to just those new files =
we=20
  find in Solaris 8:=20
  <P>
  <OL>
    <LI><TT><B>/usr/bin/pfexec f none 4555 root bin 6508 15149 947116796 =
SUNWcsu=20
    </B></TT>
    <P>This setuid <B>root</B> tool is new to Solaris 8. It's part of =
the=20
    <EM>"Core Solaris, (Usr)"</EM> (SUNWcsu) package. The manual page =
says:=20
    <BLOCKQUOTE>The pfexec program is used to execute commands with the=20
      attributes specified by the user's profiles in the exec_attr(4) =
database.=20
      It is invoked by the profile shells, pfsh, pfcsh, and pfksh which =
are=20
      linked to the Bourne shell, C shell, and Korn shell, respectively. =

      <P>Profiles are searched in the order specified in the user's =
entry in the=20
      user_attr(4) database. If the same command appears in more than =
one=20
      profile, the profile shell uses the first matching entry.=20
    </P></BLOCKQUOTE>This seems to be a facility for granting fine =
grained=20
    access controls to users. Running <B>pfsh</B> or <B>pfcsh</B> seem =
to give=20
    me a useless shell -- probably because the two databases mentioned =
are=20
    trivial. I don't see any usage in any of the startup scripts in=20
    <B>/etc/init.d</B>. I did find a reference at <A=20
    =
href=3D"http://www.securityfocus.com/focus/sun/articles/securing.html">Se=
curityFocus=20
    Inc.</A> where the author recommends that you don't need it.=20
    <P><B>Recommendation:</B> Drop the setuid -- wait until you discover =
an=20
    application that requires this.=20
    <P></P>
    <LI><TT><B>/usr/lib/fbconfig/SUNWifb_config f none 4555 root bin =
99740 25218=20
    944854900 SUNWifbcf </B></TT>
    <P>Another setuid <B>root</B> tool. This is part of the <EM>"Sun =
Expert3D=20
    (IFB) Graphics Configuration Software"</EM> (SUNWifbcf) package. The =
Manual=20
    page says:=20
    <BLOCKQUOTE>SUNWifb_config configures the Sun Expert3D Graphics=20
      Accelerator and some of the X11 window system defaults for the =
graphics=20
      accelerator. </BLOCKQUOTE>On systems that don't have a glass =
console of the=20
    sort supported by this tool there's obviously no need for this. On =
systems=20
    that do have the graphics hardware I have a hard time believing that =
this=20
    tool needs to be run very often (if at all) by anyone other than the =
root=20
    user. Given the history of security problems with similar tools =
(there have=20
    been advisories wrt. the Kodak Color Management System) I can't see =
leaving=20
    this setuid <B>root</B>.=20
    <P><B>Recommendation:</B> Drop the setuid -- if you need to =
configure the=20
    graphics hardware <B>su</B> first.=20
    <P></P>
    <LI><TT><B>/usr/openwin/bin/sparcv9/kcms_configure f none 6755 root =
bin=20
    31952 45773 942273275 SUNWkcsrx </B></TT>
    <P>This one is quite a surprise. There's already a=20
    <B>/usr/openwin/bin/kcms_configure</B> that's setuid so this can't =
be one of=20
    those ISA versions (unless they've inadvertently made an =
<B>isaexec</B> copy=20
    and needlessly marked it setuid). Package information explains =
things:=20
    <BLOCKQUOTE><PRE>[3:45pm sun580] <B>pkginfo SUNWkcsrt</B>
application SUNWkcsrt      KCMS Runtime Environment
[3:46pm sun580] <B>pkginfo SUNWkcsrx</B>
application SUNWkcsrx      KCMS 64 bit Runtime Environment
</PRE></BLOCKQUOTE>I suppose both might be required but would make the =
same=20
    observations -- you don't need this very often and when you do need =
it you=20
    should be <B>root</B>. You don't want arbitrary users mucking with =
this.=20
    Gosh, I seem to recall that you need special diagnostic devices to =
use this=20
    tool anyway.=20
    <P><B>Recommendation:</B> As before, drop the setuid -- if you need =
to=20
    configure the graphics hardware <B>su</B> first.=20
    <P></P>
    <LI><TT><B>/usr/platform/sun4u/sbin/prtdiag f none 2755 root sys =
4512 22503=20
    947118367 SUNWkvm</B></TT>=20
    <P>A setgid <B>sys</B> surprise. The manual page says =
"<B>prtdiag</B>=20
    displays system configuration and diagnostic information on sun4u =
and sun4d=20
    systems." That explains why we didn't see it on Solaris 7 -- we were =

    reviewing a different hardware platform.=20
    <P><B>Recommendation:</B> Drop the setgid -- if you need to use this =
then=20
    <B>su</B> first.=20
    <P></P>
    <LI><TT><B>/usr/sbin/afbconfig f none 4555 root bin 61508 19299 =
944695277=20
    SUNWafbcf </B></TT>
    <P>Another setuid <B>root</B> tool for mucking with graphics =
hardware (the=20
    AFB Graphics Accelerator). This is part of the <EM>"Elite3D Graphics =

    Configuration Software"</EM> (SUNWafbcf) package but I have the same =

    recommendation.=20
    <P><B>Recommendation:</B> Drop the setuid -- if you need to =
configure the=20
    graphics hardware <B>su</B> first.=20
    <P></P>
    <LI><TT><B>/usr/sbin/aspppls f none 4555 root bin 5584 20920 =
947116576=20
    SUNWapppu </B></TT>
    <P>This is part of the <EM>"PPP/IP Asynchronous PPP daemon and PPP =
login=20
    service"</EM> (SUNWapppu) package. And that allows for IP =
connections over=20
    serial lines -- typically modems and the telephone. Certainly not =
required=20
    for anyone on the campus network. This looks like an optional =
package that=20
    should not be installed on servers.=20
    <P><B>Recommendation:</B> Drop the setuid unless you actually need a =
PPP=20
    connection.=20
    <P></P>
    <LI><TT><B>/usr/sbin/ffbconfig f none 4555 root bin 58980 12585 =
944695292=20
    SUNWffbcf </B></TT>
    <P>Another setuid <B>root</B> tool for mucking with graphics =
hardware (this=20
    time the FFB Graphics Accelerator). This is part of the <EM>"Creator =

    Graphics Configuration Software"</EM> (SUNWffbcf) package. Same=20
    recommendation:=20
    <P><B>Recommendation:</B> Drop the setuid -- if you need to =
configure the=20
    graphics hardware <B>su</B> first.=20
    <P></P>
    <LI><TT><B>/usr/sbin/igsconfig f none 4555 root bin 37260 36326 =
941496138=20
    SUNWigsu </B></TT>
    <P>Another setuid <B>root</B> tool for mucking with graphics =
hardware (this=20
    time the IGS Graphics Adaptor). This is part of the <EM>"IGS =
CyberPro2010=20
    DDX (OW) Driver and Utilities"</EM> (SUNWigsu) package. Same =
recommendation:=20

    <P><B>Recommendation:</B> Drop the setuid -- if you need to =
configure the=20
    graphics hardware <B>su</B> first.=20
    <P></P>
    <LI><TT><B>/usr/sbin/m64config f none 4555 root bin 28388 54466 =
944595359=20
    SUNWm64cf </B></TT>
    <P>Another setuid <B>root</B> tool for mucking with graphics =
hardware (this=20
    time the M64 Graphics Accelerator). This is part of the <EM>"M64 =
Graphics=20
    Configuration Software"</EM> (SUNWm64cf) package. Same =
recommendation:=20
    <P><B>Recommendation:</B> Drop the setuid -- if you need to =
configure the=20
    graphics hardware <B>su</B> first.=20
    <P></P>
    <LI><TT><B>/usr/sbin/pgxconfig f none 4555 root bin 102904 64555 =
929538945=20
    TSIpgxw </B></TT>
    <P>Another setuid <B>root</B> tool for mucking with graphics =
hardware (this=20
    time the PGX32 (Raptor GFX) Graphics Accelerator). This is part of =
the=20
    <EM>"PGX32 (Raptor GFX) X Window System Support"</EM> (TSIpgxw) =
package.=20
    Same recommendation:=20
    <P><B>Recommendation:</B> Drop the setuid -- if you need to =
configure the=20
    graphics hardware <B>su</B> first.=20
    <P></P></LI></OL>
  <P>The <B>pfexec</B> tool may be great solution for managing fine =
grained=20
  access to services. It may, until it's had some time in the market, be =
a=20
  security problem. While it's nice to see support for lots of display=20
  accelerators it's very dangerous to see all the setuid <B>root</B> =
tools for=20
  mucking with them. The <B>prtdiag</B> program is another needless =
instance of=20
  allowing all users access to kernel information. The support for =
dialup PPP is=20
  nice was well -- for those who need it -- but a needless security =
exposure for=20
  everyone else.=20
  <P>The cautious system manager should restrict access to these new =
tools by=20
  dropping the setuid on all of them -- none are required for the casual =
user.=20
  These additions are, in my opinion, an unwarranted risk. You can =
reduce your=20
  risk by using the <A=20
  =
href=3D"http://ist.uwaterloo.ca/security/howto/Solaris8_setuid.sh">Bourne=
 Shell=20
  script</A> that implements the recommendations made here and in the =
companion=20
  paper on Solaris 7. </P></BLOCKQUOTE>
<HR align=3Dcenter width=3D"90%">

<H3>See Also</H3>
<BLOCKQUOTE>Some further reading for the brave or curious:=20
  <UL>
    <LI><A href=3D"http://yassp.parc.xerox.com/">YASSP: Yet Another =
Solaris=20
    Security Package</A> Jean Chounard=20
    <LI><A =
href=3D"http://www.science.uva.nl/pub/solaris/solaris2/">Solaris 2=20
    FAQ</A> Casper Dik=20
    <LI><A href=3D"http://sunsolve.sun.com/">SUNSOLVE ONLINE</A> =
(vendor's site)=20
    <LI><A href=3D"http://docs.sun.com/">Sun Product Documentation</A> =
(vendor's=20
    site)=20
    <LI><A=20
    =
href=3D"http://www.sunworld.com/sunworldonline/common/security-faq.html">=
The=20
    Solaris Security FAQ</A> (sunworld -- Peter Baer Galvin) =
</LI></UL></BLOCKQUOTE>
<HR>

<DIV align=3Dright><SMALL><I>2000/08/17 - 2001/03/12; <A=20
href=3D"mailto:reggers@ist.uwaterloo.ca">Reg Quinton</A></I></SMALL>=20
</DIV></BODY></HTML>

------=_NextPart_000_0036_01C16CE7.8C9C8E40
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://ist.uwaterloo.ca/ISTlogo.gif

R0lGODlhYABfALMAAP///wAAAJ2dnYAGHPDm6F1dXSwsLNK3vKJJWkZGRv7+/saQmrNreIKCgpIq
PeHM0CH5BAEAAAAALAAAAABgAF8AAAT+EMhJq7046827/2AojmRpnmiqrmzrvuZxbAoB3yAzT8ww
MJPHAOHY4Y4SI2AxUCQHB6ZzCR0ikUKGDXCASoSL3rQHcAAzhMP2SmIOtorfhFnkaQcLjcMhZ48I
CE0TCGcbBGsXe10Pfh0EOhMEPkonj10OD4iNFwd7A4wSCwdTKZKieJsbCAt7DqQuXT6gCpSpAAoO
C4SaLWmgAEK/jWu4XpsMDo+8OIF5Eq9sTg5EdVcKrM22EmY+DNDMA8nI32wPZsJHgEXhBOTat3vL
KQqBMgju2g9drDfF6O8UOmHDh4LAAoLvEARyoaAQQA7XaqFghfDhhUcM/oWQhMrih2v+PpyZIMDH
oUcNgfZU9HBA40kLZm693KQPxQMG3jIcaMCTp4cHDwQIHSpgCwGiSJMOlXgCFx8EGQQEmBrAgKEC
BqhqnbpD6tavXwtguKlFhBBaDqJuzaCgAditOw68nRtArIU4Q6BuDBcTg9epVi8oSECXatfCYO1W
MCVFxIFV+P5WxVAAMdcklrcqrpAr3EoRAgyINpDgguTCcUUnUJ1V62rSohtgeLTA5QVR8kQQaE21
AFMNbqkGhkHkUwq5WmWPCA4YRycfuU4wn/rZwvThH/SJ3BDl8W8JAlav3iyhcu8S10HgDQdLK/by
WsmDSA9ClLncJCS/B2B+qvwP9H3+cAAyxqygn3Xu4QeceyHQYdwGQoTEwYEVnNZAdRQECMIDCnHQ
BU7fgcfgYl8ZUFQIGjriQx8aCKTGhCNW0N9WBhRwIgcpdoBbBz1MAqNwF/E2l4345OgCUAoCQKEF
u2XWwDJGarMkk9PRZQAvUWpwyAtTXhQeYldWkGUG65g0G5IexmjITqu9pdwEXXJAEgNEbMDHitv5
peYHRwlJXYZ7yllSWijhtEBtPzZHwmBbCQAokCHgVBMLcYJAgGaPKupRpSDMWNoEY27CKYBqhtrI
qB5MaaofqHag4ao2VdQqB55mOlkID2D4WJ6cbJUkW1u9CQCsc5hR3T4IKRBsCTP+BqDErIv15cEh
tlFAWHzV3nWAnwG8QuwzW76A3FfKKcAabOi6KWagDzXr3zOZJbgupC8xiikAl8Z72byaspGkAs3a
pWy8Bmi06iMotERIBwdcW5cE+SKWgADurLqPCXixku0EtAiwgwJKIZUrhEjJqU+BIxSxh5kzwbTi
gyMUg0nLNGgn7QgMHEQzWxTgEmJ29+xMwS5BqBCLzjs35AMCvwoYThZCd/EIOytcQ09HNEuyBxMb
R4r1zo/lnEwvOxiURyYPDbgGMk2TEMgPN6eCDB9tV4JHLHWrAAcUwfg7Dd1yuyJBOGz7MXUt7Rxx
Mb5EN0LLBcgskLfXk18x9Q94lWNACyhaC91D4aV44sxjmePQOQtMAFCn0KEUiI1tq0MchRVUsMLy
TBR98UNjSzROhC42aN2DDdeYUbotHwZiw4c4SfB5R9OYwnoH9CjifBNrDwBAH2KsMv20I+M7RB9S
9PUA0t//IUMkB6Gd/vvwxy///PTXz0EEADs=

------=_NextPart_000_0036_01C16CE7.8C9C8E40
Content-Type: image/jpeg
Content-Transfer-Encoding: base64
Content-Location: http://ist.uwaterloo.ca/security/howto/images/back.jpg

/9j/4AAQSkZJRgABAgEASABIAAD/7QG4UGhvdG9zaG9wIDMuMAA4QklNA+kAAAAAAHgAAwAAAEgA
SAAAAAAC2gIo/+H/4gL5AkYDRwUoA/wAAgAAAEgASAAAAAAC2gIoAAEAAABkAAAAAQABAQEAAAAB
Jw8AAQABAAAAAAAAAAAAAAAAAAIAGQGQAAAAAABAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAA4
QklNA+0AAAAAABAASAAAAAEAAQBIAAAAAQABOEJJTQPzAAAAAAAIAAAAAAAAAAA4QklNJxAAAAAA
AAoAAQAAAAAAAAACOEJJTQP1AAAAAABIAC9mZgABAGxmZgAGAAAAAAABAC9mZgABAKGZmgAGAAAA
AAABADIAAAABAFoAAAAGAAAAAAABADUAAAABAC0AAAAGAAAAAAABOEJJTQP4AAAAAABwAAD/////
////////////////////////A+gAAAAA/////////////////////////////wPoAAAAAP//////
//////////////////////8D6AAAAAD/////////////////////////////A+gAADhCSU0EBgAA
AAAAAgAC/+4ADkFkb2JlAGSAAAAAAf/bAIQADAgICAkIDAkJDBELCgsRFQ8MDA8VGBMTFRMTGBEM
DAwMDAwRDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAENCwsNDg0QDg4QFA4ODhQUDg4ODhQR
DAwMDAwREQwMDAwMDBEMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM/8AAEQgAYABgAwEiAAIR
AQMRAf/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIEBQYHCAkKCwEAAQUBAQEBAQEAAAAAAAAAAQAC
AwQFBgcICQoLEAABBAEDAgQCBQcGCAUDDDMBAAIRAwQhEjEFQVFhEyJxgTIGFJGhsUIjJBVSwWIz
NHKC0UMHJZJT8OHxY3M1FqKygyZEk1RkRcKjdDYX0lXiZfKzhMPTdePzRieUpIW0lcTU5PSltcXV
5fVWZnaGlqa2xtbm9jdHV2d3h5ent8fX5/cRAAICAQIEBAMEBQYHBwYFNQEAAhEDITESBEFRYXEi
EwUygZEUobFCI8FS0fAzJGLhcoKSQ1MVY3M08SUGFqKygwcmNcLSRJNUoxdkRVU2dGXi8rOEw9N1
4/NGlKSFtJXE1OT0pbXF1eX1VmZ2hpamtsbW5vYnN0dXZ3eHl6e3x//dAAQABv/aAAwDAQACEQMR
AD8A9GHtHKbcToFKQmn5BFSwlS8p1TaKQLQElLFgTe3hJz5UNZSUkcdICZo8U0kJCSkpnP7o+aGT
rqiF2kKOwclJSzXaqTgCowJTgT3SU//Q9FAcE+3u5Rc4ypAyNSipQMmAE5b4mEwIHCkAOTqUlMDH
ASACRBJ0TQQUlMnN00TNHjwn3GIT699ElK3DwTF274JbR3PyShJSgB2GiRmNE4BPJ0UiQElP/9H0
QCU5GibcVMERqipgCZRI8SogDnukZnQJKZEho05UdeSmg904geZSUrhNukqYb4qLi1qSlvhqniOT
qnDhGiiG6yUlMtY0US091MEnRo+ag+Qkp//S9GO3gJASkPIJ4J0CKlSBwmk/BLYZklOGg8lJSwPh
qnBhMSQYCcDTXRJSxeeygZKmSANAo6JKUAQlOvKm0AhRLDKSmQPYapbZ1KW6BCYvJ0SU/wD/0/Rw
AdJUpa1QGvCRb4mEVLPdPCZpSjXRSASUtu8FJuupUHAgqTYiSUlLu93CiWQFOWhR55OiSlhITgHu
lpymJKSlyG90vhoEhPhqlEauPySU/wD/1PRwY0ak4QOZKZvkJKltJ5RUj1TsKk4gaBRhJS5IJ4SM
p5ACaZSUrb4n5JAeSbvpqpapKXAJ1KTiAmc48BQM90lLh5lORPKiG90jokp//9k=

------=_NextPart_000_0036_01C16CE7.8C9C8E40--