>following may be useful to any using SunOS 4.1.3_U1 (and especially since
>Bruce's email came to me just before I was going to send this (: ). I'll have
>to study Bruce's comments (Bruce: what's the -:::::: do in passwd?);
The MAN pages for passwd [PASSWD(5) ] tell us that the passwd file
[ /etc/passwd ] can have lines beginning with + which means to incorporate
entries from the Network Information Service (NIS). As shipped by SUN,
the standard installation includes a line that reads something like,
+::::::
Because SunOS 4.1.x doesn't always act as expected, and because none
of the *experts* I've been reading trusts NIS {recent post of top ten
unix security defects had NIS at the top}, I replaced the + with a - to give
positive closure of the shipped hole. If you run NIS, which I do not,
this hole makes *anybody* {read, Joe the student cracker} on your NIS
server a user on your local system.
[much wise counsel from Charlie Fry munched]
>4. Disable non-console root logins by removing secure from all but the first
>(console) line in ttytab.
The experts all write that you should even remove the secure from the
console line in ttytab because forcing an su to root from an identified
user gives you logging information on who is trying to become root
{check /var/adm/messages* for your logging information}.
>5. Limit su privileges with group by adding only managers' names in wheel line:
>
> wheel:*:0:root,cathy
That's one I hadn't heard of before, but it's very good.
>6. Allow exporting (cross mounting) only to machines you know about, and
>use complete node names when specifying (in exports):
>
> /usr/openwin -ro,access=name.at.node.address
And note the -ro for read only exports. This means that Joe cracker
can't IP spoof and write his own little gateway into your machine
on a conveniently open disk. Also, never export / or /etc read only
or any other way. There is no sense in letting others read your
configuration, passwd file, and so forth. {Perhaps somebody could
tell us why /etc/passwd needs to be world and group readable when
it is only root writable and you aren't going to run finger or rusers.
I've asked on the security newsgroups and nobody replied.}
>7. Make sure .rhosts are nonexistent, or very carefully controlled.
This is absolutely essential. Personally, I delete all .rhosts.
>8. Control passwords: I make users give me their passwords and changes,
>and I check them about once a month, and request they change them about
>every six to eight weeks. I do keep a list of the passwords on paper, but
>don't worry as much about this security breach as a possible short, poor
>password a nontypist user might change to that would allow an external
>hacker to get in. I force users to use a
>combination of small and caps and numbers in an eight character
>password.
I also run Crack against them. I'm told that you can replace the
passwd command with a version that compels better password selection,
but I just haven't had time to compile and install that code {have the
code for it, however}. Password control is really a must.
>I just looked over my patch documentation, and the following are recommended
>by Sun for 4.1.3_U1:
>
>Solaris 1.1.1 Patches Containing Security Fixes:
>------------------------------------------------
>
>101434-03 SunOS 4.1.3_U1: lpr Jumbo Patch
>101440-01 SunOS 4.1.3_U1: security problem: methods to exploit login/su
>101558-03 SunOS 4.1.3_U1: international libc jumbo patch
>101579-01 SunOS 4.1.3_U1: Security problem with expreserve for Solaris 1.1.1
>101587-01 SunOS 4.1.3_U1: security patch for mfree and icmp redirect
>101621-02 SunOS 4.1.3_U1: Jumbo tty patch
>101665-03 SunOS 4.1.3_U1: sendmail jumbo patch
>101679-01 SunOS 4.1.3_U1: Breach of security using modload
>101759-02 SunOS 4.1.3_U1: domestic libc jumbo patch
>102060-01 SunOS 4.1.3_U1: Root access possible via forced passwd race condition
>100448-02 OpenWindows 3.0: loadmodule is a security hole.
>100452-68 OpenWindows 3.0: XView 3.0 Jumbo Patch
>100478-01 OpenWindows 3.0: xlock crashes leaving system open
>
>Yah, I installed all these plus 13 more.
>We didn't change to Solaris 2.x because of comfort with Berkeley shell, but
>these patches might get one over the hump to System V (although I wonder
>if it's any better?).
>
>Anyway, hope this helps (from one still learning--and not liking--UNIX
>security problems).
Just as a side note, most of these patches were incorporated into
SunOS 4.1.3_U1 rev. B -- Solaris 1.1.1 rev. B. However, the rev. B
security patch uses the cut command which is only available if the
System_V bins are included on loading. Note that Varian recommends
that you *not* install System_V which means that the SunOS 4.1.3_U1
rev. B security patch 100103-11 which changes various file permissions to
a more secure mode will not run {not to mention software from other
places which assumes a functioning cut on your machine}. Of course,
some bright CS type could probably write a cut script or program to
correct this problem {if somebody does, please post it because that
solves some patch problems}.
For rev. B, there is also a patch ow3_u1 for Openwindows 3 which
covers all the Openwindows patches given above.
Anyway, I hope this also helps {I know what you mean about learning
and not liking UNIX security problems. I'm in the same boat.}
--
Bruce D. Ray                          bray@indyvax.iupui.edu
Operations Director, NMR Center, IUPUI Physics Dept.
402 N. Blackford St., Indianapolis, IN 46202-3273
voice: 317-274-6914    fax: 317-274-2393
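A small audit script for the points discussed in this thread (the passwd "+" line, the secure flag in ttytab, exports without -ro/access=, the wheel group, and stray .rhosts files). This is an added example, not code from the thread or from Sun; it assumes SunOS 4.1.x file formats, runs against constructed sample copies of the files, and deliberately avoids cut since the post notes it may be absent without the System_V bins.

```shell
# Audit helpers for the SunOS 4.1.x hardening points raised in this thread.
# Each function takes a file path (a copy of /etc/passwd, /etc/ttytab,
# /etc/exports, /etc/group, or a home-directory root). Only grep/awk/find
# are used because the post notes that cut may be missing.

# passwd: count "+" lines (a "+::::::" line imports every NIS account).
nis_plus_entries() { grep -c '^+' "$1" || :; }
# ttytab: non-console lines still marked "secure" (direct root login allowed).
insecure_root_ttys() {
    awk '$1 != "console" { for (i = 2; i <= NF; i++) if ($i == "secure") print $1 }' "$1"
}
# exports: filesystems exported without both the ro option and an access= list.
weak_exports() {
    awk '!/^#/ && NF > 0 && (!/[-,]ro([, ]|$)/ || !/[-,]access=/) { print $1 }' "$1"
}
# group: members of wheel, i.e. who may su to root.
wheel_members() { awk -F: '$1 == "wheel" { print $4 }' "$1"; }
# home tree: every .rhosts file that still exists.
find_rhosts() { find "$1" -name .rhosts -print 2>/dev/null; }

# Constructed sample files (not real system files) so the audit runs offline.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:*:0:1:Operator:/:/bin/csh
cathy:*:101:10:Cathy:/home/cathy:/bin/csh
+::::::
EOF
cat > "$SAMPLE/ttytab" <<'EOF'
console "/usr/etc/getty std.9600"   sun     on  local secure
ttya    "/usr/etc/getty std.9600"   unknown off local secure
ttyb    "/usr/etc/getty std.9600"   unknown off local
EOF
cat > "$SAMPLE/exports" <<'EOF'
/usr/openwin -ro,access=name.at.node.address
/home -access=name.at.node.address
/export/tmp
EOF
printf 'wheel:*:0:root,cathy\nstaff:*:10:\n' > "$SAMPLE/group"
mkdir -p "$SAMPLE/home/cathy" && : > "$SAMPLE/home/cathy/.rhosts"

echo "NIS + entries: $(nis_plus_entries "$SAMPLE/passwd")"
echo "root-capable ttys: $(insecure_root_ttys "$SAMPLE/ttytab")"
echo "weak exports: $(weak_exports "$SAMPLE/exports" | tr '\n' ' ')"
echo "wheel members: $(wheel_members "$SAMPLE/group")"
echo ".rhosts files: $(find_rhosts "$SAMPLE/home")"
```

On a real host, point the functions at /etc/passwd, /etc/ttytab, /etc/exports, /etc/group and /home instead of the sample directory; any non-empty output is a line worth reviewing.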