OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 1st quarter (Jan-Mar) 1996: Re: World writable devices in Irix?

Re: World writable devices in Irix?

Douglas Siebert (dsieberticaen.uiowa.edu)
Wed, 3 Jan 1996 21:52:18 -0600 

>
> On Dec 21,  8:52pm, Diego Zamboni wrote:
> > Subject: World writable devices in Irix?
> >
> > I'm just speculating here (I'm not an expert on Irix internals), but the
> > following default permissions in Irix 5.3 look a bit dangerous to me:
> >
> > crw-rw-rw-    1 root     sys       10, 56 Sep 11  1995 /dev/gfx
> > crw-rw-rw-    2 root     sys        0, 30 Sep 11  1995 /dev/keybd
> > crw-rw-rw-    2 root     sys        0, 31 Sep 11  1995 /dev/mouse
> >
> > Does this mean that anybody can read/write to the graphics display, the
> > keyboard and the mouse?
>
>      I expect it does.  But note that there is also:
>
> crw-rw-rw-    1 root     sys       39,  0 Mar  4  1994 /dev/audio
>
> which means that anyone can listen in to what is being said around your
> workstation.
>
>      *ALL* such devices *SHOULD* have their ownership and permissions set to
> what is required by the Xstartup script (in /usr/lib/X11/xdm == /var/X11/xdm).
>  They should also be reset to be owned by root (and not necessarily
> work-readable, otherwise you could snoop on the /dev/audio of a workstation
> which isn't being used) by the Xreset file.
>
>      However, I haven't yet seen a workstation that has any device file
> configuring done in these two files.  And it is not necessarily obvious which
> device files need to be changed, and what permission bits need to be set.
>
>      Workstation vendors *SHOULD* add these parts themselves (they are the ones
> who really know which device does what).  At the very least they could put them
> into an if clause which you have to edit to activate.  But they *SHOULD* add
> the relevent code themselves.....
>
>      I look forward to hearing whether any vendor actually does do this.  I
> will be even more impressed if there is one which does it correctly (and
> adds/changes lines as new devices are added!!).
>


I recall that SunOS (and surely Solaris) set at least some of these correctly
using /etc/fbtab to be owned by the user who logs in to the console.  I would
expect they aren't the only vendor doing this -- though I do recall Sun's fix
was only partial (but that's better than nothing)

Me and another guy around here recently sent HP a very long listing of all
stuff in the 10.01 install we felt had bad permission, including such problems
as the compiler group screwing up and having many compilers installed with
everything 777, kermit being setuid bin, plenty of world-writable device files
in /dev, etc.  Supposedly it is making its way through to people who can do
something about things in HP, but I expect that we'll only see some, but not
all of those changes.  HP-UX 10.10 was in FR3 a couple weeks ago, so none of
this will make it in that (other than maybe the 777 compiler stuff) but I
would expect (hope?) that I will see some of our fixes applied to 10.15 or
10.20 later this year.

We're planning on keeping after them on this, having to hunt for and fix these
things is annoying.  I'd encourage others out there who may have some good
contacts within their respective vendors do the same -- but only if you are
sure you know the difference between permissions that are set in a certain
way because they need to be, and ones that are just carelessness or simple
convenience or laziness.  It wouldn't take more than a couple "fixes" being
suggested that break something before they'd probably dump the whole mess and
figure its not worth the trouble.  We tried to categorize ours into definite
problems, likely problems, and possible problems.  Almost all aren't true
security holes, but having world-writeable files in a system directory isn't
a good idea, IMHO, even if the worst they can do is fill up the partition in
which that file resides or hide that copy of the Linux source outside of
their quota until they get a chance to download it over the weekend.

--
Doug Siebert
dsieberticaen.uiowa.edu