paulz@sco.COM (W. Paul Zola) (02/22/91)
chip@tct.uucp (Chip Salzenberg) writes: }I'm sorry, but SCO C2 security is still a botch. In article <43@talgras.UUCP> david@talgras.UUCP (David Hoopes) writes: } }Not exactly, you can choose if you want C2 relaxed or not. There is still }no way to get rid of it. I just spent a whole week wasted because of that }C2 junk. } }I hate C2. I hate it alot. } I have good news for all those who have been having problems with SCO's C2 Security. SCO Support has just released a Support Level Supplement (SLS) which is designed to resolve many of these problems. The supplement name is "The SCO UNIX System V/386 Release 3.2 Security Supplement", and the SLS number is unx257. This SLS is availible for anonymous UUCP via sosco, and through the usual support channels. For those who are interested, I am enclosing an excerpt from the cover letter which accompanies unx257. This excerpt should cover the main features of unx257. I hope that people will find this useful and informative. - Paul Zola Software Support Engineer paulz@sco.COM Gotta tend the earth if you want a rose. - Emily Saliers DISCLAIMER: I speak for myself, and not for SCO. ################## cut here ################ cut here ################## What does Support Level Supplement (SLS) unx257 contain? RELEASE: SCO UNIX System V/386 Release 3.2 Operating System SCO UNIX System V/386 Release 3.2 Operating System Version 2.0. Open Desktop Release 1.0 SLS unx257 consists of one diskette that can be installed on SCO UNIX System V/386 Release 3.2 Operating System, SCO UNIX System V/386 Release 3.2 Operating System Version 2.0, and Open Desktop Release 1.0. Release Notes and Manual pages that were shipped with SLS unx257 are: ADDXUSERS(ADM); ASROOT(ADM); AUTHCK(ADM); ALE(ADM); FIXMOG(ADM); RMUSER(ADM); PASSWDUPD(ADM); TTYUPD(ADM); TCBCK(ADM); UNRETIRE(ADM); CRONTAB(C); PASSWD(C); LOGIN(M). Features in SLS unx257 SLS unx257 includes the following features: Enhanced crash recovery, including modifications to tcbck(ADM). Command-line utilities, rmuser(ADM) and unretire(ADM), for removing, retiring and unretiring users. The utility, passwdupd(ADM), to create a user who was added to /etc/passwd file manually. A hushlogin feature in login(M) for suppressing copyright and other messages during a login. A new authck(ADM) -y flag that silently corrects any errors in the subsystem database. The utility, fixmog(ADM), to change the permissions of all files to match their entries in the File Control database. The utility, cps(ADM), for setting the permissions of individual files to match their entries in the File Control database. A locking utility, ale(ADM), that enables administrators to write scripts that update the Authentication database. The utility, ttyupd(ADM), that updates the Terminal Control database to match /etc/inittab. The utility, asroot(ADM) that allows an authorized user to run a defined set of commands as superuser without the root password. New semantics of PASSLENGTH in /etc/default/passwd that represent the absolute minimum password length to be enforced by passwd(C). Modifications to su(C) - Instead of allowing a user to su to root only, users can su to any account if they have the account password. - The system can be configured to a C1 level of security so that su transitions also transfer the authorizations of the account. Other Improvements and Additions SLS unx257 also includes the following improvements and additions. Note: Unless otherwise stated the problems described below are present in all the software environments specified earlier. addxusers(ADM) - Now handles a relative pathname for the name of the input file. - Allows the passwords of newly added accounts to be changed if they did not have aging information. authck(ADM) - Increased robustness to repair additional errors in the subsystem database files. sulogin(ADM) - The LUID is now set under all circumstances. - The gid is set to root's group as specified in /etc/passwd. sysadmsh(ADM) - The useshell helper program used by sysadmsh now displays descriptive error messages. login(C) - Does not produce the 'cannot access Terminal Control database' message when a large number of concurrent logins take place. - The override shell spawned in emergencies now has its LUID set. - All combinations of null passwords and PASSREQ work as documented. - Use of an invalid username is now audited as <bad>. passwd(C) - Lockfiles are no longer left behind when setting a dial-up password. su(C) - No longer makes two entries in the sulog file each time it is used. umask(C) preservation - auths(C), su(C), newgrp(C), and at(C) now use the current value of the user's umask rather than setting it to 077. *********** Important Notes ************* (1) Because the sysadmsh System->Security->Relax selection edits system default files that are then changed by system administrators, there was no accurate way for utilities, such as rmuser(ADM), to determine if the system had been relaxed. To indicate relaxed behavior, edit the /etc/auth/system/default files and change the u_secclass field from "c2" to "c1". NOTE: If you have a trusted system, do NOT change this. (2) login(M) and su(C) now start the shell with the supplemental group list set. The supplemental group ID list is used in addition to the effective group ID (EGID) in determining file access permissions. The EGID is still used in file creation. The maximum number of groups in the supplemental groups list is defined by the tunable kernel parameter NGROUPS_MAX. It can be changed by running sysadmsh(ADM), selecting System->Configure->Kernel->Parameters and selecting option 3, "Files, Inodes, and Filesystems". The parameter is NGROUPS. (3) login(M) and su(C) set the supplemental group list to the login GID (from /etc/passwd), followed by successive groups (read from /etc/group), of which the user is a member (excluding the login group). If a user is listed as a member of a group more than once, the group ID will appear more than once in the supplemental group list. When the list is full or the end of the group file is reached, the supplemental group list is set. This behavior is functionally equivalent to BSD's, except BSD uses a fixed, instead of configurable, size list. In SCO UNIX System V/386 Release 3.2, supplemental group lists may only be set, they are not used in access decisions. (4) The su(C) feature, allowing a user to gain the authorizations of another account, has been implemented as a temporary solution which involves changing the LUID of the su process. All audit records generated by that process have the LUID of the su'ed user, not the original user. However, the audit reduction program can produce an audit report with audit records labeled with the correct LUID. Because this implementation can reduce the integrity of audit data, this su feature is only enabled if the system is relaxed (see below). The implementation of this feature will be changed in a future release of the operating system. Note that when su'ing from an account, that does not have the nopromain subsystem authorization to an account that does, the shell started by su will still be running in a promain. (5) The new asroot(ADM) utility will also run a command with root authorizations if the u_secclass field is set to "c1". Note that asroot asks for the password corresponding to the LUID, not the RUID. (6) In SCO UNIX System V/386 Release 3.2 Operating System Version 2.0, the file /tcb/lib/setfiles is a nonfunctional utility; this SLS replaces it with a link to /bin/false. This command has been superseded by the new fixmog(ADM) utility. (7) When using passwdupd(ADM) to add users to the system, always add lines at the end of /etc/passwd. (8) On-line copies of the new and replacement manual pages are added to your system during installation. (9) SLS unx257 contains new versions of /etc/profile and /etc/cshrc which have been modified so that no messages are displayed during a hushlogin. If the existing versions of these files have not been altered from the original operating system versions, then the installation script over- writes the old versions with the new versions. If changes have been made, then the new versions are left in /etc/profile.hush and /etc/cshrc.hush. The /etc/profile and /etc/cshrc files are sometimes edited by a product's (such as ODT-DATA and ODT-DOS) installation script. Then SLS unx257 will not overwrite these files and will put the new version as /etc/profile.hush and /etc/cshrc.hush. If the files are not overwritten, then you may want to incorporate the hushlogin changes into your own versions manually, after the installation is complete.