erl@jt.dk (Erik B. Larsen) (02/19/91)
I've noticed af security-hole in SunOS (maybe). If you have a diskless workstation mounted on af server, and they are running NIS, then of cource you only have one entry for root (on the server). Now - everyone can boot a workstation up in single-user, and if you just know a little bit of Unix, then it's easy to make an user called root or something else in the clients /etc/passwd. Then you can boot up in multiuser, and you've free access on the server to delete everything! Anyone, who know how I can solved this problem? I'll like to hear from you. Regards Erik Bruijn Larsen Systemadministrator Jutland Telephone Company Denmark Email: erl@jt.dk ------------------------------------------------------------------------------- Remember: The Sun is always shining! -------------------------------------------------------------------------------
auvsaff@auvc8.tamu.edu (Dave Safford) (02/19/91)
|> |>I've noticed af security-hole in SunOS (maybe). |>If you have a diskless workstation mounted on af server, and they are running |>NIS, then of cource you only have one entry for root (on the server). |> NOPE: the client retains a distinct root, which must explicitly trusted with a "root=" entry in the /etc/exports. By default, remote roots are NOT trusted. |>Now - everyone can boot a workstation up in single-user, and if you just know |>a little bit of Unix, then it's easy to make an user called root or something |>else in the clients /etc/passwd. |> NOPE: You can prevent users from booting single user quite easily - if you remove the "secure" flag from the console in /etc/ttytab, a root password will be required to enter single user. Note, this does not prevent the attacker from booting another remote kernel. This can be prevented through the use of the new eeprom security mode, although it is not available on older machines. The security mode can be set to require a password to perform ANY rom monitor command! |>Then you can boot up in multiuser, and you've free access on the server to |>delete everything! |> |>Anyone, who know how I can solved this problem? RTFM, particularly ttytab, exports, eeprom |>I'll like to hear from you. |> |> |> |>Regards |> |> |>Erik Bruijn Larsen |>Systemadministrator |>Jutland Telephone Company |>Denmark |>Email: erl@jt.dk |> |>---------------------------------------------------------------------- ---------- |>Remember: The Sun is always shining! |>---------------------------------------------------------------------- ---------- The real NFS security problem, occurs when someone does manage to obtain root on a client (despite ttytab, eeprom ...). Even if root is not trusted, root can su to any user, and access his files on the server. Secure NFS was created to fix this problem, but unfortunately, secure NFS isn't. I won't go into details, as having discussed the problems with Sun at their security BOF at the latest uniforum, they are aware of the problem, but have no quick fix.
kdenning@pcserver2.naitc.com (Karl Denninger) (02/20/91)
In article <784@jt.dk> erl@jt.dk (Erik B. Larsen) writes: > >I've noticed af security-hole in SunOS (maybe). >If you have a diskless workstation mounted on af server, and they are running >NIS, then of cource you only have one entry for root (on the server). > >Now - everyone can boot a workstation up in single-user, and if you just know >a little bit of Unix, then it's easy to make an user called root or something >else in the clients /etc/passwd. > >Then you can boot up in multiuser, and you've free access on the server to >delete everything! You are correct. If you can boot single user, and/or get root, you can then su to anyone else and do what you will. However, you can prevent booting single-user. See "security-mode" in the PROM command screen for details. Basically it's a second password you have to know in order to do anything other than boot multiuser from the default drive/server. -- Karl Denninger - AC Nielsen, Bannockburn IL (708) 317-3285 kdenning@nis.naitc.com "The most dangerous command on any computer is the carriage return." Disclaimer: The opinions here are solely mine and may or may not reflect those of the company.
csd35@seq1.keele.ac.uk (Jonathan Knight) (02/21/91)
> In article <784@jt.dk> erl@jt.dk (Erik B. Larsen) writes: >>I've noticed af security-hole in SunOS (maybe). >>If you have a diskless workstation mounted on af server, and they are running >>NIS, then of cource you only have one entry for root (on the server). You can remove the 'secure' option for console in /etc/ttytab and then you won't get a shell. Instead you'll get a demand for a password. -- ______ JANET :jonathan@uk.ac.keele.cs Jonathan Knight, / BITNET:jonathan%cs.kl.ac.uk@ukacrl Department of Computer Science / _ __ other :jonathan@cs.keele.ac.uk University of Keele, Keele, (_/ (_) / / UUCP :...!ukc!kl-cs!jonathan Staffordshire. ST5 5BG. U.K.