COMMAND

    tape devices + logs + su

SYSTEMS AFFECTED

    IRIX 6.4

PROBLEM

    Harhalakis Stefanos found following.  On Irix 6.4 the tape devices
    (in /hw/tape) may be created  with false permissions.  Seems  like
    they are  created using  the current  umask.   (When using su, the
    current umask will  not change (unless  there is a  umask entry in
    root's .cshrc)).   So it  is possible  to have  those devices with
    mode 644 or even 666, which is bad news, because anyone could  use
    xfsrestore  to  get  any  file.   You  can  restore the files to a
    different location, than the  original.  xfsrestore will  give you
    files like the shadow with  pleasure.  An attacker needs  to know,
    only the time you use to backup your / partition (any  incremental
    level can be forced to backup /etc/shadow, by simply changing your
    password).

    Also, /var/adm/SYSLOG  contains the  failed login  names (even  if
    they don't exist) and by default,  this file is forced to be  mode
    644 (root's  crontab will  take care  for this,  when rotating the
    logs).

    Finaly, when  using su,  the user's  .cshrc will  be executed with
    privileges  of  the  target  user  (if  the su is succesful).  For
    example, if user nobody has a cp /bin/sh /tmp; chmod 6755  /tmp/sh
    in his .cshrc and  he use su to  become root, a rootshell  will be
    available in /tmp.  This is valid only for succesfull su's.

SOLUTION

    In IRIX 6.3 and higher you can specify what the mode of the device
    file is  with the  file /etc/ioperms.   See man  ioconfig for more
    info.