COMMAND

    /dev/rmt/*

SYSTEMS AFFECTED

    Solaris

PROBLEM

    Joshua Grubman found the following.  This is rather silly and obvious.
    Under Solaris, SCSI tape devices (/dev/rmt/*, which are linked  to
    the st@x,x:   devs in /devices)  are created with  the permission
    bits set to  666.  This allows  a malicious user  with a login  on
    your  system  to  'mt  erase'  the  contents  of  any tape devices
    connected to your system.

    Rob Thomas added:  Say, for example, that you, the Unix administrator,
    as a good boy/girl, do a daily backup... That backup is written to
    the tape.  All is well and  good.  You leave your desk, and  start
    to wander over to the computer  room, to pull the tape out  of the
    drive.  In that time, someone's done:

        lamer@leeto$ cd
        lamer@leeto$ mt -f /dev/nrmt/0h rewind
        lamer@leeto$ tar xvf /dev/nrmt/0h etc/shadow
        ...
        lamer@leeto$ cd etc
        lamer@leeto$ more shadow
        ..shadow password entry..

    and your shadow password file is open to the world.  Just one,  of
    many,  bad-things(tm)  that  can  be  done  with  lame-arsed  tape
    permissions.

SOLUTION

    The correct and recommended fix is to run bsmconv to turn on device
    allocation.  This sets all of the device files for removable media
    devices such as  tapes to 0000.   A user who  then wants to  use a
    tape should then:

        allocate st0
            insert tape into drive
        tar/ufs*/cpio/dd  whatever
            remove tape from drive
        deallocate st0

    The same applies to audio and cd devices, though the audio devices
    are  better  dealt  with  using  /etc/logindevperm.   If  you  are
    concerned about security on Solaris you should always run  bsmconv
    to turn on auditing and  device allocation and run ASET  to ensure
    other perms etc are sorted out. (/usr/aset/aset -l high -p)
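
    To check whether a host still has the 666 modes described above, or to
    confirm that they are closed after the fix, the following added example
    (not part of the original advisory) lists tape nodes that "other" users
    can read or write.  The function name and output format are assumptions.

```shell
#!/bin/sh
# Added example: report tape device nodes that "other" users can read or write.
# Usage: audit_tape_perms [DIR]    (DIR defaults to /dev/rmt)
# Prints one "EXPOSED <mode> <path>" line per world-accessible node.
# Returns 1 if any exposed node was found, 0 otherwise.
audit_tape_perms() {
    dir=${1:-/dev/rmt}
    found=0
    for node in "$dir"/*; do
        # Skip an unmatched glob or a dangling symlink.
        [ -e "$node" ] || continue
        # -L follows the /dev/rmt symlink to the real node under /devices;
        # that node's mode is the one that is actually enforced.
        mode=$(ls -ldL "$node" | awk '{print $1}')
        # Characters 8-10 of the mode string are the "other" permission bits.
        other=$(printf '%s\n' "$mode" | cut -c8-10)
        case $other in
            r*|?w*)
                # World-readable nodes leak backup contents;
                # world-writable nodes allow the tape to be erased.
                echo "EXPOSED $mode $node"
                found=1
                ;;
        esac
    done
    return "$found"
}
```

    Call audit_tape_perms with no argument on the Solaris host; once device
    allocation is on and the modes are 0000, it prints nothing and returns 0.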