COMMAND

    /var permission problems

SYSTEMS AFFECTED

    Solaris 2.3, 2.4, 2.5, 2.5.1, and 2.6 (SPARC and x86)

PROBLEM

    Careful examination of Solaris operating systems (running find(1))
    on sun4c, sun4m, and sun4u platforms yielded the following results.
    Solaris for x86 platforms may be similarly affected.  After checking
    all machines with the same set of commands, CPIO found the following
    permission problems with these files (listed here only for 2.5.1 and
    2.6).  Any user can fill /var (stopping local logging and causing all
    kinds of other problems), or put a rogue package in /var/spool/pkg; if
    the admin then unsuspectingly runs pkgadd without verifying his or her
    packages, this can lead to root compromise.  Credit goes to CPIO and
    Matthew R. Potter.

    Solaris 2.5.1:

        /var/adm/vold.log (mode 666, root:root)
        /var/adm/spellhist (mode 666, bin:bin)
        /var/adm/messages  (mode  666,  root:other)  NOTE: this is the
                                first set of permissions on this file.
                                newsyslog   fixes   this   during  the
                                archive process.
        /var/adm/log/asppp.log (mode 666, root:root)
        /var/news (directory, mode 777, bin:bin)
        /var/log/syslog  (mode  666,  root:other)  On initial install,
                                this  is  664,  but  when rolled over,
                                becomes 666. Patch 104613 fixes this.
        /var/log/sysidconf.log (mode 777, root:other)
        /var/sadm/install/.pkg.lock (mode 666, root:root)
        /var/spool/lp/fifos/FIFO (mode 666, lp:lp)
        /var/lp/logs/lpsched (mode 666, root:root)
        /var/lp/logs/lpNet (mode 666, root:root)
        /var/preserve (directory, mode 777, bin:bin)
        /var/spool/pkg (directory, mode 777, bin:bin)

    Solaris 2.6:

        /var/adm/vold.log (mode 666, root:root)
        /var/adm/spellhist (mode 666, bin:bin)
        /var/log/sysidconf.log (mode 777, root:other)
        /var/saf/_log (mode 666, root:root)
        /var/dmi/db/1l.comp (mode 666, root:root)
        /var/dmi/db/1l.tbl (mode 666, root:root)
        /var/snmp/snmpdx.st  (mode 666, root:root)
        /var/snmp/snmpdx.st.old (mode 666, root:root)

SOLUTION

    There are public-domain scripts that fix at least some of the
    permissions in question.  Some patches fix some of the problems;
    patch 104613 fixes the /var/log/syslog problem on 2.5.1.

    In addition, Casper Dik has a program called "fix-modes" which is
    available from:

        ftp://ftp.wins.uva.nl/pub/solaris/

    Run ASET (SUNWast), but not on the highest level; this is good
    procedure for any Solaris box before it goes on a network, as is
    running fix-modes.  ASET helps keep permissions from drifting to a
    lower privilege level (it seems that on Solaris, if you don't run
    any kind of permission-checking program, permissions get
    progressively worse over time).  Also, there is cfengine (GNU
    software) to set owner/group/permissions for such things.  This
    fixes many of the discrepancies detailed here.