COMMAND
XNTPd
SYSTEMS AFFECTED
Solaris 2.6, 7
PROBLEM
John Smith found the following. He noticed that the XNTP daemon on
Solaris 2.6 and 7 creates its drift file
(default=/etc/inet/ntp.drift) world-writable (666). Even after changing
the permissions to something sane, they eventually get
set back to 666 (not sure if this happens at daemon restart, on update of
the drift file, or both). There's not a whole lot you can do with
this hole, though. xntpd uses the file as a hint on how good the
local clock is but puts only limited trust in it. (You could
copy a big file there, but again, that file disappears.)
SOLUTION
Simply add a umask command to the beginning of the XNTP startup
script (/etc/init.d/xntpd). A standard default umask of 022 for
all programs or xntpd would fix this. In the next release, the
default umask will likely be 022. What also helps is:
setfacl -m d:u::7,d:m:5,d:g::5,d:o:5 /etc/inet
which forces all files created in the directory to have mode 644
or 755. The Solaris FAQ says:
3.50) How can I prevent daemons from creating mode 666 files?
By default, all daemons inherit the umask 0 from init. This
is most problematic for a service like ftp, which in a
standard configuration leaves all uploaded files with mode
666.
To get daemons to use another umask execute the following
commands in /bin/sh and reboot:
umask 022 # make sure umask.sh gets created with the proper mode
echo "umask 022" > /etc/init.d/umask.sh
for d in /etc/rc?.d
do
ln /etc/init.d/umask.sh $d/S00umask.sh
done
Note: the trailing ".sh" of the scriptname is important; if
you don't specify it, the script will be executed in a
sub-shell, not in the main shell that executes all other
scripts.
In Solaris 2.6 and later, in.ftpd(1M) allows setting its umask
in /etc/default/ftpd.
The most recently posted version of the FAQ is available from
http://www.wins.uva.nl/pub/solaris/solaris2/
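As an added example, not part of this advisory or of the Solaris FAQ, the script below shows how the umask a daemon inherits decides the mode of the files it creates (umask 0 gives 666, umask 022 gives 644), audits a directory for world-writable files, and checks whether a startup script sets a safe umask. All paths are constructed under a temporary directory; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not the advisory's or the FAQ's code). Demonstrates the
# umask inheritance problem described above and two defender checks for
# it. Nothing here touches the real /etc/inet or /etc/init.d.

# mode_of FILE: print the octal permission bits (e.g. 644); GNU or BSD stat
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# create_with_umask UMASK FILE: create FILE the way a daemon started with
# UMASK would (0666 masked), in a subshell so the caller's umask is
# untouched, then print the resulting mode
create_with_umask() {
    ( umask "$1" && : > "$2" ) || return 1
    mode_of "$2"
}

# world_writable DIR: list regular files under DIR with the other-write
# bit set (POSIX find, so -perm -0002 rather than GNU's -perm -o+w)
world_writable() {
    find "$1" -type f -perm -0002
}

# count_world_writable DIR: number of such files, for scripted checks
count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# script_sets_umask SCRIPT: succeed if SCRIPT has an uncommented umask
# line whose last octal digit clears the other-write bit (2, 3, 6 or 7),
# i.e. the fix recommended for /etc/init.d/xntpd
script_sets_umask() {
    grep -Eq '^[[:space:]]*umask[[:space:]]+0*[0-7]?[0-7]?[2367][[:space:]]*(#.*)?$' "$1"
}

# demo: run the checks on constructed files in a temporary directory
demo() {
    tmp=$(mktemp -d) || return 1
    echo "umask 0 (init default): $(create_with_umask 0 "$tmp/ntp.drift")"
    echo "umask 022 (fixed):      $(create_with_umask 022 "$tmp/ntp.drift.ok")"
    echo "world-writable files:   $(count_world_writable "$tmp")"
    printf 'umask 022\n/usr/lib/inet/xntpd &\n' > "$tmp/xntpd"   # constructed
    script_sets_umask "$tmp/xntpd" && echo "startup script sets a safe umask"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo`; the audit functions can be pointed at a real directory such as /etc/inet to find files a umask-0 daemon has left world-writable.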