COMMAND
admind
SYSTEMS AFFECTED
Most UNIXes running admind.
PROBLEM
Admind is the daemon used by system administration tools to
perform distributed system administration operations. The admind
daemon is started automatically by the inetd daemon whenever a
request is received. It can also be configured for logging, and
command line options can be set, such as -S, which sets the
security level. The -S option accepts three security levels:
0 - Set authentication to none. All UIDs and GIDs are set to
    nobody by admind.
1 - Set authentication to weak. GIDs and UIDs are set by admind
    according to their "authentication credentials" set by
    AUTH_SYS. If an operation calls for a stronger security level,
    admind demotes the user identity to nobody, and then checks
    whether nobody is authorized to execute the operation.
    AUTH_SYS client credentials are easily forged. No check is
    done that the user ID of the client represents the same user
    on the server system as on the client system. It is assumed
    that user and group identities are set up consistently on the
    network. This security level is the default.
2 - Set authentication to strong. Clients' user and group
    identities are set by admind from user and group IDs from
    netid.byname for NIS, or cred table for NIS+. Client identities
    are accepted by admind only when they have satisfied the
    AUTH_DES authentication mechanism. The admind daemon checks
    whether the client identity is authorized to execute the
    operation.
Admind runs insecurely by default (security level 1). Any user can
run it and change the password file, giving them administrator
access (root).
SOLUTION
Disable admind in inetd.conf, or run it more securely by adding
the -S 2 flag to its entry in the inetd.conf file, like so:

    100087/10 tli rpc/udp wait root /usr/sbin/admind admind -S 2
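
An added example, not part of the original advisory: a POSIX shell
function that audits an inetd.conf-style file for active admind entries
that are not started with -S 2. The function name audit_admind and the
sample file contents are constructed for illustration.

```shell
#!/bin/sh
# audit_admind FILE  (hypothetical helper name, not a vendor tool)
# Report every active admind entry (RPC program 100087) in an
# inetd.conf-style file. Commented-out entries are skipped because the
# service is disabled. Returns non-zero if any active entry runs below
# security level 2.
audit_admind() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }
        $1 ~ /^100087\// || $0 ~ /admind/ {
            level = "default (1)"   # per the advisory, level 1 is the default
            for (i = 1; i < NF; i++)
                if ($i == "-S") level = $(i + 1)
            if (level == "2") {
                printf "OK line %d: security level 2\n", NR
            } else {
                printf "WEAK line %d: security level %s\n", NR, level
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: a default entry, a hardened entry, a disabled entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
100087/10 tli rpc/udp wait root /usr/sbin/admind admind
100087/10 tli rpc/udp wait root /usr/sbin/admind admind -S 2
#100087/10 tli rpc/udp wait root /usr/sbin/admind admind
EOF
audit_admind "$sample" || echo "admind is configured below security level 2"
rm -f "$sample"
```

On a real host, pass the path of the live inetd.conf instead of the
sample file; inetd must re-read its configuration before a change to the
entry takes effect.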
Patches available at:
Solaris Patch ID: 101384-XX at Sun Patches