Questions regarding this article should be directed to the authors at tmk@cse.ucsc.edu or bwcarter@cse.ucsc.edu
We'd like this document to remain current and evolve to become even more useful to the Unix community. Please send Solaris 1.1 and 1.1.1 security tips not covered here, along with any necessary pointers or references to beccat@wcmh.com. We will include those we judge suitable along with a credit for the contributor.
Our goal is to provide some of the more basic steps that you can do to improve security on a newly installed SunOS 4.1.3 (Solaris 1.1 or 1.1.1) system. Disclaimer: This is by no means an all-inclusive list of actions, just some of the simple and more common measures. These recommendations come with no guarantees!
The intended audience is anyone responsible for the system administration duties of a machine running SunOS 4.1.3. These recommendations are applicable to a stand-alone workstation, which may be connected to a larger network. It is assumed that the reader has some familiarity with basic Unix system administration. (You should be able to do a basic system installation by yourself, install patches, and use an editor).
Please note that this list limits its coverage to measures that can be done for a stand-alone workstation. In addition to the steps listed here, there are many measures that can be taken to improve the security of an environment. For example, filtering traffic to port 2049/udp at the routers will prevent NFS calls from outside your domain. Such measures, while extremely helpful, can be quite specific to individual system needs and can become quite involved. A proper coverage of these issues would warrant a book, not a short write-up. More detailed coverage of these measures can be found in Reference 2.
The truly paranoid may wish to implement these recommendations while in single user mode, as an extra measure of security to avoid possible subversive shenanigans by a wily cracker.
* Some patches may not be required if you are disabling this feature. If this is the case, ensure that all relevant files have had their mode changed to remove the set-user-ID bit with chmod u-s <file>.
Please also note that some patches may not necessarily apply, based on packages installed (US Encryption...) or your configuration. Carefully check the README file for each patch.
Patches are available via anonymous FTP from ftp://ftp.uu.net/systems/sun/sun-dist/.
/etc/inetd.conf
/etc/inetd.conf file and put a pound sign (#) in front of services that are not needed.
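As an added example (not from the original checklist), the following Bourne shell script does the inetd.conf edit mechanically: every active service line whose name is not on a keep list gets a pound sign in front of it, and a second function lists what is still enabled. The sample inetd.conf it works on is constructed for the demonstration; the service names, paths and the keep list "ftp telnet" are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the original checklist: comment out every
# service in an inetd.conf-style file except those in a keep list, then
# report what is still enabled. The sample inetd.conf below is constructed
# for the demonstration; the keep list is a whitespace-separated list of
# service names (field 1 of each line).

# write_sample_inetd_conf FILE: write a constructed SunOS-style inetd.conf.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf (not a real system file)
ftp     stream  tcp  nowait  root    /usr/etc/in.ftpd      in.ftpd
telnet  stream  tcp  nowait  root    /usr/etc/in.telnetd   in.telnetd
shell   stream  tcp  nowait  root    /usr/etc/in.rshd      in.rshd
login   stream  tcp  nowait  root    /usr/etc/in.rlogind   in.rlogind
finger  stream  tcp  nowait  nobody  /usr/etc/in.fingerd   in.fingerd
tftp    dgram   udp  wait    root    /usr/etc/in.tftpd     in.tftpd -s /tftpboot
EOF
}

# disable_inetd_services FILE "svc1 svc2 ...": rewrite FILE in place, putting
# a pound sign in front of every active service line whose name is not in the
# keep list. Comment and blank lines pass through untouched. Prints the name
# of each service it disabled, one per line.
disable_inetd_services() {
    file=$1
    keep=$2
    tmp="$file.tmp.$$"
    awk -v keep="$keep" -v out="$tmp" '
        BEGIN {
            n = split(keep, k, /[ \t]+/)
            for (i = 1; i <= n; i++) want[k[i]] = 1
        }
        /^[ \t]*#/ || NF == 0 { print > out; next }   # already off, or blank
        $1 in want            { print > out; next }   # explicitly kept
        {
            print "#" $0 > out                        # disable it
            print $1                                  # report it
        }
    ' "$file" && mv "$tmp" "$file"
}

# active_services FILE: print the names of services still enabled.
active_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Demonstration on the constructed sample, keeping only ftp and telnet.
demo_dir=$(mktemp -d)
write_sample_inetd_conf "$demo_dir/inetd.conf"
echo "disabled: $(disable_inetd_services "$demo_dir/inetd.conf" "ftp telnet" | tr '\n' ' ')"
echo "still active: $(active_services "$demo_dir/inetd.conf" | tr '\n' ' ')"
```

Run it against a copy of the real /etc/inetd.conf first and diff the result; the keep-list approach is deliberately "deny by default", so anything you forget to name ends up commented out, which is the safe direction for this step.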
/etc/rc.local file sets up port monitoring only if the file /etc/security/passwd.adjunct exists. If you will be implementing shadowing then you can skip over this step. If you will not be implementing shadowing and you will be exporting files then you should modify /etc/rc.local to do the following two lines, regardless of whether or not the passwd.adjunct file exists.
echo "nfs_portmon/W1" | adb -w /vmunix /dev/kmem > /dev/null 2>&1
rpc.mountd
ypbind is invoked with the -s option
/etc/rc.local sets up ypbind in the secure mode, using the -s option, only if the file /etc/security/passwd.adjunct exists. If you will be implementing shadowing then you can skip over this step, otherwise you should modify /etc/rc.local to start ypbind with the -s option regardless of whether the passwd.adjunct file exists.
options "IPFORWARDING=-1"
/usr/sys/`arch`/conf/README
.rhosts authentication, .rhosts, or .rhosts entirely, depending on desired security level.
.rhosts and /etc/hosts.equiv files for all the "r" commands.
(+) into users' .rhosts file to allow them to gain access at a later date. Most users don't look at their .rhosts file too often.
.rhosts prevents crackers from sniffing your users' passwords, it also makes them vulnerable to IP spoofing (claiming to be a host that you're not).
/etc/fbtab
/dev/nit
/dev/nit device file is Sun's network interface, which can be used by crackers that have already broken into a machine to examine network packets for password information.
# cd /usr/kvm/sys/sun[3,3x,4,4c]/conf
# cp CONFIG_FILE SYS_NAME

Note that at this point, you should replace the CONFIG_FILE with your system specific configuration file, if one exists.

# chmod +w SYS_NAME
# vi SYS_NAME
#
# The following are for streams NIT support. NIT is used by
# etherfind, traffic, rarpd, and ndbootd. As a rule of thumb,
# NIT is almost always needed on a server and almost never
# needed on a diskless client.
#
pseudo-device snit # streams NIT
pseudo-device pf # packet filter
pseudo-device nbuf # NIT buffering module

Comment out the preceding three lines, then save and exit the editor before proceeding.

# config SYS_NAME
# cd ../SYS_NAME
# make
# mv /vmunix /vmunix.old
# cp vmunix /vmunix
# /etc/halt
> b

This step will reboot the system with the new kernel.
/etc/ftpusers
/etc/passwd). If he is able to determine your root password, a shell provided via ftp could be used as a springboard for a superuser shell.
/etc/ftpusers with the following entries (one per line), including any other existing accounts for which you don't want to allow ftp access.
root
daemon
sys
bin
nobody
uucp
news
ingres
AUpwdauthd
AUyppasswdd
sysdiag
sundiag
(+) in /etc/hosts.equiv
/etc/hosts.equiv should not have any comment lines.
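The two .rhosts and hosts.equiv points above (a plus sign that trusts every host or every user, and comment lines in hosts.equiv) are easy to check for mechanically. The following audit script is an added example, not part of the original checklist; the hosts.equiv and .rhosts files it scans are constructed under a temporary directory, and the host names in them are made up.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit /etc/hosts.equiv
# and users' .rhosts files for a plus sign (+) that trusts every host or
# every user, and for comment lines in hosts.equiv. The sample files are
# constructed under a temporary directory; the host names are invented.

# audit_trust_file FILE: print one finding per line (empty output = clean).
# Each non-blank line of these files is "host [user]"; "+" in either field
# is the wildcard.
audit_trust_file() {
    awk -v f="$1" '
        NF == 0 { next }
        /^[ \t]*#/ {
            print f ":" NR ": comment line (hosts.equiv should not contain any)"
            next
        }
        $1 == "+" { print f ":" NR ": wildcard host (+) trusts every host"; next }
        NF >= 2 && $2 == "+" {
            print f ":" NR ": wildcard user (+) trusts every user on " $1
            next
        }
    ' "$1"
}

# audit_all_rhosts HOMEROOT: run audit_trust_file over HOMEROOT/*/.rhosts.
audit_all_rhosts() {
    for rh in "$1"/*/.rhosts; do
        if [ -f "$rh" ]; then
            audit_trust_file "$rh"
        fi
    done
    return 0
}

# count_lines: number of lines on stdin (wc -l pads with spaces on some systems).
count_lines() {
    awk 'END { print NR }'
}

# write_sample_trust_files DIR: constructed hosts.equiv and two home directories.
write_sample_trust_files() {
    mkdir -p "$1/etc" "$1/home/alice" "$1/home/bob"
    cat > "$1/etc/hosts.equiv" <<'EOF'
trusted.foo.bar.edu
+
# looks like a harmless comment but the file has no comment lines
other.foo.bar.edu +
EOF
    printf '+ +\n' > "$1/home/alice/.rhosts"
    printf 'ws1.foo.bar.edu bob\n' > "$1/home/bob/.rhosts"
}

# Demonstration: three findings in hosts.equiv, one in alice's .rhosts.
demo=$(mktemp -d)
write_sample_trust_files "$demo"
audit_trust_file "$demo/etc/hosts.equiv"
audit_all_rhosts "$demo/home"
```

On a real system point audit_trust_file at /etc/hosts.equiv and audit_all_rhosts at the parent of the home directories (for example /home), and run it from cron so that a plus sign planted in a user's .rhosts at a later date is noticed even though the user never looks at the file.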
/etc/exports and remove all entries you don't want exported. Ensure whatever entries remain have restricted access.
/etc/exports file to:
-access=host.foo.bar.edu option.
ro option.
nosuid in mounts
/etc/fstab to mount a file system exported by another host. Anyone gaining access to the other host can create or modify an existing program which could compromise your system. This doesn't work on tmpfs file systems.
/etc/fstab to import a file system.
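To check the exports and fstab points above on a running system, the following script flags /etc/exports entries that have no -access list or are not read-only, and /etc/fstab NFS mounts that lack nosuid. It is an added example, not part of the original checklist; both sample files are constructed, the host host.foo.bar.edu is the checklist's own placeholder, and fileserver is an invented name.

```shell
#!/bin/sh
# Added example, not part of the original checklist: flag /etc/exports
# entries that lack an access list or are not read-only, and /etc/fstab NFS
# mounts that lack nosuid. The two sample files are constructed; the host
# name host.foo.bar.edu is the checklist's own placeholder.

# audit_exports FILE: SunOS-style lines are "directory [-opt,opt,...]".
# One finding per line; empty output means every entry is restricted.
audit_exports() {
    awk -v f="$1" '
        NF == 0 || /^[ \t]*#/ { next }
        {
            opts = (NF >= 2) ? substr($2, 2) : ""   # drop the leading "-"
            n = split(opts, o, ",")
            has_access = 0; has_ro = 0
            for (i = 1; i <= n; i++) {
                if (o[i] ~ /^access=/) has_access = 1
                if (o[i] == "ro")      has_ro = 1
            }
            if (!has_access) print f ":" NR ": " $1 " has no -access list (any host may mount it)"
            if (!has_ro)     print f ":" NR ": " $1 " is not exported read-only"
        }
    ' "$1"
}

# audit_fstab FILE: lines are "device mountpoint type options freq pass";
# flag NFS mounts whose option list lacks nosuid.
audit_fstab() {
    awk -v f="$1" '
        NF == 0 || /^[ \t]*#/ { next }
        $3 == "nfs" {
            n = split($4, o, ",")
            nosuid = 0
            for (i = 1; i <= n; i++) if (o[i] == "nosuid") nosuid = 1
            if (!nosuid) print f ":" NR ": " $1 " on " $2 " is mounted without nosuid"
        }
    ' "$1"
}

count_lines() { awk 'END { print NR }'; }

# write_sample_nfs_files DIR: constructed exports and fstab.
write_sample_nfs_files() {
    cat > "$1/exports" <<'EOF'
# constructed sample /etc/exports
/usr          -ro,access=host.foo.bar.edu
/export/home  -access=host.foo.bar.edu
/var/spool    -ro
/tmp
EOF
    cat > "$1/fstab" <<'EOF'
# constructed sample /etc/fstab
/dev/sd0a                /           4.2  rw             1 1
fileserver:/export/home  /home       nfs  rw,bg,nosuid   0 0
fileserver:/usr/local    /usr/local  nfs  rw,bg          0 0
EOF
}

# Demonstration: /usr is clean, /export/home is writable, /var/spool is
# open to every host, /tmp is both; /usr/local is imported without nosuid.
demo=$(mktemp -d)
write_sample_nfs_files "$demo"
audit_exports "$demo/exports"
audit_fstab "$demo/fstab"
```

A read-write export that genuinely has to stay writable (home directories, for instance) will still be reported by audit_exports; the point is that each such entry is a conscious decision, and that every remaining entry carries an -access list.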
/etc/ttytab to remove the secure option from all entries
/etc/ttytab allows logins directly to root on that tty. If you feel that your machine is not in a physically secure location, you may choose to remove the secure option from the console as well. As a result you will first login as a user in the wheel group and then su to root.
auth and mail lines
#
# The "open EEPROM" pseudo-device is required to support the
# eeprom command.
#
pseudo-device openeepr # onboard configuration NVRAM
/etc/rc
and /.login
/.login to 077 instead of 022.
No file in the /etc directory should require write access by world except for dumpdate, which requires group write access, and tmp, which requires group and other write access.
/etc/rc.local
to comment line(s) that chmod 666 motd
/etc/motd is the standard message-of-the-day file. It won't allow people to gain root access, but it could be a nuisance if they can change this anonymously. Additionally, it is important to ensure that the line "rm -f /tmp/t1" is at the beginning of this portion of /etc/rc.local.
/usr/bin/cu
/usr/bin/tip
/usr/bin/fusage
/usr/bin/nsquery
/usr/bin/uucp
/usr/bin/uuname
/usr/bin/uustat
/usr/bin/uux
/usr/ucb/rcp
/usr/ucb/rdist
/usr/ucb/rlogin
/usr/lib/uucp/uusched
/usr/lib/uucp/uuxqt
/usr/ucb/rsh
/usr/lib/uucp/uucico
/usr/games/hack
/usr/games/chesstool
/usr/games/fortune
/usr/lib/exrecover
/usr/games/robots
/usr/lib/uucp/remote.unknown
/usr/games/hack
/usr/games/snake
/usr/bin/sunview1/sv_release
/usr/etc/rfsetup
/usr/bin/allocate
/usr/ucb/quota
/usr/lib/expreserve
/usr/bin/allocate is used with C2 security.
/usr/ucb/quota is used with disk quotas.
/usr/lib/expreserve is used to recover a vi edit session that died.
/usr/etc/shutdown
/usr/lib/acct/accton
they don't need to be set-user-ID.
/usr/bin/wall
/usr/etc/trpt
/usr/bin/sunview1/toolplaces
/usr/bin/iostat
/usr/bin/ipcs
/usr/ucb/vmstat
/usr/ucb/netstat
/usr/etc/arp
/usr/etc/dmesg
/usr/etc/dkinfo
/usr/etc/chill
/usr/etc/dumpfs
/usr/etc/devinfo
/usr/etc/nfsstat
/usr/old/perfmon
/openwin/bin/xload
/usr/kvm/pstat
/usr/kvm/crash
/usr/kvm/getcons
/usr/etc/kgmon
/usr/etc/trpt
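The program lists above are long, and doing chmod u-s by hand invites typos. The following script is an added example, not part of the original checklist: it clears the set-user-ID bit on each listed path that exists and still has the bit (the checklist's chmod u-s step), then lists whatever set-user-ID files remain under a tree so you can review what was left. The demonstration runs on a constructed directory tree with empty placeholder files, not on /usr; the file names only mirror the checklist's layout.

```shell
#!/bin/sh
# Added example, not part of the original checklist: clear the set-user-ID
# bit (chmod u-s, as the checklist recommends) on a list of programs that do
# not need it, skipping paths that are absent or already clean, and then list
# whatever set-user-ID files remain under a directory tree. The demonstration
# works on constructed empty files in a temporary directory, not on /usr.

# strip_setuid FILE...: chmod u-s each existing file that has the bit set.
# Prints one line per file actually changed; missing files are ignored.
strip_setuid() {
    for f in "$@"; do
        if [ -u "$f" ]; then
            chmod u-s "$f" && echo "cleared set-user-ID on $f"
        fi
    done
    return 0
}

# find_setuid DIR: list regular files under DIR with the set-user-ID bit.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

count_lines() { awk 'END { print NR }'; }

# write_sample_tree DIR: a constructed tree mimicking the checklist's layout,
# with three set-user-ID files, one of which (bin/passwd) must keep the bit.
write_sample_tree() {
    mkdir -p "$1/usr/ucb" "$1/usr/games" "$1/bin"
    for p in usr/ucb/rcp usr/games/fortune bin/passwd bin/ls; do
        : > "$1/$p"
        chmod 755 "$1/$p"
    done
    chmod u+s "$1/usr/ucb/rcp" "$1/usr/games/fortune" "$1/bin/passwd"
}

# Demonstration. The list mirrors checklist entries; bin/ls shows that a file
# without the bit is left alone, usr/etc/rfsetup shows that a missing file is
# skipped, and bin/passwd is deliberately not listed, so it survives.
demo=$(mktemp -d)
write_sample_tree "$demo"
strip_setuid "$demo/usr/ucb/rcp" "$demo/usr/games/fortune" "$demo/bin/ls" "$demo/usr/etc/rfsetup"
echo "still set-user-ID:"
find_setuid "$demo"
```

On a real system, run find_setuid / before and after and keep both listings; the diff is your record of what this step changed, and the "after" listing is the set of programs you have decided must stay set-user-ID (passwd, login, su, and the like).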
/bin/passwd program.
/bin/passwd to be set-user-ID root. The same applies to the two hard links pointing to /bin/passwd, namely /bin/chfn and /bin/chsh.
/etc/passwd file, then please note that /bin/passwd has a race condition that can be exploited to write to files as root, allowing a cracker to gain root access.
rpc.yppasswdd runs as user-ID root on the NIS server, neither yppasswd, ypchfn, nor ypchsh need to be set-user-ID root.
/bin/passwd, do /etc/passwd via passwd, chfn, or chsh, either.
/bin/passwd with a proactive passwd program that checks for bad passwords (Reference 7), or

# cd /bin
# cp passwd passwd.old; chmod 700 passwd.old
# adb -w - passwd
not core file = passwd
/l 'F:'
0x68de
0x68de/w 0
0x68de: 0x463a = 0x0
<CTRL-D>
# chmod 4711 /bin/passwd

Note that the above address, 0x68de, is the one printed by the /l 'F:' search and is required for the 0x68de/w 0 step.
/bin/passwd.
yppasswd ypchfn ypchsh chfn chsh
sync entry from the password file
sync has no password, allowing it to be abused to gain access to the system. The simplest solution is to live without this feature and remove this account.
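The sync account is one instance of a more general problem, an entry whose password field is empty. The following script is an added example, not part of the original checklist: it lists every account in a passwd file with an empty password field, reports the sync entry so it can be removed, and removes a named account through a temporary file. The passwd file it reads is constructed, and the hash values in it are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not part of the original checklist: scan a passwd file for
# accounts whose password field is empty (the sync account is the checklist's
# example) and report the sync entry itself so it can be removed. The passwd
# file is constructed; the hashes in it are placeholders, not real.

# empty_password_accounts FILE: names of accounts with an empty password field.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# audit_passwd FILE: one finding per line; empty output means nothing found.
audit_passwd() {
    awk -F: -v f="$1" '
        NF < 7 || /^[ \t]*#/ { next }
        $2 == ""     { print f ":" NR ": account " $1 " has no password" }
        $1 == "sync" { print f ":" NR ": sync account present; remove it unless it is needed" }
    ' "$1"
}

# remove_account FILE NAME: drop NAME from FILE, writing through a temp file so
# a failed awk run leaves the original untouched.
remove_account() {
    tmp="$1.tmp.$$"
    awk -F: -v who="$2" '$1 != who' "$1" > "$tmp" && mv "$tmp" "$1"
}

count_lines() { awk 'END { print NR }'; }

# write_sample_passwd FILE: constructed passwd file with placeholder hashes.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:PLACEHOLDERHASH1:0:1:Operator:/:/bin/csh
sync::1:1::/:/bin/sync
daemon:*:1:1::/:
bin:*:3:3::/bin:
alice:PLACEHOLDERHASH2:1001:10:Alice:/home/alice:/bin/csh
guest::1002:10:Guest:/home/guest:/bin/csh
EOF
}

# Demonstration: sync and guest have empty password fields (three findings,
# since sync is reported twice); after removing sync only guest remains.
demo=$(mktemp -d)
write_sample_passwd "$demo/passwd"
audit_passwd "$demo/passwd"
remove_account "$demo/passwd" sync
echo "after removing sync, accounts without a password: $(empty_password_accounts "$demo/passwd" | tr '\n' ' ')"
```

If you have converted to shadowing, run the same checks against /etc/security/passwd.adjunct as well, since that is where the password fields live after the split; an empty field there is the same exposure.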
/etc/passwd into /etc/passwd and /etc/security/passwd.adjunct,
/etc/group into /etc/group and /etc/security/group.adjunct,
/etc/rc.local that starts audit, and
/etc/security/passwd.adjunct file has several other effects in rc.local that improve system security (ypbind -s and rpc.mountd without -n).
/etc/passwd file has no password for the "root" account!
sendmail.cf to 65534.
Opauthwarnings,needmailhelo,noexpn,novrfy,restrictmailq
(Reference 2 and Reference 9)
/bin/mail program so chmod u-s /bin/mail.
/etc/rc.local that invoke sendmail.
For outgoing mail, /bin/mail to be set-user-ID.
/bin/mail so chmod u-s /bin/mail.
/etc/rc.local that invoke Sendmail.
portmapper, login, rshd, rlogind, pidentd from W. Venema, Reference 15
Note: the Australian group SERT (Reference 18) has put together a package named MegaPatch that includes several of these packages as well as many of the patches to SunOS previously mentioned.
Customizing ruserok(3)
.rhosts authentication entirely, simply have this routine return -1. Look at the /usr/lib/shlib.etc/README file for how to modify libc.so.
/usr/lib/shlib.etc/README below the line:
insert
% mv xccs.multibyte. xccs.multibyte.o
OBJSORT=/usr/lib/shlib.etc/objsort AWKFILE=/usr/lib/shlib.etc/awkfile
Thanks to all the people in comp.security.unix who offered their suggestions, and thanks to the following people for their kind review:
Thomas M. Kroeger (tmk@cse.ucsc.edu) / Braden W. Carter (bwcarter@cse.ucsc.edu)