I wrote:
>Hi Folks -
>
>I am confused here. I have three Suns and they don't agree! I'm sure
>someone can tell me:
>
>What ownerships and permissions should I have for files (and directories)
>under /var?
>
>Thanks!
Well, there really was no consensus. The greatest amount of agreement was
in the permissions of files in /var, followed by near agreement on who the
user-owner of those files should be (which is contradicted by CERT). It was
surprising that one-third of the respondents did not report who the group-
owners were -- as if that was not relevant to the question. Only one person
reported on the files in subdirectories of /var. Finally, one person passed
along the CERT advisory, CA--93:03, which warns of various ownerships and
permissions that were set insecurely by Sun in all of the 4.1[.x] releases.
Excerpts from the advisory, and the patch script are included below.
The /var directory:
------------------------------------------------------------------------
There was a difference of opinion on the permissions for /var itself,
each of the following getting one vote:
drwxr-xr-x 6 bin bin 512 Apr 17 04:50 /var
drwxr-xr-x 10 root wheel 512 Apr 7 20:50 /var [said to have been
set by suninstall
for 4.1.3]
drwxrwxr-x 14 root wheel 512 Feb 9 16:01 /var
Files in /var:
------------------------------------------------------------------------
Two people had these permissions:
drwxr-sr-x 5 bin staff 512 Apr 17 04:05 adm/
drwxr-sr-x 2 bin staff 512 Jul 23 1992 crash/
drwxr-sr-x 2 bin staff 512 Apr 21 02:00 log/
drwxr-sr-x 4 root staff 512 Jul 23 1992 net/
drwxr-sr-x 3 bin staff 512 Apr 9 23:23 preserve/
drwxr-sr-x 13 bin bin 512 Apr 19 12:24 spool/
drwxrwsrwx 3 bin staff 512 Apr 21 08:24 tmp/
drwxr-sr-x 5 root staff 512 Apr 8 21:05 yp/
Notice that the sticky bit is set on the directories. Only one of these
people showed the group owners; the other person mentioned that this was
under 4.1.1. So, 4 machines agreed on the user-owner and 2 machines
agreed on the group owner.
Another respondent had these permissions on his 3 machines:
drwxr-xr-x 6 bin bin 512 Apr 17 04:50 adm/
drwxr-xr-x 2 bin bin 512 Oct 11 1990 crash/
drwxr-xr-x 2 bin bin 512 Apr 17 04:05 log/
drwxr-xr-x 4 root wheel 512 Oct 11 1990 net/
drwxr-xr-x 20 root wheel 512 Apr 20 06:05 spool/
drwxr-xr-x 3 bin bin 512 Aug 24 1992 yp-/
Notice that the sticky bit is not set.
Another person agreed with the user-ownership (group ownership was not
given) but differed from one or both of the above for:
drwxrwsr-x 3 root 512 Apr 19 03:04 adm/
drwxr-sr-x 21 bin 512 Aug 6 1992 spool/
drwxr-sr-x 5 bin 1024 Apr 23 08:21 yp/
Files in subdirectories of /var:
------------------------------------------------------------------------
Only one person sent listings of these directories. Since no conclusion
can be drawn from only one sample, I have not included that listing (but
thanks, Paul).
CERT Advisory:
------------------------------------------------------------------------
Here are two excerpts:
"The default permissions on a number of files and directories in SunOS
4.1, 4.1.1, 4.1.2, and 4.1.3 are set incorrectly. These problems are
relevant for the sun3, sun3x, sun4, sun4c, and sun4m architectures.
They have been fixed in SunOS 5.0."
"File permissions on numerous files were set incorrectly in the
distribution tape of 4.1.x. A typical example is that a file which
should have been owned by 'root' was set to be owned by 'bin'."
This is the relevant part of the patch script from patch 100103-11. The
script sets the permissions and ownerships as shown:
file mode user group type
---- ---- ---- ----- ----
/var 02755 root staff directory
/var/adm 02755 root staff directory
/var/adm/acct/fiscal 02755 root staff directory
/var/adm/acct/nite 02755 root staff directory
/var/adm/acct/sum 02755 root staff directory
/var/log 02755 root staff directory
/var/spool 02755 root staff directory
/var/tmp 03777 root staff directory
/var/yp 02755 root staff directory
/var/yp/binding 02755 root staff directory
/var/yp/`domainname`/mail.aliases.dir 00644 root staff file
/var/yp/`domainname`/mail.aliases.pag 00644 root staff file
Thanks to everyone who responded!
Mark Anderson
----------------------------------------------------------
The MITRE Corporation manderso@mitre.org
7525 Colshire Drive, MS W747 voice: (703) 883-6439
McLean, VA 22102 FAX: (703) 883-1905
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:07:46 CDT