My original question was:
>In one of your workstations, running SunOS 4.1.3, the default value
>of umask suddenly changed from 022 to 0. I rebooted the system, but
>the value is still 0.
>Does anybody know, which file in the system defines the default value
>of umask?
>Is there a security hole, which allows users to change this value,
>maybe through sendmail?
Thanks to all the people who replied, especially to Per Hedeland:
neil@bMD.com (Neil Greene)
Erwin.Stuhr@USask.CA
fetrow@biostat.washington.edu
markus@octavia.anu.edu.au (Markus Buchhorn)
kevin@uniq.com.au
Laurinda.Chamberlin@btr0x1.hrz.uni-bayreuth.de (L. Chamberlin)
bern@uni-trier.de
karrer@ife.ee.ethz.ch (Andreas Karrer)
rgough@aol.com (RGough)
per@erix.ericsson.se (Per Hedeland)
One of the suggestions was to define umask 022 in the user's .cshrc file.
I did this as a temporary solution, but I still wanted to find out
what happened to our system.
People also recommended setting umask at the top of the /etc/rc* files.
I tried this, but the value of umask was still 0 (if not defined in .cshrc).
Per Hedeland (per@erix.ericsson.se) advised me to check whether /bin/login
had changed. And indeed, this is what happened. A cracker changed the
contents of /bin/login without changing the checksum and the last time of
editing. I then found out that /usr/kvm/ps had also been altered, and the
following new files were created by the cracker:
In /var/tmp:
-rw-r--r-- 1 root 29350 Feb 13 20:37 loadmodule.out
and in /dev :
-rw-r--r-- 1 root 4 Feb 13 21:03 ptyr
-rw-r--r-- 1 root 10 Feb 13 21:03 ptyp
crw-r--r-- 1 root 59, 0 Feb 13 20:37 evq
%: cat ptyp
2 intserv
%: cat ptyr
...
Does anybody know the meaning of these files?
In the meantime I installed SunOS 4.1.4 instead of 4.1.3 and also applied
the patch 100448-02 (secure version of /usr/openwin/bin/loadmodule).
__^__ __^__
( ___ )----------------------------------------------------------( ___ )
| / | Friedel Loinger | \ |
| / | | \ |
| / | Wise Observatory | \ |
| / | Tel-Aviv University, ISRAEL | \ |
| / | Phone: 972-3-6408546 Fax: 972-3-6408179 | \ |
|___| |___|
(_____)------------- Email: friedel@wise.tau.ac.il --------------(_____)
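
The two observations in the post above (a system binary whose contents changed while its checksum and modification time did not, and new regular files in /dev) map onto two checks, sketched here as an added example that is not part of the original message: a SHA-256 baseline comparison and a scan for regular files in a device directory. The function names and the temporary-directory scenario are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(path):
    """Baseline for one file: SHA-256 plus the metadata a casual check trusts."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mtime_ns": st.st_mtime_ns}

def audit(path, baseline):
    """Compare a file with its baseline and report what moved."""
    now = snapshot(path)
    return {"metadata_looks_clean": now["size"] == baseline["size"]
                                    and now["mtime_ns"] == baseline["mtime_ns"],
            "content_changed": now["sha256"] != baseline["sha256"]}

def regular_files_under(devdir):
    """Regular files in a device directory, where device nodes, symlinks
    and directories are the expected entries."""
    hits = []
    for root, _dirs, names in os.walk(devdir):
        for name in names:
            full = os.path.join(root, name)
            if stat.S_ISREG(os.lstat(full).st_mode):  # lstat: do not follow symlinks
                hits.append(os.path.relpath(full, devdir))
    return sorted(hits)

def demo():
    """Constructed scenario in a temp directory; no real system file is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "login")            # stand-in for /bin/login
        with open(target, "wb") as fh:
            fh.write(b"original program bytes")
        base = snapshot(target)
        with open(target, "wb") as fh:                 # same length, new content
            fh.write(b"replaced program bytes")
        os.utime(target, ns=(base["mtime_ns"], base["mtime_ns"]))  # old mtime back
        fake_dev = os.path.join(tmp, "dev")
        os.mkdir(fake_dev)
        for name in ("ptyp", "ptyr"):                  # file names from the post
            open(os.path.join(fake_dev, name), "w").close()
        os.symlink("ptyp", os.path.join(fake_dev, "stdin"))  # not a regular file
        return audit(target, base), regular_files_under(fake_dev)

if __name__ == "__main__":
    print(demo())
```

A baseline is only useful if it is stored where the audited host cannot rewrite it, and on current systems some paths under /dev (such as /dev/shm) legitimately hold regular files.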