CERT Vendor-Initiated Bulletin (Silicon Graphics Inc.)

CERT Bulletin cert-advisory at cert.org
Wed Mar 8 21:38:34 UTC 1995

CERT Vendor-Initiated Bulletin VB-95:02
March 8, 1995

Topic: IRIX 5.2, 6.0, 6.0.1 Desktop Permissions Tool 
Source: Silicon Graphics Inc.

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Silicon
Graphics Inc. (SGI). SGI urges you to act on this information as soon as
possible. SGI contact information is included in the forwarded text below;
please contact them if you have any questions or need further information.

========================FORWARDED TEXT STARTS HERE============================
                Silicon Graphics Inc. Security Advisory

        Title: IRIX 5.2, 6.0, 6.0.1 Desktop Permissions Tool
                Number:         19950301-01-P373
                Date:           March 3, 1995

Silicon Graphics provides this information freely to the SGI community
for its consideration, interpretation and implementation.   Silicon Graphics
recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any consequential damages arising
from the use of, or failure to use or use properly, any of the instructions
or information in this Security Advisory.

A vulnerability has been discovered in the IRIX 5.2, 6.0, and 6.0.1 operating
systems regarding the permissions tool under the IRIX desktop environment.
Normally, this tool is used by users to modify the permissions on their files
and files they are privileged for.  Under certain conditions, a user may be
able to modify the permissions for any file.  This is identified as SGI
SCR # 265071.

SGI Engineering has investigated this issue and recommends the following
steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED that these
measures be done on ALL SGI systems running IRIX 5.2, 6.0, and 6.0.1 .
This issue is corrected in 5.3 of IRIX and will be corrected in future
releases of IRIX.

- --------------------------
- --- Immediate Solution ---
- --------------------------

The most immediate solution for this issue is to remove the setuid/setgid
bits on /usr/lib/permissions, or to remove the tool entirely.  Removing the
setuid/setgid bits will limit the tool to only function on files owned by
the user using the tool.

        1) Become the root user on the system.

                % /bin/su -

        2) Change the unix permissions level on the desktop
        permissions program.

                # chmod u-s /usr/lib/desktop/permissions
                # chmod g-s /usr/lib/desktop/permissions

        3) Return to previous user.

                # exit

- --------------------------
- --- Long Term Solution ---
- --------------------------

*** IRIX 5.0.x, 5.1.x ****

The versions 5.0.x and 5.1.x of IRIX were limited hardware, specific
releases and have since been obsoleted by later versions of IRIX.  For
supportability reasons, upgrading to at least IRIX 5.2 is recommended
as a first step for all problem resolution.   IRIX 5.0.x, 5.1.x ARE
NOT subject to this vulnerability.

**** IRIX 5.2, 6.0, 6.0.1 ****


For the IRIX operating system versions 5.2, 6.0 and 6.0.1, an inst-able
patch has been generated and made available via anonymous ftp and/or your
service/support provider.  The patch is number 373 and will install on
IRIX 5.2, 6.0 and 6.0.1 .

- -NOTE- Inst-able patches require a patch-aware inst program.  The stock
5.2 inst program with the base install is not patch-aware.  The 6.0
and 6.0.1 inst programs are.  A patch-aware inst program for IRIX 5.2 is
available as patch number 0, 34, or 84.  Any one of these may be used, with
84 the latest, most recommended, and available via your service provider
or the usual SGI anonymous ftp sites.

The SGI anonymous ftp site is ftp.sgi.com (  Additionally,
the alternative SGI anonymous ftp site, sgigate.sgi.com,  can be accessed
to find the same files.  On each of these servers, patch 373 can be found
in the following directories:




                        ##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 patchSG0000373
Algorithm #1 (sum -r):    51249 1 patchSG0000373
Algorithm #2 (sum):       21641 1 patchSG0000373
MD5 checksum:             40A604013A05C2521152ED4B51C5D9A5

Filename:                 patchSG0000373.desktop_eoe_sw
Algorithm #1 (sum -r):    09134 88 patchSG0000373.desktop_eoe_sw
Algorithm #2 (sum):       63013 88 patchSG0000373.desktop_eoe_sw
MD5 checksum:             D74F9BDED3D51E9D28666CADF1B31945

Filename:                 patchSG0000373.idb
Algorithm #1 (sum -r):    50435 1 patchSG0000373.idb
Algorithm #2 (sum):       41363 1 patchSG0000373.idb
MD5 checksum:             790E9A47909BC32D8E9FCE14EA4077D8

- ------------------------------------
- --- Further Information/Contacts ---
- ------------------------------------

For obtaining security information, patches or assistance, please
contact your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert at csd.sgi.com .

For reporting *NEW* SGI security issues, email can be sent to
security-alert at sgi.com .

=========================FORWARDED TEXT ENDS HERE=============================

CERT bulletins, CERT advisories, information about FIRST representatives, and
other information related to computer security are available for anonymous FTP
from info.cert.org. 

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request at cert.org.

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted.  The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).

Internet E-mail: cert at cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

CERT is a service mark of Carnegie Mellon University.

More information about the NANOG mailing list