Security Review: Solaris 8 Setuid/Setgid Files
Information Systems and Technology
University of Waterloo


Recommendations

These recommendations are restricted to just those new files we find in Solaris 8:

  1. /usr/bin/pfexec f none 4555 root bin 6508 15149 947116796 SUNWcsu

    This setuid root tool is new to Solaris 8. It's part of the "Core Solaris, (Usr)" (SUNWcsu) package. The manual page says:

    The pfexec program is used to execute commands with the attributes specified by the user's profiles in the exec_attr(4) database. It is invoked by the profile shells, pfsh, pfcsh, and pfksh which are linked to the Bourne shell, C shell, and Korn shell, respectively.

    Profiles are searched in the order specified in the user's entry in the user_attr(4) database. If the same command appears in more than one profile, the profile shell uses the first matching entry.

    This seems to be a facility for granting fine-grained access controls to users. Running pfsh or pfcsh seems to give me a useless shell -- probably because the two databases mentioned are trivial. I don't see any usage in any of the startup scripts in /etc/init.d. I did find a reference at SecurityFocus Inc. where the author advises that you don't need it.

    Recommendation: Drop the setuid -- wait until you discover an application that requires this.

  2. /usr/lib/fbconfig/SUNWifb_config f none 4555 root bin 99740 25218 944854900 SUNWifbcf

    Another setuid root tool. This is part of the "Sun Expert3D (IFB) Graphics Configuration Software" (SUNWifbcf) package. The manual page says:

    SUNWifb_config configures the Sun Expert3D Graphics Accelerator and some of the X11 window system defaults for the graphics accelerator.

    On systems that don't have a glass console of the sort supported by this tool there's obviously no need for this. On systems that do have the graphics hardware I have a hard time believing that this tool needs to be run very often (if at all) by anyone other than the root user. Given the history of security problems with similar tools (there have been advisories with respect to the Kodak Color Management System) I can't see leaving this setuid root.

    Recommendation: Drop the setuid -- if you need to configure the graphics hardware su first.

  3. /usr/openwin/bin/sparcv9/kcms_configure f none 6755 root bin 31952 45773 942273275 SUNWkcsrx

    This one is quite a surprise. There's already a /usr/openwin/bin/kcms_configure that's setuid so this can't be one of those ISA versions (unless they've inadvertently made an isaexec copy and needlessly marked it setuid). Package information explains things:

    [3:45pm sun580] pkginfo SUNWkcsrt
    application SUNWkcsrt      KCMS Runtime Environment
    [3:46pm sun580] pkginfo SUNWkcsrx
    application SUNWkcsrx      KCMS 64 bit Runtime Environment
    
    I suppose both might be required but I would make the same observations -- you don't need this very often and when you do need it you should be root. You don't want arbitrary users mucking with this. Gosh, I seem to recall that you need special diagnostic devices to use this tool anyway.

    Recommendation: As before, drop the setuid -- if you need to configure the graphics hardware su first.

  4. /usr/platform/sun4u/sbin/prtdiag f none 2755 root sys 4512 22503 947118367 SUNWkvm

    A setgid sys surprise. The manual page says "prtdiag displays system configuration and diagnostic information on sun4u and sun4d systems." That explains why we didn't see it on Solaris 7 -- we were reviewing a different hardware platform.

    Recommendation: Drop the setgid -- if you need to use this then su first.

  5. /usr/sbin/afbconfig f none 4555 root bin 61508 19299 944695277 SUNWafbcf

    Another setuid root tool for mucking with graphics hardware (the AFB Graphics Accelerator). This is part of the "Elite3D Graphics Configuration Software" (SUNWafbcf) package but I have the same recommendation.

    Recommendation: Drop the setuid -- if you need to configure the graphics hardware su first.

  6. /usr/sbin/aspppls f none 4555 root bin 5584 20920 947116576 SUNWapppu

    This is part of the "PPP/IP Asynchronous PPP daemon and PPP login service" (SUNWapppu) package, which allows for IP connections over serial lines -- typically modems and the telephone. Certainly not required for anyone on the campus network. This looks like an optional package that should not be installed on servers.

    Recommendation: Drop the setuid unless you actually need a PPP connection.

  7. /usr/sbin/ffbconfig f none 4555 root bin 58980 12585 944695292 SUNWffbcf

    Another setuid root tool for mucking with graphics hardware (this time the FFB Graphics Accelerator). This is part of the "Creator Graphics Configuration Software" (SUNWffbcf) package. Same recommendation:

    Recommendation: Drop the setuid -- if you need to configure the graphics hardware su first.

  8. /usr/sbin/igsconfig f none 4555 root bin 37260 36326 941496138 SUNWigsu

    Another setuid root tool for mucking with graphics hardware (this time the IGS Graphics Adaptor). This is part of the "IGS CyberPro2010 DDX (OW) Driver and Utilities" (SUNWigsu) package. Same recommendation:

    Recommendation: Drop the setuid -- if you need to configure the graphics hardware su first.

  9. /usr/sbin/m64config f none 4555 root bin 28388 54466 944595359 SUNWm64cf

    Another setuid root tool for mucking with graphics hardware (this time the M64 Graphics Accelerator). This is part of the "M64 Graphics Configuration Software" (SUNWm64cf) package. Same recommendation:

    Recommendation: Drop the setuid -- if you need to configure the graphics hardware su first.

  10. /usr/sbin/pgxconfig f none 4555 root bin 102904 64555 929538945 TSIpgxw

    Another setuid root tool for mucking with graphics hardware (this time the PGX32 (Raptor GFX) Graphics Accelerator). This is part of the "PGX32 (Raptor GFX) X Window System Support" (TSIpgxw) package. Same recommendation:

    Recommendation: Drop the setuid -- if you need to configure the graphics hardware su first.

The pfexec tool may be a great solution for managing fine-grained access to services. It may, until it's had some time in the market, be a security problem. While it's nice to see support for lots of display accelerators it's very dangerous to see all the setuid root tools for mucking with them. The prtdiag program is another needless instance of allowing all users access to kernel information. The support for dialup PPP is nice as well -- for those who need it -- but a needless security exposure for everyone else.

The cautious system manager should restrict access to these new tools by dropping the setuid on all of them -- none are required for the casual user. These additions are, in my opinion, an unwarranted risk. You can reduce your risk by using the Bourne Shell script that implements the recommendations made here and in the companion paper on Solaris 7.
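
The entries quoted in the list above carry the file mode in their fourth field, so the setuid/setgid review can be planned mechanically. The following is an added example, not the author's script: a dry run that prints the chmod commands without changing anything. It assumes a POSIX shell with arithmetic expansion; the function names and the two /opt/example entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the author's script): dry-run planner for the entries above.
# Entry format: path ftype class mode owner group size cksum modtime package

# Print MODE with setuid (4000) and setgid (2000) cleared; sticky and rwx bits kept.
strip_special() {
    printf '%04o\n' $(( 0$1 & 01777 ))
}

# Read entries on stdin; print one chmod command per setuid/setgid regular file.
plan_chmod() {
    while read -r path ftype class mode owner group size cksum mtime pkg; do
        [ "$ftype" = "f" ] || continue                  # regular files only
        case "$mode" in ''|*[!0-7]*) continue ;; esac   # skip '?' or malformed modes
        special=$(( 0$mode & 06000 ))
        [ "$special" -ne 0 ] || continue                # nothing to drop
        kind=""
        if [ $(( special & 04000 )) -ne 0 ]; then kind="setuid $owner"; fi
        if [ $(( special & 02000 )) -ne 0 ]; then kind="${kind:+$kind, }setgid $group"; fi
        printf 'chmod %s %s   # was %s (%s), package %s\n' \
            "$(strip_special "$mode")" "$path" "$mode" "$kind" "$pkg"
    done
}

# First three entries are quoted from the review; the last two are constructed
# (an ordinary file and a directory) to show what the planner skips.
sample_entries() {
    cat <<'EOF'
/usr/bin/pfexec f none 4555 root bin 6508 15149 947116796 SUNWcsu
/usr/openwin/bin/sparcv9/kcms_configure f none 6755 root bin 31952 45773 942273275 SUNWkcsrx
/usr/platform/sun4u/sbin/prtdiag f none 2755 root sys 4512 22503 947118367 SUNWkvm
/opt/example/bin/tool f none 0555 root bin 1024 1 947116796 EXMPpkg
/opt/example d none 0755 root bin EXMPpkg
EOF
}

sample_entries | plan_chmod
```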


(by) Reg Quinton, Information Systems and Technology
2000/08/17 - 2003/09/30