Solaris2.5.1 dtlogin core
From: akjoele () SIUE EDU (Arve Kjoelen)
Date: Thu, 24 Jul 1997 16:40:54 -0500
We're running Solaris 2.5.1 CDE remotely from some FreeBSD boxes.
The other day, I noticed a mod 644 core file in the root directory of
the Solaris machine. adb said it was dtlogin which had died of
SIGSEGV. Doing a 'strings' on the file revealed not only the encrypted
password of a remote dt user, but also the UNENCRYPTED password.
Adding umask 077 to the beginning of /etc/init.d/dtlogin does nothing to
prevent this. Also, dtlogin is not affected by the modifications
discussed here earlier to set the default umask for all daemons (create
/etc/rc?.d/S00rootusr.sh containing 'umask 077'). It looks as if dtlogin
explicitly sets its umask to 027. ('nm' on /usr/dt/bin/dtlogin does find
a reference to umask).
Temporary fix: create an empty /core file mod 400. All subsequent cores
will be created with these permissions.
In general, I think all programs that process passwords should overwrite
the unencrypted password immediately after calling crypt(). There is
no reason to keep the unencrypted password around in memory.
Secondly, but not as critically, it would be nice if the
encrypted/hashed passwords could also be overwritten after they're no longer
SunOS cerberus 5.5.1 Generic_103640-08 sun4u sparc SUNW,Ultra-1
Sys Admin, EE Dept.
Southern Illinois University - Edwardsville.
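
The overwrite-after-crypt() practice recommended in the message above, sketched as an added example that is not part of the original post and is not dtlogin's code. The names `check_password`, `scrub`, `disable_core_dumps` and `demo_hash` are hypothetical; `demo_hash` is a constructed stand-in with the same signature as crypt(3) so the example links without libcrypt, and the RLIMIT_CORE call is an additional guard that the post does not mention.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Same signature as crypt(3); a real login program would pass crypt here. */
typedef char *(*hash_fn)(const char *key, const char *salt);

/* Constructed stand-in so the example links without libcrypt. NOT a real hash. */
static char *demo_hash(const char *key, const char *salt) {
    static char out[16];
    unsigned long h = 5381;
    for (const char *p = key; *p; p++)
        h = h * 33 + (unsigned char)*p;
    snprintf(out, sizeof out, "%.2s%08lx", salt, h & 0xffffffffUL);
    return out;
}

/* Zero through a volatile pointer so the stores are not optimised away. */
static void scrub(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Ask the kernel not to write a core file for this process. */
static int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 on match. The cleartext is zeroed right after hashing, on every path. */
static int check_password(char *cleartext, size_t cap, const char *stored, hash_fn hash) {
    char *computed = hash(cleartext, stored);  /* stored hash carries the salt */
    scrub(cleartext, cap);                     /* whole buffer, not just strlen */
    if (computed == NULL)
        return 0;
    int ok = strcmp(computed, stored) == 0;
    scrub(computed, strlen(computed));         /* hash is no longer needed either */
    return ok;
}

int main(void) {
    char stored[16], pw[32] = "hunter2";       /* constructed sample values */
    strcpy(stored, demo_hash("hunter2", "ab"));
    disable_core_dumps();
    int ok = check_password(pw, sizeof pw, stored, demo_hash);
    printf("match=%d first_byte_after=%d\n", ok, pw[0]);
    return 0;
}
```

A core written after `check_password` returns would still contain the stored hash passed in by the caller, so the caller has to scrub that copy itself once it is done with it.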