Re: Solaris 2.6/7 NTP permissions problem
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Fri, 16 Jul 1999 23:03:53 +0200
I reported this bug to Sun approx. 3 weeks ago. Haven't gotten a
response yet so I'm going ahead and releasing it.
I've noticed that the XNTP daemon on Solaris 2.6 and 7 creates
its drift file (default=/etc/inet/ntp.drift) world-writable (666).
Even changing the permissions to something sane the permissions
eventually get set back to 666 (not sure if this is at daemon restart,
update of the drift file or both).
There's not a whole lot you can do with this hole, though. xntp will
use it as a hint on how good the local clock is but will put only limited
trust in it. (You could copy a big file there, but again, that file
A standard default umask of 022 for all programs or xntpd would fix this.
In the next release, the default umask will likely be 022.
What also helps is:
setfacl -m d:u::7,d:m:5,d:g::5,d:o:5 /etc/inet
Which forces all files created in the directory to have mode 644 or 755.
The Solaris FAQ says:
3.50) How can I prevent daemons from creating mode 666 files?
By default, all daemons inherit the umask 0 from init.
This is most problematic for a service like ftp, which in a
standard configuration leaves all uploaded files with mode 666.
To get daemons to use another umask execute the following
commands in /bin/sh and reboot:
umask 022 # make sure umask.sh gets created with the proper mode
echo "umask 022" > /etc/init.d/umask.sh
for d in /etc/rc?.d
do
    ln /etc/init.d/umask.sh $d/S00umask.sh
done
Note: the trailing ".sh" of the scriptname is important, if
you don't specify it, the script will be executed in a
sub-shell, not in the main shell that executes all other scripts.
In Solaris 2.6 and later, in.ftpd(1M) allows setting its umask
--- end of excerpt from the FAQ
Questions marked with a * or + have been changed or added since
the FAQ was last posted
The most recently posted version of the FAQ is available from
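
Added example, not part of the original message or the FAQ: a small /bin/sh check that shows the effect of the inherited umask on a newly created file and lists world-writable files in a directory such as /etc/inet. The function names and the scratch files are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and the scratch directory are constructed for
# illustration; nothing here comes from the original post or the FAQ.

# Print every regular file under directory $1 that is world-writable (o+w).
find_world_writable() {
    find "$1" -type f -perm -002 -print
}

# Create an empty file at $2 under umask $1. The shell opens the file with
# mode 0666, as a daemon calling creat(path, 0666) would, so the resulting
# mode is 0666 & ~umask. The subshell keeps the caller's umask unchanged.
create_with_umask() {
    ( umask "$1" && : > "$2" )
}

# Print the ten-character type and permission string of $1, e.g. -rw-r--r--.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Constructed demo: the same create call under umask 0 (inherited from init)
# and under umask 022 (after the S00umask.sh change), then the audit.
demo() {
    dir=$(mktemp -d) || return 1
    create_with_umask 0   "$dir/drift.umask-0"
    create_with_umask 022 "$dir/drift.umask-022"
    for f in "$dir"/drift.*; do
        printf '%s  %s\n' "$(mode_string "$f")" "${f##*/}"
    done
    echo "world-writable:"
    find_world_writable "$dir"
    rm -rf "$dir"
}

# With a directory argument, audit it; with none, run the demo.
if [ -n "${1:-}" ]; then
    find_world_writable "$1"
else
    demo
fi
```

Run with a directory argument (for example /etc/inet) to audit it after the umask or ACL change has been applied and the daemon restarted.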