Patch-ID# 102023-03
Keywords: security, SunOS, 4.1.x, passwd, -F, root, race-condition
Synopsis: SunOS 4.1.3: Root access possible via forced passwd race condition
Date: Oct/28/94

Solaris Release: 1.0, 1.1

SunOS Release: 4.1.2, 4.1.3, 4.1.3C

Unbundled Product:

Unbundled Release:

Xref: Patch 102060 is the 4.1.3_U1 version of this patch.

Relevant Architectures: sparc

BugId's fixed with this patch: 1169007

Changes incorporated in this version:

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by: 4.1.4, 5.x

Files included with this patch: /usr/bin/passwd

Problem Description:

This revision is issued to add 4.1.2 support.

(from 102023-02)
This revision is issued to correct installation instructions. The patch
contents have not otherwise changed.

(from 102023-01)
1169007: Security: Root access possible on SunOS 4.1.x via forced passwd
race condition.

Patch Installation Instructions:

1) Login as root.

2) Make a backup copy of the old file (if you have installed any other
   version of passwd, you may wish to save under another name):

        cp /usr/bin/passwd /usr/bin/passwd.fcs

   (It is important to use "cp" instead of "mv" for this because the same
   passwd program is actually stored under several hard-linked alias names
   and it is important to update them all.)

3) Change the permissions on the saved file to prevent its execution:

        chmod 400 /usr/bin/passwd.fcs

4) Copy in the patched file:

        cp `uname -r`/passwd /usr/bin/passwd

5) Set ownership & permissions:

        chown root /usr/bin/passwd
        chgrp staff /usr/bin/passwd
        chmod 4555 /usr/bin/passwd

This patch restricts the use of the passwd command's -F option to root,
unless the system administrator explicitly permits non-root users to use
the option for specifically-identified alternate password files.

If you wish to permit such use, set up a file called /etc/pwfiles
containing a line for each full path you wish to allow non-root users to
specify as an argument to the -F option. Lines in /etc/pwfiles which do
not begin with a "/" character are treated as comments; this effectively
allows non-root users to use only fully-specified paths with -F.

The use of the /etc/pwfiles file in this way is analogous to the way the
/etc/shells file is used by the passwd command to restrict the shells
non-root users can set up for themselves (you can see the passwd man page
for more information on the /etc/shells file).

Unauthorized non-root use of the -F flag produces the message:

        passwd: -F may not be specified for file <-F arg>.
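
The /etc/pwfiles rule described above, sketched in C as an added example; this is not Sun's passwd source. The names dash_f_permitted and check_sample and the sample paths are hypothetical, and literal string comparison of the path is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Return 1 if `uid` may pass `arg` to -F, 0 otherwise. `list` is an open
 * allow-list in the /etc/pwfiles format, or NULL when the file is absent. */
int dash_f_permitted(FILE *list, const char *arg, uid_t uid)
{
    char line[1024];
    int at_line_start = 1;      /* does the next fgets() chunk begin a line? */

    if (uid == 0)
        return 1;               /* root is not restricted */
    if (list == NULL || arg == NULL || arg[0] != '/')
        return 0;               /* no allow-list, or not a full path */
    while (fgets(line, sizeof line, list) != NULL) {
        size_t len = strlen(line);
        int complete = (len > 0 && line[len - 1] == '\n');
        int starts_line = at_line_start;

        at_line_start = complete;
        if (complete)
            line[len - 1] = '\0';
        /* Skip the tail of an over-long line, the over-long line itself,
         * and comments (any line whose first character is not '/'). */
        if (!starts_line || (!complete && len == sizeof line - 1) || line[0] != '/')
            continue;
        if (strcmp(line, arg) == 0)     /* literal match (assumption) */
            return 1;
    }
    return 0;
}

/* Constructed sample allow-list; the paths are made up for this example. */
static const char SAMPLE[] =
    "# alternate password files non-root users may edit\n"
    "/var/yp/src/passwd\n"
    "  /etc/passwd.indented\n"      /* leading blanks: treated as a comment */
    "relative/passwd\n"             /* no leading '/': treated as a comment */
    "/export/lab/passwd";           /* last line, no trailing newline */

int check_sample(const char *arg, uid_t uid)
{
    FILE *f = tmpfile();
    int ok;

    if (f == NULL)
        return -1;
    fputs(SAMPLE, f);
    rewind(f);
    ok = dash_f_permitted(f, arg, uid);
    fclose(f);
    return ok;
}
```

Because the match is literal, a path is permitted only when it is written exactly as it appears in the list.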