Enhancements to SCO UNIX C2 Security
W. Paul Zola
paulz at sco.COM
Fri Feb 22 10:23:31 AEST 1991
chip at tct.uucp (Chip Salzenberg) writes:
}I'm sorry, but SCO C2 security is still a botch.
In article <43 at talgras.UUCP> david at talgras.UUCP (David Hoopes) writes:
}
}Not exactly, you can choose if you want C2 relaxed or not. There is still
}no way to get rid of it. I just spent a whole week wasted because of that
}C2 junk.
}
}I hate C2. I hate it a lot.
}
I have good news for all those who have been having problems with
SCO's C2 Security. SCO Support has just released a Support Level
Supplement (SLS) which is designed to resolve many of these problems.
The supplement name is "The SCO UNIX System V/386 Release 3.2 Security
Supplement", and the SLS number is unx257. This SLS is available
for anonymous UUCP via sosco, and through the usual support channels.
For those who are interested, I am enclosing an excerpt from the
cover letter which accompanies unx257. This excerpt should cover
the main features of unx257. I hope that people will find this
useful and informative.
-
Paul Zola Software Support Engineer
paulz at sco.COM
Gotta tend the earth if you want a rose. - Emily Saliers
DISCLAIMER: I speak for myself, and not for SCO.
################## cut here ################ cut here ##################
What does Support Level Supplement (SLS) unx257 contain?
RELEASE: SCO UNIX System V/386 Release 3.2 Operating System
SCO UNIX System V/386 Release 3.2 Operating System Version 2.0.
Open Desktop Release 1.0
SLS unx257 consists of one diskette that can be installed on SCO
UNIX System V/386 Release 3.2 Operating System, SCO UNIX System
V/386 Release 3.2 Operating System Version 2.0, and Open Desktop
Release 1.0. Release Notes and Manual pages that were shipped
with SLS unx257 are: ADDXUSERS(ADM); ASROOT(ADM); AUTHCK(ADM);
ALE(ADM); FIXMOG(ADM); RMUSER(ADM); PASSWDUPD(ADM); TTYUPD(ADM);
TCBCK(ADM); UNRETIRE(ADM); CRONTAB(C); PASSWD(C); LOGIN(M).
Features in SLS unx257
SLS unx257 includes the following features:
Enhanced crash recovery, including modifications to tcbck(ADM).
Command-line utilities, rmuser(ADM) and unretire(ADM), for removing,
retiring and unretiring users.
The utility, passwdupd(ADM), to create a user who was added to
/etc/passwd file manually.
A hushlogin feature in login(M) for suppressing copyright and other
messages during a login.
A new authck(ADM) -y flag that silently corrects any errors in the
subsystem database.
The utility, fixmog(ADM), to change the permissions of all files to match
their entries in the File Control database.
The utility, cps(ADM), for setting the permissions of individual files to
match their entries in the File Control database.
A locking utility, ale(ADM), that enables administrators to write scripts
that update the Authentication database.
The utility, ttyupd(ADM), that updates the Terminal Control database to
match /etc/inittab.
The utility, asroot(ADM), that allows an authorized user to run a defined
set of commands as superuser without the root password.
New semantics of PASSLENGTH in /etc/default/passwd that represent the
absolute minimum password length to be enforced by passwd(C).
Modifications to su(C)
- Instead of allowing a user to su to root only, users can su
to any account if they have the account password.
- The system can be configured to a C1 level of security so that
su transitions also transfer the authorizations of the account.
Other Improvements and Additions
SLS unx257 also includes the following improvements and additions.
Note: Unless otherwise stated the problems described below are present
in all the software environments specified earlier.
addxusers(ADM)
- Now handles a relative pathname for the name of the input file.
- Allows the passwords of newly added accounts to be changed if they
did not have aging information.
authck(ADM)
- Increased robustness to repair additional errors in the subsystem
database files.
sulogin(ADM)
- The LUID is now set under all circumstances.
- The gid is set to root's group as specified in /etc/passwd.
sysadmsh(ADM)
- The useshell helper program used by sysadmsh now displays
descriptive error messages.
login(C)
- Does not produce the 'cannot access Terminal Control database'
message when a large number of concurrent logins take place.
- The override shell spawned in emergencies now has its LUID set.
- All combinations of null passwords and PASSREQ work as documented.
- Use of an invalid username is now audited as <bad>.
passwd(C)
- Lockfiles are no longer left behind when setting a dial-up password.
su(C)
- No longer makes two entries in the sulog file each time it is used.
umask(C) preservation
- auths(C), su(C), newgrp(C), and at(C) now use the current value
of the user's umask rather than setting it to 077.
*********** Important Notes *************
(1) Because the sysadmsh System->Security->Relax selection edits system
default files that are then changed by system administrators, there
was no accurate way for utilities, such as rmuser(ADM), to determine
if the system had been relaxed. To indicate relaxed behavior, edit
the /etc/auth/system/default files and change the u_secclass field
from "c2" to "c1". NOTE: If you have a trusted system, do NOT change
this.
(2) login(M) and su(C) now start the shell with the supplemental group
list set. The supplemental group ID list is used in addition to the
effective group ID (EGID) in determining file access permissions. The
EGID is still used in file creation. The maximum number of groups in
the supplemental groups list is defined by the tunable kernel parameter
NGROUPS_MAX. It can be changed by running sysadmsh(ADM), selecting
System->Configure->Kernel->Parameters and selecting option 3,
"Files, Inodes, and Filesystems". The parameter is NGROUPS.
(3) login(M) and su(C) set the supplemental group list to the login GID
(from /etc/passwd), followed by successive groups (read from /etc/group),
of which the user is a member (excluding the login group). If a user is
listed as a member of a group more than once, the group ID will appear
more than once in the supplemental group list. When the list is full or
the end of the group file is reached, the supplemental group list is set.
This behavior is functionally equivalent to BSD's, except BSD uses a
fixed, instead of configurable, size list.
In SCO UNIX System V/386 Release 3.2, supplemental group lists may
only be set; they are not used in access decisions.
(4) The su(C) feature, allowing a user to gain the authorizations of another
account, has been implemented as a temporary solution which involves
changing the LUID of the su process. All audit records generated by that
process have the LUID of the su'ed user, not the original user. However,
the audit reduction program can produce an audit report with audit records
labeled with the correct LUID. Because this implementation can reduce the
integrity of audit data, this su feature is only enabled if the system is
relaxed (see below). The implementation of this feature will be changed
in a future release of the operating system.
Note that when su'ing from an account that does not have the nopromain
subsystem authorization to an account that does, the shell started by su
will still be running in a promain.
(5) The new asroot(ADM) utility will also run a command with root
authorizations if the u_secclass field is set to "c1". Note that asroot
asks for the password corresponding to the LUID, not the RUID.
(6) In SCO UNIX System V/386 Release 3.2 Operating System Version 2.0, the
file /tcb/lib/setfiles is a nonfunctional utility; this SLS replaces it
with a link to /bin/false. This command has been superseded by the new
fixmog(ADM) utility.
(7) When using passwdupd(ADM) to add users to the system, always add lines at
the end of /etc/passwd.
(8) On-line copies of the new and replacement manual pages are added to your
system during installation.
(9) SLS unx257 contains new versions of /etc/profile and /etc/cshrc which
have been modified so that no messages are displayed during a hushlogin.
If the existing versions of these files have not been altered from the
original operating system versions, then the installation script
overwrites the old versions with the new versions. If changes have been
made, then the new versions are left in /etc/profile.hush and
/etc/cshrc.hush. The /etc/profile and /etc/cshrc files are sometimes
edited by a product's (such as ODT-DATA and ODT-DOS) installation script.
Then SLS unx257 will not overwrite these files and will put the new
version as /etc/profile.hush and /etc/cshrc.hush. If the files are not
overwritten, then you may want to incorporate the hushlogin changes into
your own versions manually, after the installation is complete.
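
The list-building rule in note (3), sketched as an added example (not SCO's code and not part of the original post), shows how a duplicate membership uses up a slot so that a later group is silently dropped once the list is full. The function name, the limit of 4 and the sample group data are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in /etc/group format: name:passwd:gid:members */
static const char SAMPLE_GROUP[] =
    "users::100:alice\n"           /* alice's login group, skipped in the scan */
    "staff::50:alice,bob\n"
    "audit::60:bob,alice,alice\n"  /* alice is listed twice */
    "ops::70:alice\n";

/* Login GID first, then one entry per occurrence of `user` in each group
 * line, until the list is full or the text ends. Returns the entry count. */
int build_group_list(const char *text, const char *user, int login_gid,
                     int *list, int max)
{
    size_t ulen = strlen(user);
    int n = 0;
    if (max > 0)
        list[n++] = login_gid;
    while (*text && n < max) {
        const char *end = text + strcspn(text, "\n");
        const char *c1 = memchr(text, ':', (size_t)(end - text));
        const char *c2 = c1 ? memchr(c1 + 1, ':', (size_t)(end - c1 - 1)) : NULL;
        const char *c3 = c2 ? memchr(c2 + 1, ':', (size_t)(end - c2 - 1)) : NULL;
        int gid = c2 ? atoi(c2 + 1) : login_gid;
        const char *m = c3 ? c3 + 1 : end;
        while (gid != login_gid && m < end && n < max) {
            size_t len = 0;
            while (m + len < end && m[len] != ',')
                len++;
            if (len == ulen && memcmp(m, user, len) == 0)
                list[n++] = gid;   /* duplicates are kept, as the note says */
            m += len + 1;
        }
        text = (*end == '\n') ? end + 1 : end;
    }
    return n;
}

int main(void)
{
    int list[8], i, n;
    n = build_group_list(SAMPLE_GROUP, "alice", 100, list, 4); /* limit of 4 */
    for (i = 0; i < n; i++)
        printf("%d ", list[i]);   /* 70 (ops) never makes it into the list */
    printf("\n");
    return 0;
}
```

With a limit of 8 the same input yields all of alice's groups, so auditing /etc/group for repeated member names shows which accounts lose memberships at a small limit.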