Enchancements to SCO UNIX C2 Security

W. Paul Zola paulz at sco.COM
Fri Feb 22 10:23:31 AEST 1991 

chip at tct.uucp (Chip Salzenberg) writes:
}I'm sorry, but SCO C2 security is still a botch.

In article <43 at talgras.UUCP> david at talgras.UUCP (David Hoopes) writes:
}
}Not exactly, you can choose if you want C2 relaxed or not.  There is still
}no way to get rid of it.  I just spent a whole week wasted because of that
}C2 junk.  
}
}I hate C2.  I hate it alot.
}

I have good news for all those who have been having problems with 
SCO's C2 Security.  SCO Support has just released a Support Level
Supplement (SLS) which is designed to resolve many of these problems.
The supplement name is "The SCO UNIX System V/386 Release 3.2 Security
Supplement", and the SLS number is unx257.  This SLS is availible 
for anonymous UUCP via sosco, and through the usual support channels.

For those who are interested, I am enclosing an excerpt from the 
cover letter which accompanies unx257.   This excerpt should cover
the main features of unx257.  I hope that people will find this 
useful and informative.  

-
Paul Zola			Software Support Engineer 
				paulz at sco.COM 
Gotta tend the earth if you want a rose.  - Emily Saliers
    DISCLAIMER: I speak for myself, and not for SCO.

################## cut here ################ cut here ##################


What does Support Level Supplement (SLS) unx257 contain?


RELEASE:  SCO UNIX System V/386 Release 3.2 Operating System 
          SCO UNIX System V/386 Release 3.2 Operating System Version 2.0.  
	  Open Desktop Release 1.0


          SLS unx257 consists of one diskette that can be installed on SCO 
	  UNIX System V/386 Release 3.2 Operating System, SCO UNIX System 
	  V/386 Release 3.2 Operating System Version 2.0, and Open Desktop 
	  Release 1.0.  Release Notes and Manual pages that were shipped 
	  with SLS unx257 are:  ADDXUSERS(ADM); ASROOT(ADM); AUTHCK(ADM); 
	  ALE(ADM); FIXMOG(ADM); RMUSER(ADM); PASSWDUPD(ADM); TTYUPD(ADM);
	  TCBCK(ADM); UNRETIRE(ADM); CRONTAB(C); PASSWD(C); LOGIN(M).
	  

Features in SLS unx257

SLS unx257 includes the following features:

  Enhanced crash recovery, including modifications to tcbck(ADM).

  Command-line utilities, rmuser(ADM) and unretire(ADM), for removing, 
  retiring and unretiring users. 

  The utility, passwdupd(ADM), to create a user who was added to 
  /etc/passwd file manually. 

  A hushlogin feature in login(M) for suppressing copyright and other 
  messages during a login.

  A new authck(ADM) -y flag that silently corrects any errors in the 
  subsystem database.

  The utility, fixmog(ADM), to change the permissions of all files to match 
  their entries in the File Control database. 

  The utility, cps(ADM), for setting the permissions of individual files to 
  match their entries in the File Control database.

  A locking utility, ale(ADM), that enables administrators to write scripts 
  that update the Authentication database. 

  The utility, ttyupd(ADM), that updates the Terminal Control database to 
  match /etc/inittab. 

  The utility, asroot(ADM) that allows an authorized user to run a defined 
  set of commands as superuser without the root password. 

  New semantics of PASSLENGTH in /etc/default/passwd that represent the 
  absolute minimum password length to be enforced by passwd(C).

  Modifications to su(C) 

	- Instead of allowing a user to su to root only, users can su 
	  to any account if they have the account password.

	- The system can be configured to a C1 level of security so that 
	  su transitions also transfer the authorizations of the account.


Other Improvements and Additions

  SLS unx257 also includes the following improvements and additions. 
  Note: Unless otherwise stated the problems described below are present 
  in all the software environments specified earlier.

  addxusers(ADM)

  	- Now handles a relative pathname for the name of the input file.

  	- Allows the passwords of newly added accounts to be changed if they 
  	  did not have aging information.

  authck(ADM)

	- Increased robustness to repair additional errors in the subsystem 
	  database files.

  sulogin(ADM)

	- The LUID is now set under all circumstances.

	- The gid is set to root's group as specified in /etc/passwd.

  sysadmsh(ADM)

	- The useshell helper program used by sysadmsh now displays 
	  descriptive error messages.


  login(C)

	- Does not produce the 'cannot access Terminal Control database' 
	  message when a large number of concurrent logins take place.

	- The override shell spawned in emergencies now has its LUID set.

	- All combinations of null passwords and PASSREQ work as documented.

	- Use of an invalid username is now audited as <bad>.

  passwd(C)

	- Lockfiles are no longer left behind when setting a dial-up password.

  su(C)

	- No longer makes two entries in the sulog file each time it is used.


  umask(C) preservation

	- auths(C), su(C), newgrp(C), and at(C) now use the current value 
	  of the user's umask rather than setting it to 077.


	   ***********  Important Notes  *************


(1)  Because the sysadmsh System->Security->Relax selection edits system 
     default files that are then changed by system administrators, there 
     was no accurate way for utilities, such as rmuser(ADM), to determine 
     if the system had been relaxed.  To indicate relaxed behavior, edit 
     the /etc/auth/system/default files and change the u_secclass field 
     from "c2" to "c1".  NOTE: If you have a trusted system, do NOT change 
     this.
  
(2)  login(M) and su(C) now start the shell with the supplemental group 
     list set.  The supplemental group ID list is used in addition to the 
     effective group ID (EGID) in determining file access permissions.  The
     EGID is still used in file creation. The maximum number of groups in 
     the supplemental groups list is defined by the tunable kernel parameter 
     NGROUPS_MAX.  It can be changed by running sysadmsh(ADM), selecting
     System->Configure->Kernel->Parameters and selecting option 3, 
     "Files, Inodes, and Filesystems".  The parameter is NGROUPS.
  
(3)  login(M) and su(C) set the supplemental group list to the login GID 
     (from /etc/passwd), followed by successive groups (read from /etc/group), 
     of which the user is a member (excluding the login group).  If a user is 
     listed as a member of a group more than once, the group ID will appear 
     more than once in the supplemental group list.  When the list is full or 
     the end of the group file is reached, the supplemental group list is set.
     
     This behavior is functionally equivalent to BSD's, except BSD uses a 
     fixed, instead of configurable, size list.
  
     In SCO UNIX System V/386 Release 3.2, supplemental group lists may 
     only be set, they are not used in access decisions.
  
(4)  The su(C) feature, allowing a user to gain the authorizations of another 
     account, has been implemented as a temporary solution which involves 
     changing the LUID of the su process.  All audit records generated by that
     process have the LUID of the su'ed user, not the original user.  However, 
     the audit reduction program can produce an audit report with audit records 
     labeled with the correct LUID.  Because this implementation can reduce the 
     integrity of audit data, this su feature is only enabled if the system is 
     relaxed (see below).  The implementation of this feature will be changed 
     in a future release of the operating system.
  
     Note that when su'ing from an account, that does not have the nopromain 
     subsystem authorization to an account that does, the shell started by su 
     will still be running in a promain.
  
(5)  The new asroot(ADM) utility will also run a command with root
     authorizations if the u_secclass field is set to "c1".  Note that asroot 
     asks for the password corresponding to the LUID, not the RUID.
  
(6)  In SCO UNIX System V/386 Release 3.2 Operating System Version 2.0, the 
     file /tcb/lib/setfiles is a nonfunctional utility; this SLS replaces it 
     with a link to /bin/false.  This command has been superseded by the new 
     fixmog(ADM) utility.

(7)  When using passwdupd(ADM) to add users to the system, always add lines at 
     the end of /etc/passwd.
  
(8)  On-line copies of the new and replacement manual pages are added to your 
     system during installation.
  
(9)  SLS unx257 contains new versions of /etc/profile and /etc/cshrc which 
     have been modified so that no messages are displayed during a hushlogin.  
     If the existing versions of these files have not been altered from the 
     original operating system versions, then the installation script over-
     writes the old versions with the new versions.  If changes have been 
     made, then the new versions are left in /etc/profile.hush and 
     /etc/cshrc.hush.  The /etc/profile and /etc/cshrc files are sometimes 
     edited by a product's (such as ODT-DATA and ODT-DOS) installation script.
     Then SLS unx257 will not overwrite these files and will put the new 
     version as /etc/profile.hush and /etc/cshrc.hush.  If the files are not 
     overwritten, then you may want to incorporate the hushlogin changes into 
     your own versions manually, after the installation is complete.

More information about the Comp.unix.sysv386 mailing list