Security flaw in either DIT TransferPro or Solaris

The Man (scott@LACKLUSTER.NET)
Mon, 05 Jan 1998 00:57:33 -0800

*sigh*

About a week ago I was looking around for a method to access my MO drive in
Solaris and found a program called TransferPro from a place called DIT.
I downloaded and installed the package, and just used tar to access the media
since I didn't really need it for much else. While fiddling with my MO drive,
I made a typo and accidentally specified /dev/rff0a as the tape device,
rather than rff5a, which was my MO. It horked my disk on target 0, and I had
to reinstall. I was *sure* that I was using tar as a normal user, so after
I reinstalled Solaris I investigated the permissions on what this TransferPro
package installed. It installs a device driver used for accessing the
removable media--ff is the name. All of the devices that it installs are
created with the permissions 0666. The ff driver works with normal disks, too,
and that's why I was able to screw up my disk on target 0. (For some reason
the tar also screwed up my disklabel, hence messing up the whole disk.)

Observe:

scott@tempe:~$ ls -l /devices/sbus\@1,f8000000/esp\@0,800000/ff\@0,0\:a,0,*
brw-rw-rw- 1 root sys 56, 0 Jan 4 23:53 /devices/sbus@1,f8000000/esp@0,800000/ff@0,0:a,0,blk
crw-rw-rw- 1 root sys 56, 0 Jan 4 23:53 /devices/sbus@1,f8000000/esp@0,800000/ff@0,0:a,0,raw

They should, of course, be mode 0640. I'm not sure if this is Solaris's fault
or the fault of this package. But no matter whose fault it is, it's quite
nasty. :)

I'm using Solaris 2.6.

Scott

--
Scott Smith
scott@lackluster.net

Mail received via UUCP, read with Mutt, and composed with vi on NetBSD-1.2G.
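
An audit for the condition reported above, as an added example that is not part of the original post: it reads `ls -l` output and flags block or character device nodes whose "other" permission bits grant read or write. The function names flag_open_nodes and scan_tree are hypothetical, and the sd@ and mm@ listing lines are constructed sample data; the two ff@ lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post.

# flag_open_nodes PATTERN
#   Reads `ls -l` lines on stdin. Prints every block/character device node
#   whose path matches PATTERN (an awk regex, default: any) and whose
#   "other" permission triplet grants read or write.
#   Returns 1 if at least one such node was found, 0 otherwise.
#   Assumes device paths contain no whitespace.
flag_open_nodes() {
    awk -v pat="${1:-.}" '
        /^[bc]/ {                       # b = block device, c = character device
            mode = $1; name = $NF
            if (name !~ pat) next       # skip nodes outside the audited driver
            other = substr(mode, 8, 3)  # characters 8-10 are the "other" rwx bits
            if (other ~ /[rw]/) {
                printf "%s %s other=%s\n", name, substr(mode, 1, 10), other
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# scan_tree DIR PATTERN
#   Applies the same check to a live device tree such as /devices.
scan_tree() {
    find "$1" \( -type b -o -type c \) -exec ls -ld {} + | flag_open_nodes "$2"
}

# Sample listing: the two ff@ lines come from the post; the sd@ and mm@
# lines are constructed. The mm@ line stands in for a node that is
# world-writable by design (the null device), which is why the check is
# restricted by name pattern instead of flagging every open node.
SAMPLE='brw-rw-rw- 1 root sys 56, 0 Jan 4 23:53 /devices/sbus@1,f8000000/esp@0,800000/ff@0,0:a,0,blk
crw-rw-rw- 1 root sys 56, 0 Jan 4 23:53 /devices/sbus@1,f8000000/esp@0,800000/ff@0,0:a,0,raw
brw-r----- 1 root sys 32, 0 Jan 4 23:53 /devices/constructed/sd@0,0:a
crw-rw-rw- 1 root sys 13, 2 Jan 4 23:53 /devices/pseudo/mm@0:null'

# Audit only the nodes created by the ff driver.
printf '%s\n' "$SAMPLE" | flag_open_nodes 'ff@' || echo "ff nodes are world-accessible"
```

On a live system the equivalent call is scan_tree /devices 'ff@', run after installing any package that adds a device driver.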