Note: This is an archival copy of Security Sun Alert 200448 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000329.1.
Solaris 9 Operating System
Solaris 8 Operating System
Date of Resolved Release
A security vulnerability in the "/usr/ucb/ps" (see ps(1B)) command may allow unprivileged local users the ability to see environment variables and their values for processes which belong to other users.
This issue can occur in the following releases:
Note 1: Solaris 10 is not affected by this issue.
Note 2: The ps(1m) command is used for reporting process status. The full path for this command is "/usr/bin/ps". In addition, there is "/usr/ucb/ps" which is documented in the ps(1b) manual page. Only the "/usr/ucb/ps" command is affected by the vulnerability described in this Sun Alert.
In general users will use the "/usr/bin/ps" version as most will not have the directory "/usr/ucb" in their command search path (see the appropriate PATH section of relevant shell manual pages).
As an unprivileged user, running the "/usr/ucb/ps axe" command shows all processes, and with the "e" flags, it also includes their environment.
$ /usr/ucb/ps axe PID TT S TIME COMMAND ... 53 ? S 0:00 /usr/lib/devfsadm/devfseventd LD_LIBRARY_PATH= PATH=/sbin: /usr/sbin:/usr/bin TZ=GB-Eire _INIT_PREV_LEVEL=0 ...
In the example above we can see a root owned daemon, along with its environment variables and their values.
To work around the described issue, remove the set-id bit from "/usr/ucb/ps".
This issue is addressed in the following releases:
This solution has no attachment