Note: This is an archival copy of Security Sun Alert 200791 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000606.1.
Article ID : 1000606.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-12-09
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

The pfexec(1) Command May Execute a "Profile" Command With Additional Privileges



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 8 Operating System

Bug Id
4925561

Date of Resolved Release
29-JAN-2004

Impact

A local unprivileged user with a custom rights profile (see profiles(1)) may be able to execute a profile command with greater privileges than originally assigned, if the execution profiles database (exec_attr(4)) contains an invalid entry for that custom rights profile.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 109007-15
  • Solaris 9 without patch 116237-01

x86 Platform

  • Solaris 8 without patch 109008-15
  • Solaris 9 without patch 116238-01

Notes:

  1. Solaris 7 is not affected by this issue.
  2. The modification of the exec_attr(4) file requires "root" privileges.

The pfexec(1) program is used to execute commands with the attributes specified by the user's profiles in the exec_attr(4) database. A user must be part of an execution profile in addition to the default profiles of "Basic Solaris User" and "All". A user can determine which profiles they are part of by running the profiles(1) command, as in this example:

    % profiles
Basic Solaris User
All

Symptoms

There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized elevated privileges on a host.


Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 109007-15 or later
  • Solaris 9 with patch 116237-01 or later

x86 Platform

  • Solaris 8 with patch 109008-15 or later
  • Solaris 9 with patch 116238-01 or later


Modification History

References

116237-01
116238-01
109007-15
109008-15




Attachments
This solution has no attachment