Note: This is an archival copy of Security Sun Alert 201291 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000973.1.
Article ID : 1000973.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-02-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in the Solaris 10 Loopback FileSystem (LOFS) May Allow Files in a Non-global Zone to be Moved or Renamed From a Read-Only Filesystem



Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6366432

Date of Resolved Release
01-FEB-2007

Impact

Local privileged users inside a non-global zone may be able to move or rename files which are part of a read-only mounted loopback file system (see lofs(7FS)). This filesystem may be shared with the global zone, which would result in the files being removed from the global zone also.  This can result in a Denial of Service (DoS) to the non-global zone and the global zone.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 118833-28

x86 Platform

  • Solaris 10 without patch 118855-28

Note: Solaris 8 and Solaris 9 are not impacted by this issue.

This issue only impacts systems which have non-global zones configured with the read-only LOFS root filesystem using the root filesystem of the global zone as the underlying filesystem.

To determine whether a system is configured with non-global zones that use read-only loopback filesystems, run the following commands from the global zone:

1. Display the name of the current zones on the system:

    $ zoneadm list -cv
      ID NAME             STATUS         PATH
       0 global           running        /
       2 localzone1       running        /zones/localzone1
       3 localzone2       running        /export/localzone2

2. Search the mounted file system table file (mnttab(4)) for read-only and loopback entries for the path to the non-global zones (as listed under the "PATH" heading above):

    $ egrep "(/zones/localzone1|/export/localzone2).*lofs.*ro" /etc/mnttab
    /lib - /zones/localzone1/root/lib lofs - no ro,nodevices,nosub
    /usr - /export/localzone2/root/usr lofs - no ro,nodevices,nosub

Any pathname which is found by the egrep(1) command is affected by this issue.
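
The two steps above combined into one check, as an added example that is not part of the original advisory: it reads saved `zoneadm list -cv` output and a mount table, derives the non-global zone paths, and reports lofs mounts under them that carry `ro` as a whole mount option. The function name, its file arguments and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): report read-only lofs mounts that
# live under a non-global zone path. Sample data below is constructed.

# lofs_ro_mounts ZONE_LIST MOUNT_TABLE -> lines of "zonename mountpoint"
lofs_ro_mounts() {
    awk '
        # File 1: "zoneadm list -cv" output, columns ID NAME STATUS PATH.
        NR == FNR {
            if (FNR > 1 && $2 != "global") zpath[$2] = $4
            next
        }
        # File 2: mount table. Find the fstype column by value so the
        # mnttab(4) layout and the layout printed in the advisory both parse.
        {
            fs = 0
            for (i = 2; i <= NF; i++) if ($i == "lofs") { fs = i; break }
            if (!fs) next
            mnt = $(fs - 1); ro = 0
            # Require "ro" as a whole mount option, not a substring.
            for (i = fs + 1; i <= NF; i++) {
                n = split($i, opt, ",")
                for (j = 1; j <= n; j++) if (opt[j] == "ro") ro = 1
            }
            if (!ro) next
            # Match on the zone path plus "/" so localzone1 != localzone10.
            for (z in zpath)
                if (index(mnt, zpath[z] "/") == 1) print z, mnt
        }
    ' "$1" "$2" | sort
}

# Constructed sample input (zone names and paths reuse the advisory example).
sample_dir=${TMPDIR:-/tmp}/lofs_demo.$$
mkdir -p "$sample_dir"
cat > "$sample_dir/zones" <<'EOF'
ID NAME             STATUS         PATH
0 global           running        /
2 localzone1       running        /zones/localzone1
3 localzone2       running        /export/localzone2
EOF
cat > "$sample_dir/mnttab" <<'EOF'
/lib - /zones/localzone1/root/lib lofs - no ro,nodevices,nosub
/usr /export/localzone2/root/usr lofs ro,nodevices,nosub,dev=1540002 1170000000
/export/data /zones/localzone1/root/data lofs rw,nodevices,dev=1540003 1170000000
/dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles,onerror=panic 1170000000
EOF
lofs_ro_mounts "$sample_dir/zones" "$sample_dir/mnttab"
```

On a live system, save the output of `zoneadm list -cv` from the global zone to a file and pass it together with `/etc/mnttab`.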


Symptoms

If this issue has been exploited, the user may notice files missing or moved out of the affected filesystem, either in the global zone or in the non-global zone. Services which depend on these files may no longer be available.


Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 118833-28 or later

x86 Platform

  • Solaris 10 with patch 118855-28 or later


References

118855-28
118833-36



