Category: Security
Category: Availability
Release Phase: Resolved
Product: Solaris 10 Operating System
Bug Id: 6602070
Date of Resolved Release: 13-DEC-2007
Impact
A security vulnerability exists for Solaris 10 systems with kernel patches 120011-04 or later (SPARC) and 120012-04 or later (x86) that are configured as NFS servers and grant root user access to remote clients. This vulnerability may allow root users on remote clients that are not authorized to access the shared file systems as root to nevertheless have root access to files shared by the NFS server.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform:
- Solaris 10 with patch 120011-04 or later and without patch 127111-05
x86 Platform:
- Solaris 10 with patch 120012-04 or later and without patch 127954-03
NOTE: Solaris 8 and 9 are not impacted by this issue.
A system is only impacted by this issue if both of the following are true:
a) The system is acting as an NFS server, is sharing root access to remote clients using the "root=" option, and is mounting the file systems either as read-only ("ro=" option) or as read-write ("rw=" option). See share_nfs(1M) for information on file system sharing options. To list all file systems shared by an NFS server, the '/usr/sbin/share' command may be used as in the following example:
$ share
/NFSTEST root=hostname ""
b) Either the 'ipnodes' or the 'hosts' entry (or both) in /etc/nsswitch.conf lists only "files" as its source. The following command may be executed to check these entries in /etc/nsswitch.conf:
$ egrep '^ipnodes|^hosts' /etc/nsswitch.conf
hosts: files nisplus dns [NOTFOUND=return] files
ipnodes: nisplus [NOTFOUND=return] files
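Conditions (a) and (b) above can be evaluated together with a small script. This is an added example, not part of the original Sun Alert; the function names and sample data are constructed for illustration, and it assumes a POSIX awk (nawk or /usr/xpg4/bin/awk on Solaris 10). Patch level is not checked.

```shell
#!/bin/sh
# Added example: evaluates conditions (a) and (b) from "Contributing Factors".
# Function names are hypothetical; patch level must be checked separately.

# (a) Print share lines whose option list grants root access ("root=").
shares_with_root() {   # stdin: output of /usr/sbin/share
    awk '/(^|[ \t,])root=/'
}

# (b) Print "hosts" and/or "ipnodes" when that entry has "files" as its only source.
files_only_dbs() {     # stdin: contents of /etc/nsswitch.conf
    awk '{
        sub(/#.*/, "")              # drop comments
        sub(/:/, ": ")              # tolerate "hosts:files"
        gsub(/\[[^]]*\]/, "")       # drop criteria such as [NOTFOUND=return]
        if (($1 == "hosts:" || $1 == "ipnodes:") && NF == 2 && $2 == "files") {
            sub(/:$/, "", $1); print $1
        }
    }'
}

# Exit status 0 when both conditions hold, 1 otherwise.
config_exposed() {     # $1: share output, $2: nsswitch.conf contents
    [ -n "$(printf '%s\n' "$1" | shares_with_root)" ] &&
    [ -n "$(printf '%s\n' "$2" | files_only_dbs)" ]
}

# Constructed sample input (not taken from a real system).
SAMPLE_SHARE='-               /NFSTEST   root=hostname   ""'
SAMPLE_NSS_FILES='hosts:      files
ipnodes:    files nis'
SAMPLE_NSS_MIXED='hosts:      files nis
ipnodes:    nisplus [NOTFOUND=return] files'

if config_exposed "$SAMPLE_SHARE" "$SAMPLE_NSS_FILES"; then
    echo "files-only sample: conditions (a) and (b) both met"
fi
if ! config_exposed "$SAMPLE_SHARE" "$SAMPLE_NSS_MIXED"; then
    echo "mixed-source sample: condition (b) not met"
fi
```

On a live server the same check would be run as config_exposed "$(/usr/sbin/share)" "$(cat /etc/nsswitch.conf)".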
Symptoms
There are no predictable symptoms that would indicate the described vulnerability has been exploited.
Workaround
A) To work around this issue, patch 120011-04 or later (SPARC) or patch 120012-04 or later (x86) may be removed using the patchrm(1M) command.
Note however that these patches cannot be removed on Solaris 10 8/07 systems, as they are part of the initial installation of Solaris 10 8/07.
B) Alternatively, this issue can be avoided by adding another name service for hosts and ipnodes in /etc/nsswitch.conf. For example:
$ egrep '^ipnodes|^hosts' /etc/nsswitch.conf
hosts: files nis
ipnodes: files nis
C) This issue can also be avoided by disabling the nscd(1M) daemon on the NFS server. Disabling the nscd daemon may slow responses to name service requests on the NFS server. The nscd daemon may be disabled by running the following command (as 'root' user):
# svcadm disable svc:/system/name-service-cache:default
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 10 with patch 127111-05 or later
x86 Platform
- Solaris 10 with patch 127954-03 or later
Modification History
Date: 14-DEC-2007
- Updated Contributing Factors section
Date: 21-DEC-2007
- Updated Impact and Contributing Factors sections for clarification
Date: 08-JAN-2008
References
127954-03
127111-05