UnixWorld Online: Tutorial Article No. 003

How to Improve Security on a Newly Installed SunOS 4.1.3 System

By Thomas M. Kroeger and Braden W. Carter

Questions regarding this article should be directed to the authors at tmk@cse.ucsc.edu or bwcarter@cse.ucsc.edu

We'd like this document to remain current and evolve to become even more useful to the Unix community. Please send Solaris 1.1 and 1.1.1 security tips not covered here, along with any necessary pointers or references to beccat@wcmh.com. We will include those we judge suitable along with a credit for the contributor.


Our goal is to provide some of the more basic steps that you can do to improve security on a newly installed SunOS 4.1.3 (Solaris 1.1 or 1.1.1) system. Disclaimer: This is by no means an all-inclusive list of actions, just some of the simple and more common measures. These recommendations come with no guarantees!

The intended audience is anyone responsible for the system administration duties of a machine running SunOS 4.1.3. These recommendations are applicable to a stand-alone workstation, which may be connected to a larger network. It is assumed that the reader has some familiarity with basic Unix system administration. (You should be able to do a basic system installation by yourself, install patches, and use an editor).

Please note that this list limits its coverage to measures that can be done for a stand-alone workstation. In addition to the steps listed here, there are many measures that can be taken to improve the security of an environment. For example, filtering traffic to port 2049/udp at the routers will prevent NFS calls from outside your domain. Such measures, while extremely helpful, can be quite specific to individual system needs and can become quite involved. A proper coverage of these issues would warrant a book, not a short write up. More detailed coverage of these measures can be found in Reference 2.

The truly paranoid may wish to implement these recommendations while in single user mode, as an extra measure of security to avoid possible subversive shenanigans by a wily cracker.

Steps to Improve Security

Patches to Install

4.1.3 Security listing

100103 SunOS 4.1;4.1.1;4.1.2;4.1.3: script to change file permissions
100173 SunOS 4.1.1/4.1.2/4.1.3 : NFS Jumbo Patch
100224 SunOS 4.1.1,4.1.2,4.1.3: /bin/mail jumbo patch *
100257 SunOS 4.1.1;4.1.2;4.1.3: jumbo patch for ld.so, ldd, and ldconf
100272 SunOS 4.1.3: Security update for in.comsat.
100296 SunOS 4.1.1, 4.1.2, 4.1.3: netgroup exports to world
100305 SunOS 4.1.1, 4.1.2, 4.1.3: lpr Jumbo Patch
100372 SunOS 4.1.1;4.1.2;4.1.3: tfs and c2 do not work together
100377 SunOS 4.1.1, 4.1.2, 4.1.3: sendmail jumbo patch
100383 SunOS 4.0.3;4.1;4.1.1;4.1.2;4.1.3: rdist security and hard link *
100448 OpenWindows 3.0: loadmodule is a security hole.
100452 OpenWindows 3.0: XView 3.0 Jumbo Patch
100478 OpenWindows 3.0: xlock crashes leaving system open
100482 SunOS 4.1;4.1.1;4.1.2;4.1.3: ypserv and ypxfrd fix, plus DNS fix *
100507 SunOS 4.1.1, 4.1.2, 4.1.3: tmpfs jumbo patch
100513 SunOS 4.1.1;4.1.2;4.1.3: Jumbo tty patch
100564 SunOS 4.1.2, 4.1.3: C2 Jumbo patch
100593 SunOS 4.1.3: Security update for dump. *
100623 SunOS 4.1.2;4.1.3: UFS jumbo patch
100630 SunOS 4.1.1, 4.1.2, 4.1.3: SECURITY: methods to exploit login/su
100631 SunOS 4.1.x: env variables can be used to exploit login(US only)
100632 SunSHIELD 1.0: ARM jumbo patch release *
100890 SunOS 4.1.3: domestic libc jumbo patch
100891 SunOS 4.1.3: international libc jumbo patch
100909 SunOS 4.1.1;4.1.2;4.1.3: Security update for syslogd.
101072 SunOS 4.1.1;4.1.2;4.1.3: Non-related data filled the last block
101080 SunOS 4.1.1 4.1.2 4.1.3: security problem with expreserve
101200 SunOS 4.1.1, 4.1.2, 4.1.3: Breach of security using modload
101206 ODS 1.0; NFS/fsirand security fix.
101480 SunOS 4.1.1;4.1.2;4.1.3: Security update for in.talkd. *
101482 SunOS 4.1.3, 4.1.2, 4.1.1: Security update for write. *
101640 SunOS 4.1.3: in.ftpd logs password info when -d option is used.
102023 SunOS 4.1.3: Root access possible via forced passwd race condition
101710 ONLINE DISKSUITE (ODS) 1.0: Security update for dump.
4.1.3_UI Security listing

101434 SunOS 4.1.3_U1: lpr Jumbo Patch
101435 SunOS 4.1.3_U1: ypserv fix *
101436 SunOS 4.1.3_U1: bin/mail jumbo patch *
101440 SunOS 4.1.3_U1: security problem: methods to exploit login/su
101558 SunOS 4.1.3_U1: international libc jumbo patch
101579 SunOS 4.1.3_U1: Security problem with expreserve for Solaris 1. *
101587 SunOS 4.1.3_U1: security patch for mfree and icmp redirect
101590 ONLINE DISKSUITE (ODS) 1.0, NFS/fsirand security fix
101621 SunOS 4.1.3_U1: Jumbo tty patch
101665 SunOS 4.1.3_U1: sendmail jumbo patch *
101679 SunOS 4.1.3_U1: Breach of security using modload
101759 SunOS 4.1.3_U1: domestic libc jumbo patch

* Some patches may not be required if you are disabling this feature. If this is the case, ensure that all relevant files have had their mode changed to remove the set-user-ID bit with chmod u-s <file>.

Please also note that some patches may not necessarily apply, based on packages installed (US Encryption...) or your configuration. Carefully check the README file for each patch.

Patches are available via anonymous FTP from ftp://ftp.uu.net/systems/sun/sun-dist/.

Back to the Index of Steps.

Network Changes

Kernel Changes

Return to the Index of Steps.

File system Changes

ID Management Changes

Mail System Modifications

The sendmail program itself has been notorious for numerous bugs that can give crackers root access illegitimately. This is a huge topic and should be a paper or book in itself. We claim no expertise here. ;-) Even so, there are several different possible configurations and options that will be outlined before we point you to further references.

Host configuration:
  1. If you intend to send and receive mail directly on your machine, your options are to:
    • live with sendmail by installing the newest version, following a few guidelines, or
      • Ensure a mail file is always in existence for all users. Reference 10 and Reference 11
      • chmod u-s /bin/mail and change sendmail to use "procmail" or mail.local. Reference 17
      • Change sendmail default user-ID in sendmail.cf to 65534.
      • Turn on security features of sendmail, including
        Opauthwarnings  needmailhelo  noexpn  novrfy  restrictmailq
        Reference 2 and Reference 9

    • install Zmailer. Reference 8
      Zmailer does not use the /bin/mail program so chmod u-s /bin/mail.
  2. If your mail delivery is handled by another host then your system should only need to support outgoing mail. To prevent the sendmail daemon from being started, comment out the line(s) in /etc/rc.local that invoke sendmail. For outgoing mail,
    • install latest version of sendmail, or
      • see previous comments in this section for things to change in sendmail config,
      • chmod u-s /bin/mail, since mail delivery is being handled by main mail host there is no need for /bin/mail to be set-user-ID.
    • install Zmailer. Reference 8
      Zmailer does not use /bin/mail so chmod u-s /bin/mail.
  3. No need for mail whatsoever on this machine--incoming, outgoing, or internal. This is certainly the most secure mode because e-mail will not be able to be sent from or to this machine. This basic restriction of outside access will prevent abuse of that service.
    To disable mail totally,
    • chmod u-s /usr/lib/sendmail /usr/lib/sendmail.mx /bin/mail
    • comment out the line(s) in /etc/rc.local that invoke Sendmail.
Back to the Index of Steps.

Packages for Better Security and Monitoring

Note: the Australian group SERT (Reference 18) has put together a package named MegaPatch that includes several of these packages as well as many of the patches to SunOS previously mentioned.

Back to the Index of Steps.


[1] Dan Farmer & Wietse Venema, "Improving the security of your Site by Breaking Into it", 1993. (ftp://ftp.win.tue.nl:/pub/security/admin-guide-to-cracking.Z)

[2] W. Cheswick & S. Bellovin, "Firewalls and Internet Security", Addison-Wesley, April 94.

[3] H. Stern, "Managing NFS & NIS", O'Reilly & Associates, April 92.

[4] Wietse Venema, "TCP WRAPPER: Network monitoring, access control and booby traps" (ftp://ftp.win.tue.nl/pub/security/tcp_wrapper.ps.Z), Proceedings of the Third Usenix Unix Security Symposium, pg. 85-92. (text version) ( tcp wrapper package -- look for most recent version of tcp_wrappers_*.shar.Z)

[5] Eric Oliver, "How to shadow without C2 Auditing", June 94. (ftp://ftp.hawaii.edu/pub/security/docs/shadow.wo.audit.4.1.3)

[6] [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX

[7] Proactive password changing programs (passwd+, npasswd) (There are several this is the only one who's URL I had available) anlpasswd (look for most recent version of anlpasswd-*.tar.Z), passwdd (look for the most recent version of passwdd-*.tar.Z)

[8] Zmailer package, and the README file (ftp://cs.toronto.edu/pub/zmailer/)

[9] Bryan Costales, Eric Allman, and Neil Rickert, "Sendmail", O'Reilly & Associates, June 93.

8lgm advisories are available though the 8lgm file server at 8lgm-fileserver@bagpuss.demon.co.uk. Please note that you must include information about which advisory you want. To get instructions, include the word help in the message body.

[10] [8lgm]-Advisory-5.UNIX.mail.24-Jan-1992
[11] [8lgm]-Advisory-5.UNIX.mail.24-Jan-1992.PATCH
[12] [8lgm]-Advisory-6.UNIX.mail2.2-May-1994

[13] Gene Kim & Gene Spafford Tripwire, 1994. (ftp://coast.cs.purdue.edu/pub/Purdue/papers/spafford/Tripwire.ps.Z)

[14] Dan Farmer & Gene Spafford Cops, 1990. (ftp://ftp.cert.org/pub/tools/cops/)

[15] Wietse Venema portmapper, login, rshd, rlogind portmap, logdaemon (ftp://ftp.win.tue.nl/pub/security/)

[16] Safford et. al. TAMU tiger script, 1993. (ftp://net.tamu.edu/pub/security/TAMU/)

[17] Local mail delivery agents including procmail, mail.local (by Joerg Czeranski). (ftp://ftp.informatik.rwth-aachen.de/pub/packages/)

[18] SERT's MegaPatch (ftp://ftp.sert.edu.au/security/tools/)

[19] Source Routing Patch (ftp://ftp.greatcircle.com/pub/firewalls/digest/v03.n153.Z)

[20] Crack (ftp://ftp.uu.net/usenet/comp.sources.misc/volume28/crack)

[21] CERT Advisory CA-94:01 (ftp://ftp.cert.org/pub/cert_advisories/CA-94:01.ongoing.network.monitoring.attacks)

[22] Simson Garfinkel and Gene Spafford "Practical Unix Security", O'Reilly & Associates, June 1991.

[23] "xinetd-2.1.2" ("ftp://unix.hensa.ac.uk/pub/uunet/published/oreilly/nutshell/miis/xinetd-2.1.2.tar.gz)

Back to the Index of Steps.

Technical Note

We felt that this item was not really directed toward our targeted audience, yet still worth mention:

Customizing ruserok(3)

If you have source license to 4.1.3, modify the routine ruserok(3) to return -1 for the cases you wish to disallow. To disable .rhosts authentication entirely, simply have this routine return -1. Look at the /usr/lib/shlib.etc/README file for how to modify libc.so.
Note to also make the following changes:
  • In the file /usr/lib/shlib.etc/README below the line:
    % mv rpc_commondata. rpc_commondata.o

    % mv xccs.multibyte. xccs.multibyte.o

  • In the Makefile, change the lines below to read as they do here.
  • Add the -ldl option at the end of both ld command lines.
More Info
ruserok(3), hosts.equiv(5) source code file /lib/libc/net/rcmd.c Reference 4, Reference 15

Back to the Index of Steps.


Thanks to all the people in comp.security.unix who offered their suggestions, and thanks to the following people for their kind review:

spaf@cs.purdue.edu (Gene Spafford)
rgoodman@uhunix.uhcc.hawaii.edu (Becky Goodman)
andys@unipalm.co.uk (Andy Smith)
Back to the Index of Steps.

Thomas M. Kroeger (tmk@cse.ucsc.edu) / Braden W. Carter (bwcarter@cse.ucsc.edu)

Copyright © 1995 by Thomas M. Kroeger and Braden W. Carter. All Rights Reserved.
Feel free to redistribute or include this list or parts of it wherever you desire, but please include appropriate citation.
Copyright © 1995 The McGraw-Hill Companies, Inc. All Rights Reserved.
Edited by Becca Thomas / Online Editor / UnixWorld Online / beccat@wcmh.com

[Go to Content] [Search Editorial]

Last Modified: Wednesday, 23-Aug-95 16:01:46 PDT