SUMMARY: 4.1.2 patches, and blocking NFS/NIS at the gateway

From: Christopher Davis (ckd@eff.org)
Date: Mon Feb 17 1992 - 01:18:56 CST


[I have BCC:ed all respondents, so if you get two copies, that's why;
one's from me directly, and one's from the list.]

Sorry this is so late; we decided that actually getting the machines up
and running would have to take priority over the summary for
sun-managers, at least for a little while.

The first section describes what we wound up doing here; not all of the
things we did will apply to everybody's sites, but that's the nature of
the beast.

After that is the full summary, and acknowledgments.

[Many thanks to the people who decoded my fumbling and responded on the
issues of both NFS and NIS; I meant both, but I said NFS, then talked
about port 111, which would affect NIS, not NFS...]

What We Did:

Well, first we installed it off of the CD-ROM, so that we'd have all the
optional tools (SysV, et. al). Since we don't use NIS, we installed all
the systems standalone, planning to make dataless clients of the smaller
workstations (ELCs and IPX). We decided to make a customized /usr
partition which could be distributed by Exabyte to each of the machines,
with later additions going on an NFS-mounted "local" tree (separate from
/usr/local/{bin,lib,etc}).

Before they even went on the net, we did the following:

 - removed /etc/hosts.equiv
 - removed the YP entries from /etc/passwd and /etc/groups
 - *-ed out the "sync" account's password
 - blocked 2049/udp traffic at our cisco [we hadn't been using NFS
   before]

We then applied patches 100103-10 (file permissions), 100296-02 (too-long
exports lines), and 100383-03 (rdist) which didn't make it into 4.1.2.
We're not using OpenWindows, so those patches weren't necessary, either
(100184 for OW2.0, or 100448 for OW3.0).

/etc/rc.local needed some work; we fixed the "chmod 666 /etc/motd" and
hardwired the correct, all-ones broadcast address.

Other "fixes": /usr/ucb/whois to connect to nic.ddn.mil instead of
sri-nic.arpa; we made a resolving libc.so (after adding -ldl to the
makefile in /usr/lib/shlib.etc); we removed Sun's sendmail and
sendmail.mx, replacing them with UIUC-IDA 5.65c+1.4.4.1; and we compiled
a fair amount of "critical" local software to go in the standard /usr
partition, including X11R5, perl, and emacs.

We were already using the log_tcp package on our current machines and
are adding it to the new machines as well.

If we ever go to NIS, we will probably use Alain Brossard's patched
ypserv, which allows you to control who gets your password maps and the
like. It's available from ltisun.epfl.ch. (Sun may also release a
similarly patched ypserv before SunOS 5.0, or they may not...)

The Replies:
[I have edited out responses that only said "please summarize" and
paraphrased for brevity in some cases. Paraphrases and editorial
additions are marked by [brackets].]
================
From: ivan@durras.anu.edu.au (Ivan Dean)

I'm pretty sure that the permissions patch 100103-10 is still required. I did
receive your first request, did you receive this message, it may be useful -
[reference to list of bugs fixed in 4.1.2 available for anonymous ftp as
smaug.cs.hope.edu:/pub/sunos-4.1.2-bugfixes.Z deleted]
================
From: Fuat Baran <fuat@ans.net>

tcp_wrapper (tcpw) from cert.sei.cmu.edu is nice.

>Also, what ports need to be blocked on a cisco to stop NFS traffic
>in/out of a network? I understand that blocking 111 (portmapper) alone
>won't do the job.

2049 for NFS. The yp daemons pick random ports so if you block the
portmapper (111) you make it hard but not impossible for someone to
find the services. Depending on how paranoid you are you might want
to block everything except a list of acceptable ports as opposed to
blockng specific ones. Your call.
================
From: casper@fwi.uva.nl (Casper H.S. Dik)

NFS can be blocked by blocking 2049/udp.

We have only applied the rdist patch (and removed /etc/hosts.equiv)
You migh also want to take al llok at 4.1.1secure.sh. Not
all the chown/chmodsin the most recent version of that patch
are included in 4.1.2 (specifically, you might want to do chmod g-s
/usr/kvm/crash)
================
From: cordis1_490!gls ( Gary Schaps x2157)

Current patch list for 4.1.2. (1/31/92)
 

     1 100303-02 SunOS 4.1;4.1.1;4.1.2: system freezes using loopback interface
     2 100359-04 SunOS 4.1;4.1.1;4.1.2: streams jumbo patch
     3 100407-03 SunOS 4.1;4.1.1; 4.1.2: accounting files are corrupted when commands run as nobody
     4 100431-02 SunOS4.1.1;4.1.2: Performance improvements for GT using PHIGS and XGL
     5 100458-01 SunOS 4.1;4.1.1;4.1.2: Setitimer sometimes fails to deliver a SIGALRM.
     6 100469-01 SunOS 4.1.1;4.1.2: cdrom mount error messages
     7 100474-01 SunOS 4.1.2: Assertion Failure on 1.3GB Elite Drive
     8 100475-01 SunOS 4.1.2: mmap system call on galaxy causes BAD TRAP

[I believe a ninth and possibly tenth have been added now --ckd]
================
From: "(Alain Brossard EPFL-SIC/SII)" <brossard@sasun1.epfl.ch>

        There is the patch for ypser which I distributed which
Sun isn't distributing officialy yet (though they have blessed its
use).

[Sun is apparently working on something also]
[list referred to above of patches that *are* in 4.1.2 deleted]
================
From: steve@uunet.uu.net (Steve D. Miller)

   Curiously enough, Shaun and I here plugged into the Online Bugs Database
the other day, and I don't believe that the latest rdist patch was listed
under the 4.1.2 section, at least. I'd still install it just to be sure;
after all, how many non-security-related bug fixes was Sun likely to have
made in rdist between 4.1.1 and 4.1.2? (-:

   If you block port 111 and port 2049, you should be fairly safe in terms
of NFS traffic. It's possible to run NFS on different ports, but you'd
have to work at it, I believe, to make that happen on your end (and even
then, I'd be moderately surprised if changing ports didn't break lots of
things).
================
From: Mike Raffety <miker@sbcoc.com>

> Also, what ports need to be blocked on a cisco to stop NFS traffic
> in/out of a network? I understand that blocking 111 (portmapper) alone
> won't do the job.

My understanding is that you have to block ALL UDP traffic, since a
more-or-less random port number is used.
================
From: "(Alain Brossard EPFL-SIC/SII)" <brossard@sasun1.epfl.ch>

        I've already replied to your first message, but I
have some more information:

sunos 4.1.2 any 100303-02 SunOS 4.1;4.1.1;4.1.2: system freezes using loopback interface
sunos 4.1.2 any 100359-04 SunOS 4.1;4.1.1;4.1.2: streams jumbo patch
sunos 4.1.2 any 100407-03 SunOS 4.1;4.1.1; 4.1.2: accounting files are corrupted when commands run as nobody
sunos 4.1.2 any 100431-02 SunOS4.1.1;4.1.2: Performance improvements for GT using PHIGS and XGL
sunos 4.1.2 any 100458-01 SunOS 4.1;4.1.1;4.1.2: Setitimer sometimes fails to deliver a SIGALRM.
sunos 4.1.2 any 100469-01 SunOS 4.1.1;4.1.2: cdrom mount error messages
sunos 4.1.2 any 100474-01 SunOS 4.1.2: Assertion Failure on 1.3GB Elite Drive
sunos 4.1.2 any 100475-01 SunOS 4.1.2: mmap system call on galaxy causes BAD TRAP
================
From: john@mlb.semi.harris.com (John M. Blasik)

I got sun to admit this about security patches.
They say they are looking into it.
i thik i'll call em up today and nag em some more!

FIXED in 4.1.2
100075 - lockd
100125 - telnet
100173 - NFS jumbo
100188 - TIOCCONS
100244 - mail/rmail
100251 - expressav
100305 - lpr/lpd

NOT FIXED in 4.1.2

100100 - sendmail [I think this was fixed in 4.1.1? --ckd]
100103 - file perms
100184 - sv_xv_sel_svc
100185 - motd in /etc/rc.local ?
100296 - exports line > 255
100383 - rdist

MAY OR MAY NOT BE FIXED IN 4.1.2!
100376 - sparc integer division [this is in the list of things fixed --ckd]

there is also a NEW one in OPENWIN 3.0

100448 - loadmodule
================
From: gds@la.TIS.COM (Greg Skinner)
To: ckd@eff.org

>Also, what ports need to be blocked on a cisco to stop NFS traffic
>in/out of a network?

Here's ours:

access-list 135 deny udp 0.0.0.0 255.255.255.255 192.5.49.0 0.0.0.255 eq 2049
================
From: "(Alain Brossard EPFL-SIC/SII)" <brossard@sasun1.epfl.ch>

In /etc/rc.local, motd is still chmod 666,
in /etc/rc, a umask 022 at the beginning is useful

whois is still pointing to sri-nic.arpa
while it should be:

    perl -pi.FCS -e 's/sri-nic.arpa/nic.ddn.mil\\0/i' whois
================

Many thanks to all who replied, particularly John Blasik
<john@mlb.semi.harris.com> and Alain Brossard <brossard@sasun1.epfl.ch>.

Respondents:
ivan@durras.anu.edu.au (Ivan Dean), Fuat Baran <fuat@ans.net>,
casper@fwi.uva.nl (Casper H.S. Dik), Steve Lodin
<deaes!swlodin@iuvax.cs.indiana.edu>, s5udtg@fnma.com (Doug Griffiths),
cordis1_490!gls ( Gary Schaps x2157), dpw@kate.as.utexas.edu (David
Way), Ari.Ronkainen@vtt.fi (Ari Ronkainen - VTT), ohnielse@ltf.dth.dk
(Ole Holm Nielsen), "(Alain Brossard EPFL-SIC/SII)"
<brossard@sasun1.epfl.ch>, syd@dsinc.dsi.com (Syd Weinstein),
steve@uunet.uu.net (Steve D. Miller), Mike Raffety <miker@sbcoc.com>,
john@mlb.semi.harris.com (John M. Blasik), jallen@nersc.gov (John
Allen), gds@la.TIS.COM (Greg Skinner), oliver@ast.saic.com (Thomas W
Oliver), jumper@spf.trw.com (Greg Jumper), dupuy@hudson.cs.columbia.edu
(Alexander Dupuy).



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:36 CDT