_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

                       Information Bulletin

May 15, 1991, 1500 PDT                                     Number B-25

        Configuration Problems in the NeXT Operating System
_______________________________________________________________________

PROBLEM:   Three separate configuration problems exist in the NeXT
           operating system.
PLATFORM:  NeXT computers using all NeXT Software Releases through and
           including Release 2.1.
DAMAGE:    May allow unauthorized or unintended access to system
           resources.
SOLUTIONS: Implement the configuration modifications described below if
           warranted by the needs of your operational environment.
______________________________________________________________________

CIAC has been informed of three separate configuration problems in the
NeXT operating system that can affect the security of these systems:

1. rexd(8C), the remote program execution daemon, is enabled by default.

   The NeXT remote program execution daemon, rexd(8C), allows remote
   users to execute processes on a NeXT computer, and it is enabled by
   default. The rexd server provides only minimal authentication and is
   often not enabled by sites concerned about security. No software
   provided by NeXT is known to use rexd. Therefore, unless you
   currently use the rexd facility, CIAC recommends that you comment
   out its line in the Internet services daemon's configuration file
   (note 1).

   To do this, log in to your NeXT computer as the root user. You
   should get a system prompt that ends in the character "#". Edit the
   file /etc/inetd.conf and locate the line:

       rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rpc.rexd

   Then insert a "#" character before rexd/1 to change the line to:

       #rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rpc.rexd

   Save the file and return to the root system prompt.
   Then either reboot your system (note 2) or instruct inetd to re-read
   the updated /etc/inetd.conf by sending it a hangup signal:

       kill -HUP pid

   where pid is the process identifier of inetd, which you can find by
   entering:

       ps -aux | grep inetd | grep -v grep

   The number displayed in the second column of the output is the pid.

2. The NeXT-supplied username "me" is a member of the "wheel" group.

   A user who logs into a NeXT computer as "me" can use the su(8)
   command to become the root user. Although that user must still enter
   the root password, CIAC believes you should be aware of this default
   configuration because "me" is the only user account (besides "root")
   supplied with a NeXT computer. (The "me" and "root" accounts are also
   supplied without passwords. Please ensure that you properly password
   these accounts after your initial bootup.)

   To remove this potential problem, edit the /etc/group file as the
   root user and remove "me" from the "wheel" group. Change the line:

       wheel:*:0:root,me

   to

       wheel:*:0:root

   and save your changes. You will need to reboot your NeXT computer
   because this file is only read during system bootstrap.

3. The "wheel" group has write permission on /private/etc.

   Default permissions on the /private/etc directory allow all members
   of the group "wheel" to remove and add files in that directory. CIAC
   does not consider this a serious problem by itself, but there is no
   reason for group members to be able to alter the system
   configuration directory without the root password. To remove group
   write permission from /private/etc, enter the following command as
   root:

       chmod g-w /private/etc

_____

1  This modification is unnecessary in releases earlier than 2.0
   because the program invoked by inetd via this configuration file
   (/usr/etc/rpc.rexd or /usr/etc/rexd) is not preloaded on versions
   earlier than 2.0 (exception: Version 0.9; please call us for more
   information about this version). You may nevertheless want to make
   this modification to assure yourself or other system managers that
   rexd is disabled.
2  The change specified in item 2 of this bulletin also requires a
   reboot. Therefore, if you intend to implement that modification as
   well, you need to reboot only once after all changes are applied.

For additional information or assistance, please contact CIAC:

   Kenneth L. Pon
   (415) 422-1783 or (FTS) 532-1783
   pon@cheetah.llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@cheetah.llnl.gov. Send FAX messages to
(415) 423-0913 or (FTS) 543-0913.

The Computer Emergency Response Team/Coordination Center (CERT/CC) and
Alan Marcum provided some of the information contained in this
bulletin.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product
endorsement purposes.
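The three configuration changes in this bulletin, carried out on copies of the files and followed by audit checks, as an added example that is not part of the CIAC bulletin. It assumes a POSIX sh whose sed, awk, grep and ls behave as on a modern system (the NeXT 2.1 userland of 1991 is assumed to accept the same expressions); the sample inetd.conf and group contents are constructed for the demonstration, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the CIAC bulletin: apply the bulletin's three
# configuration changes to COPIES of the files, then audit the result, so
# the edits can be reviewed before /etc/inetd.conf and /etc/group are
# replaced and inetd is HUPed or the system rebooted.
# Assumption: sed/grep/awk/ls behave as on a modern POSIX system; the
# NeXT 2.1 tools are assumed to accept the same expressions.

# Item 1: comment out the rexd service so inetd no longer starts rpc.rexd.
# Reads the inetd.conf given as $1 and prints the edited copy to stdout.
disable_rexd() {
    sed 's|^rexd/|#rexd/|' "$1"
}

# Item 2: drop "me" from the wheel group's member list, whether it is
# listed first, last, in the middle, or as the only member. Other groups
# (and other members of wheel) are left untouched. Prints the edited copy.
remove_me_from_wheel() {
    sed -e '/^wheel:/s/,me,/,/g' \
        -e '/^wheel:/s/,me$//' \
        -e '/^wheel:/s/:me,/:/' \
        -e '/^wheel:/s/:me$/:/' "$1"
}

# Item 3: remove group write permission from the directory given as $1.
fix_private_etc_mode() {
    chmod g-w "$1"
}

# Audit checks. Each returns 0 (true) when the recommended state holds.
rexd_disabled() {
    ! grep -q '^rexd/' "$1"
}

me_not_in_wheel() {
    # Fourth field of the wheel line is the comma-separated member list.
    ! awk -F: '$1 == "wheel" { print $4 }' "$1" | tr ',' '\n' | grep -qx 'me'
}

not_group_writable() {
    # In "ls -ld" output the 6th character of the mode string is the
    # group write bit ("drwxrwxr-x" -> "w").
    [ "$(ls -ld "$1" | cut -c6)" != "w" ]
}

# Demonstration on constructed sample files (not real NeXT files).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'ftp stream tcp nowait root /usr/etc/ftpd ftpd' \
        'rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rpc.rexd' \
        > "$dir/inetd.conf"
    printf '%s\n' 'wheel:*:0:root,me' 'staff:*:20:me' > "$dir/group"
    mkdir "$dir/private_etc" && chmod 775 "$dir/private_etc"

    disable_rexd "$dir/inetd.conf" > "$dir/inetd.conf.new"
    remove_me_from_wheel "$dir/group" > "$dir/group.new"
    fix_private_etc_mode "$dir/private_etc"

    rexd_disabled "$dir/inetd.conf.new" && echo "rexd: disabled" \
        || echo "rexd: STILL ENABLED"
    me_not_in_wheel "$dir/group.new" && echo "wheel: me removed" \
        || echo "wheel: me STILL PRESENT"
    not_group_writable "$dir/private_etc" && echo "private/etc: g-w applied" \
        || echo "private/etc: STILL group-writable"
    rm -rf "$dir"
}

demo
```

The edit functions write to stdout rather than in place so the diff against the live file can be inspected first; the audit functions are what you would keep running after a reboot or software reinstall, since a NeXT upgrade may restore the default inetd.conf and group files.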