Known Security Issues in Irix
All versions:

Blank Password Accounts
The default password file that is installed by Irix, /etc/passwd, contains several accounts with blank password fields. There is no valid reason for any of the default Irix accounts to have a blank password field.

For example, on install the EZsetup account will look as follows:

EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh

The first field is the user name, and the second field is the password field; the two adjacent colons (::) denote that it is blank. For any accounts that have blank passwords, you should put a * in the password field as shown below:

EZsetup:*:992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh

Irix is not particular about how the /etc/passwd file is edited; simply use your favorite editor to modify the file, then save it.

NOTE: If you are running shadow passwords you *must* run pwconv to update the /etc/shadow file after hand editing /etc/passwd.
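A small audit script for the blank-password problem above, written as an added example for this page (it is not part of the original text or of Irix itself). It assumes only the seven-field /etc/passwd layout shown above; the sample file it builds is constructed, with the EZsetup line copied from the page and the other entries made up. It reports the accounts with empty password fields and writes a copy with * in their place for you to review before installing (after which pwconv still applies if you use shadow passwords).

```shell
#!/bin/sh
# Added example, not from the original page: find accounts with an empty
# password field in a passwd-format file and produce a locked copy.
# Assumes the seven-field /etc/passwd layout shown on the page.

# Write a constructed sample passwd file to $1. The EZsetup line is the one
# quoted on the page; the other entries are made up for this example.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:abcDEFghij123:0:0:Super-User:/:/bin/csh
EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
EOF
}

# Print the login names whose second (password) field is empty.
blank_password_accounts() {
    awk -F: 'NF >= 7 && $2 == "" { print $1 }' "$1"
}

# Copy $1 to $2 with "*" placed in every empty password field. The source
# file is left untouched so the result can be diffed before it is installed.
lock_blank_passwords() {
    awk -F: 'BEGIN { OFS = ":" } NF >= 7 && $2 == "" { $2 = "*" } { print }' "$1" > "$2"
}

# Usage on a live system (as root), then review, install, and run pwconv if
# /etc/shadow is in use:
#   blank_password_accounts /etc/passwd
#   lock_blank_passwords /etc/passwd /tmp/passwd.locked
```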
Services run out of inetd.conf
Many services under Irix are run out of inetd. The configuration file for inetd is /etc/inetd.conf. This file contains many services that are not required for a happily functioning (and secure!) Irix system. As a general rule, trimming inetd.conf down to include only the services you need (the man pages for the services can help you determine this), and replacing services like telnet and ftp with encrypted alternatives (such as kerberos or ssh), is a good idea.
To turn off services in inetd.conf, use your favorite editor to open the file, and then place a # character in front of any service you'd like to turn off. For example, to turn off ttdbserverd (a service with known vulnerability problems), you would make the line in inetd.conf that reads:

ttdbserverd/1 stream rpc/tcp wait root ?/usr/etc/rpc.ttdbserverd rpc.ttdbserverd

look like this (adding a # character to the front):

#ttdbserverd/1 stream rpc/tcp wait root ?/usr/etc/rpc.ttdbserverd rpc.ttdbserverd
When you are done trimming down inetd.conf, you can either reboot your machine or send a hangup signal to inetd. To send a hangup signal to inetd, type:

ps -ef | grep inetd

It will return something like this:

root 227 1 0 Jan 02 ? 0:00 /usr/etc/inetd

To restart the process, type kill -HUP processnumber, or in this case:

kill -HUP 227

Inetd should now restart and the services that you commented out should be turned off.
Services run out of the rc (or startup) scripts
Irix also runs many services out of its startup scripts. To see which services you are running, type:

chkconfig

You will see as output many lines such as the following:

Flag                 State
====                 =====
autoconfig_ipaddress off
autofsd              off
automount            off
desktop              on
directoryserver      off
(and many others....)
As with inetd.conf, many of these services are not required for a happy, functioning, and secure Irix system. Again, the man pages are an excellent resource for determining whether or not you need a specific service. For example, autofsd is a service with known security issues. If you find that you are running autofsd when you type chkconfig, it can be turned off as follows:

chkconfig -f autofsd off

Now when you type chkconfig, the "state" of autofsd should be listed as off.

The general format of the command (from the man page, man chkconfig) is:

chkconfig -f flag state

where flag is the service, and state is either on or off.

When you are done turning off unnecessary services, you should reboot the machine for the changes to take effect.
Objectserver
MIT has recently seen a number of attacks which exploit a previously unknown problem with the Irix objectserver. This exploit is known to work on Irix 5.2, 5.3, 6.0.1, 6.1 and 6.2, but any systems that are running the objectserver should be considered potentially vulnerable. The vulnerability allows a remote attacker to create an account on the local system. One indication of a compromised machine is the presence of a "rox" user account.

There is currently no patch available from SGI that addresses this problem. To remove the vulnerability, you must turn off the objectserver. This can be done by running the following as root:

/etc/init.d/cadmin stop

Then use chkconfig to turn off the objectserver as follows:

/etc/chkconfig objectserver off

Now if you're running the directory server and such, you'd want to turn cadmin back on by typing:

/etc/init.d/cadmin start

The objectserver is required for use of some of the graphical system maintenance tasks, such as adding a user. The workaround is to start the objectserver by hand before using any of these graphical tools. As root type:

/usr/Cadmin/bin/objectserver

and give it a few minutes to start up. Once you are done, either kill the processes, or use cadmin to shut it down cleanly:

/etc/init.d/cadmin stop
/etc/init.d/cadmin start
The Web Server
While the tools to turn off the web server are the same as discussed above, it has so many known holes in it that it gets its own special section.

Irix installs a web server by default, or at least installs the service in /etc/inetd.conf by default. The lines of inetd.conf are as follows:

http stream tcp nowait nobody ?/var/www/server/httpd httpd
wn-http stream tcp nowait nobody ?/var/www/server/wn-httpd -f /var/www/conf/httpd.conf

If you do not plan on running a web server on the machine, you should comment out the http and wn-http lines in /etc/inetd.conf by putting a # in front of them, as shown below:

#http stream tcp nowait nobody ?/var/www/server/httpd httpd
#wn-http stream tcp nowait nobody ?/var/www/server/wn-httpd -f /var/www/conf/httpd.conf
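The following is an added example (not from the original page or from SGI) covering the two inetd.conf edits described on this page: the ttdbserverd one in the inetd.conf section above and the http and wn-http lines here. It assumes the inetd.conf line format and the ps -ef output format shown on the page; the sample file and ps lines it uses are constructed. It comments out a named service in a copy of the file, lists what is still enabled, and extracts inetd's process ID from ps output so that the kill -HUP step (which makes inetd re-read its configuration) can be scripted after the new file has been reviewed and installed.

```shell
#!/bin/sh
# Added example, not from the original page: comment out services in an
# inetd.conf-style file, list what is still enabled, and find the inetd pid
# from "ps -ef" output so it can be sent SIGHUP. The sample file and ps
# lines are constructed; the ttdbserverd, http and wn-http entries copy the
# lines quoted on the page, the ftp and telnet entries are made up.

# Write a constructed inetd.conf sample to the path given as $1.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
ftp stream tcp nowait root /usr/etc/ftpd ftpd -l
telnet stream tcp nowait root /usr/etc/telnetd telnetd
ttdbserverd/1 stream rpc/tcp wait root ?/usr/etc/rpc.ttdbserverd rpc.ttdbserverd
http stream tcp nowait nobody ?/var/www/server/httpd httpd
wn-http stream tcp nowait nobody ?/var/www/server/wn-httpd -f /var/www/conf/httpd.conf
EOF
}

# Print the service names of lines in $1 that are not commented out. The rpc
# "/version" suffix (as in ttdbserverd/1) is dropped so names compare cleanly.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { name = $1; sub(/\/.*/, "", name); print name }' "$1"
}

# Copy $1 to $3, prefixing with "#" every enabled line whose service name is
# $2. The original is left untouched so the result can be reviewed first.
disable_service() {
    awk -v svc="$2" '
        !/^[[:space:]]*#/ && NF > 0 {
            name = $1; sub(/\/.*/, "", name)
            if (name == svc) { print "#" $0; next }
        }
        { print }' "$1" > "$3"
}

# Read "ps -ef" output on stdin and print the pid of /usr/etc/inetd. The
# "grep inetd" line that "ps -ef | grep inetd" shows is ignored, because its
# last field is just "inetd" rather than a path ending in /inetd.
inetd_pid_from_ps() {
    awk '$NF ~ /\/inetd$/ { print $2 }'
}

# Usage on a live system (as root), after reviewing the generated file:
#   disable_service /etc/inetd.conf ttdbserverd /tmp/inetd.conf.new
#   cp /tmp/inetd.conf.new /etc/inetd.conf
#   kill -HUP "$(ps -ef | inetd_pid_from_ps)"
```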
If you do want to run the web server, you should go to the SGI web site and download the patches. There are many different root level exploits that exist in the default configuration of the CGI scripts and webdist.
Web Server Issues Specific to Irix 6.3 and higher:

The Web Server
Unfortunately, under Irix 6.3 and higher, simply turning off the web server in /etc/inetd.conf is not good enough. SGI decided to cleverly place some control files for the web server in the directory /var/config.

Before editing the files, first turn off the web server if it is actually running, by typing:

/etc/init.d/ns_admin stop
/etc/init.d/ns_fasttrack stop

Irix 6.5.x includes an additional control file, nss_fasttrack. Turn this off by typing:

/etc/init.d/nss_fasttrack stop

These control files are: ns_admin and ns_fasttrack, and nss_fasttrack (under 6.5.x). The contents of these files are the single word off or on, depending on whether or not you want the service to run.

Irix by default installs at least one of these files containing the word "on". This means that the web server will automatically start every time the machine is rebooted. Edit the files so that they contain only the word off. Then reboot the machine for the changes to take effect.
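An added example (not from the original page) that audits startup flags in the two ways this page describes: parsing chkconfig output (the rc scripts section above) for flags that are on but not in a list you expect, and checking on/off control files such as the ones under /var/config just described, then switching named control files to off. The chkconfig output, the control-file directory and the allowlist used here are all constructed for the example; replace the allowlist with the flags your machine genuinely needs, and run the /etc/init.d stop commands above before rewriting the control files.

```shell
#!/bin/sh
# Added example, not from the original page: report startup flags that are
# on, from chkconfig output and from on/off control files, and turn named
# control files off. All sample data below is constructed.

# Constructed chkconfig output in the Flag/State layout shown on the page.
sample_chkconfig_output() {
    cat <<'EOF'
        Flag                 State
        ====                 =====
        autoconfig_ipaddress off
        autofsd              on
        automount            off
        desktop              on
        directoryserver      off
        network              on
        objectserver         on
EOF
}

# Read chkconfig output on stdin and print the flags whose state is "on".
# The header lines never carry "on" in the second column, so they drop out.
flags_on() {
    awk '$2 == "on" { print $1 }'
}

# Read chkconfig output on stdin and print the flags that are on but absent
# from the space-separated allowlist $1: these are the ones to check against
# the man pages and, if unneeded, turn off with "chkconfig -f flag off".
unexpected_flags_on() {
    allow=" $1 "
    flags_on | while read -r flag; do
        case "$allow" in
            *" $flag "*) ;;
            *) echo "$flag" ;;
        esac
    done
}

# Create a constructed /var/config-style directory holding the three control
# files the page names; their contents are made up for the example.
make_sample_config_dir() {
    mkdir -p "$1"
    echo on > "$1/ns_admin"
    echo on > "$1/ns_fasttrack"
    echo off > "$1/nss_fasttrack"
}

# Print the names of control files under $1 whose content is the word "on".
control_files_on() {
    for f in "$1"/*; do
        if [ -f "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "on" ]; then
            basename "$f"
        fi
    done
    return 0
}

# Rewrite the control files named after $1 so that each contains only "off".
turn_off_controls() {
    dir="$1"; shift
    for name in "$@"; do
        if [ -f "$dir/$name" ]; then
            echo off > "$dir/$name"
        fi
    done
    return 0
}

# Usage on a live system (as root), followed by a reboot:
#   chkconfig | unexpected_flags_on "network desktop"
#   control_files_on /var/config
#   turn_off_controls /var/config ns_admin ns_fasttrack nss_fasttrack
```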
You may wish to check the web server log files to make sure that no unauthorized accesses happened while the server was running. Log files specific to the web server can be found in /usr/ns-hom/httpd-????/logs, where the ???? may correspond to the process ID, or the name of the machine that the server is running on.
Irix Log Files
General Irix logs are found in:

/var/adm/SYSLOG

Older general logs are in:

/var/adm/oSYSLOG

Logs for use of the su command are in:

/var/adm/sulog

User lastlog information can be obtained by running:

/usr/bsd/last

Old lastlog information is stored in OLDwtmp and can be read by running:

/usr/bsd/last -f OLDwtmp
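An added example (not from the original page) of reading /var/adm/sulog for failed su attempts to root, which is the kind of check the log list above is there for. It assumes the SVR4-style sulog line layout "SU MM/DD hh:mm +/- tty user-target", where + marks success and - marks failure; that layout is an assumption about Irix, so compare it with a line from your own sulog before relying on it. The sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: summarise failed su attempts to
# root from sulog-format lines. The line layout assumed here is
# "SU MM/DD hh:mm +/- tty user-target" (an assumption about Irix's sulog);
# the sample lines are constructed.

# Constructed sulog lines: one user with three failures in a row and a guest
# account that should not be trying su at all.
sample_sulog() {
    cat <<'EOF'
SU 01/02 09:14 + ttyq1 alice-root
SU 01/02 11:30 - ttyq3 bob-root
SU 01/02 11:31 - ttyq3 bob-root
SU 01/02 11:33 - ttyq3 bob-root
SU 01/03 08:02 + ttyq2 alice-root
SU 01/03 16:45 - ttyq5 guest-root
EOF
}

# Read sulog lines on stdin and print "user count" for every user with at
# least one failed ("-") su attempt to root, sorted by user name.
failed_su_to_root() {
    awk '$1 == "SU" && $4 == "-" && $6 ~ /-root$/ {
             user = $6; sub(/-root$/, "", user); n[user]++
         }
         END { for (u in n) print u, n[u] }' | sort
}

# Read sulog lines on stdin and print the users whose failed su-to-root
# count reaches the threshold $1.
su_failure_threshold() {
    failed_su_to_root | awk -v t="$1" '$2 + 0 >= t + 0 { print $1 }'
}

# Usage on a live system:
#   failed_su_to_root < /var/adm/sulog
#   su_failure_threshold 3 < /var/adm/sulog
```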
Patches for Irix are available from SGI at:

http://www.sgi.com/support/patch_intro.html

SGI seems to be maintaining a mailing list for security advisories; information on signing up is at:

http://www.sgi.com/support/security/wiretap.html