Solaris 7 3/99 Online Release Notes (SUNWrdm)

Security Vulnerability In ufsdump And ufsrestore (4132365)

A security vulnerability exists in the ufsdump(1M) and ufsrestore(1M) commands. If you have already gained access to a given Solaris system, you can exploit this vulnerability to obtain root access. Fixes for these problems are available for this release by installing patch ID 106793-01, a patch for SPARC systems, or patch ID 106794-01, a patch for x86 based systems.

If you have not yet obtained and installed the appropriate patch, you can apply the following workaround on your system.

Workaround: If you use the chmod command on the ufsdump and ufsrestore programs such that the set-uid bit is removed, the programs are then no longer vulnerable. You can remove the set-uid bit by executing the following command as root:

# chmod 0555  /usr/lib/fs/ufs/ufsdump /usr/lib/fs/ufs/ufsrestore
Some of the ufsdump/ufsrestore functionality is now only available to root, specifically having access to backup devices on the network using the rmt(1M) protocol.