1
2   This file contains a list of most of the security warnings that you
3might see while using the COPS system.  Not included here are messages
4that you may receive from the Kuang system and the ftp checker.  For
5help on using those tools, read the appropriate documentation on each
6of those ("kuang.doc" and "ftp.1".)
7
8   First, I'll define some arbitrary terms which I'll use when describing
9any problems you may encounter, then I'll list the messages, what they may
10mean, and how you can change your system to eliminate any danger posed.
11Some almost identical warnings were eliminated from the list; however
12most warnings should have an analogous entry that is very close syntactically
13to it in this file.  All messages in COPS are prepended by "Warning!";
14this has been excluded here for brevity.
15
16   There may be more than one way to overcome any problem listed here.  If
17you are unsure about whether to change a problem, try looking at some of
18the references listed at the end of the technical report (cops.report) for
19more information on how an attacker may compromise your system.  Some of
20the more dangerous security holes include writable directories and key files
21(such as /etc/passwd), root owned SUID files writable to world or that give
22a root shell, null passwords, and writable files that are executed by root.
23They are more or less aranged in like groups (all the writable files/dirs/
24whatever in one part, etc.)
25
26   Don't take everything that COPS says as gospel!  What may be a serious
27security hole on one machine may not be on your own, and vice-versa.
28However, the more you value the information on your machine, the more you
29should be concerned about security.
30
31  Some terms I'll use:
32xyz           -- An arbitrary number.  Usually a line number in a file.
33foo_file      -- stands for a file you might see in your warning message.
34foo_file2     -- Same as "foo_file", stands for a different file than the
35                 first (used when two filenames are needed in one message.)
36foo_dir       -- a typical directory.
37Group file    -- /etc/group or the yellow pages group.  If the warning starts
38                 with "Group", it is the former, "YGroup" is the latter.
39foo_group     -- either /etc/group or ygroup.
40Password file -- /etc/passwd or the yellow pages password.  If the warning
41                 starts with "Password", it is the former, "YPassword" refers
42                 to the latter.
43foo_pass      -- either /etc/passwd or ypasswd.
44cron_file     -- will be either /usr/cron or
45                 /usr/spool/cron/crontabs/foo_file.
46foo           -- anything that doesn't fit above.  Usually an arbitrary
47                 name, or group name, or whatever.
48bar           -- As "foo", if more than one name is needed in one message.
49foo_bar       -- As "foo", if more than two names are needed in one message.
50
51
52  WARNING MESSAGES
53  -----------------
54
550)
56foo_file is _World_ writable!
57foo_file is group readable!
58
59   This simply means that a file is world writable; e.g. Anyone can modify
60or delete this file.  This can be especially bad if the file can (even
61indirectly) give root access, such as the system password file, "/etc/passwd".
62   To fix, type:
63        chmod a-w foo_file
64This removes write access for group "all/world".
65
661)
67foo_file (in cron_file) is World writable!"
68File foo_file (inside root executed file foo_file2) is _World_ writable!"
69File foo_file (in /etc/rc*) is _World_ writable!"
70
71   Similar to the above messages, but potentially more serious.  Files
72in this group are being used by root, and either being utilized as input,
73output, or for execution.  Examine the file they are inside and see how
74it is being used.  Files being executed are the most dangerous because
75if they are changed, the new file gets executed with root privileges.  Input
76files are next, because changing them can alter what the executing program
77does and cause undesirable side affects.  Even output files can be dangerous,
78however, because they may be used as an output or even as a program file
79later on.
80   To fix, either delete the reference to foo_file inside the
81cron/rc*/foo_file2/whatever file, or type:
82        chmod a-w foo_file
83to remove write access for group "all/world".
84
852)
86Directory foo_dir is _World_ writable!
87
88   This simply means that a directory (or it's parent directories) is world
89writable; e.g. Anyone can delete this directory, as well as mess with the
90files and subdirectories inside of it.  For instance, if /usr/spool is world
91writable, even if cron is not writable, this is a problem, because the cron
92directory can be replaced and new crontab files put in (which all run with
93root privileges.)  As a general rule, if you wish to have a file or
94directory secure, all directories that are parent directories must be secure.
95   To fix, type:
96        chmod a-w foo_dir
97            and/or
98        chmod a-w [foo_dir's parent directory]
99This removes write access for group "all/world".
100
1013)
102Directory foo_dir is _World_ writable and in roots path!
103
104   This is the same as (2), but the directory was found to be in the
105path variable set either in /.login or /.profile.  This is a bad thing
106because if it is writable, a trojan horse can be placed there, and
107root will execute the command.  See also (23).
108
1094)
110Duplicate Group(s) found in foo_group:
111
112   This means that one or more duplicate group names have been found.
113This is mostly a system accounting problem; when adding or deleting names
114from a group you will have problems.
115   To fix, remove all but one instance of each group in your /etc/group file.
116
1175)
118Group foo_bar has duplicate user(s):
119
120   Similar to (4), a group has the same user listed more than once.  If
121all instances of the user is not deleted, they probably will remain with
122their old privileges.
123   To fix, remove all but one instance of a user in each group of your
124/etc/group file.
125
1266)
127Group file, line xyz, non-numeric group id: foo
128
129   Group id's must be numeric.  Testing a non-numeric id will give
130unpredictable results.
131   To fix, change the old id to a valid group id.
132
1337)
134Group file, line xyz, is blank
135
136   To fix, remove all blank lines.
137
1388)
139Group file, line xyz, does not have 4 fields: foo
140
141   More trouble.  Testing of one or more of the groups will result
142in invalid results, depending which is the missing field(s).
143   To fix, ensure group has four valid fields.
144
1459)
146Group file, line xyz, nonalphanumeric user id: foo
147
148   As (6).
149   To fix, change the old id to a valid group id.
150
15110)
152Group file, line xyz, group has password: foo
153
154   To fix, change the old password to an asterisk ("*").
155
15611)
157Password Problem: Guessed:    foo    shell: bar    passwd: foo_bar
158
159   If an account has a guessed password, it is susceptible to other password
160guessing programs (the one in COPS is rather crude and slow).  Obviously, if
161the password is known, the account is compromised.
162   To fix, either have the user change her/his password or change it yourself.
163
16412)
165Password Problem: null passwd:    foo    shell: bar
166Password file, line xyz, no password:     foo
167
168   If an account has no password, anyone can log into the account at will.
169   To fix, either have the user change her/his password or change it yourself.
170
17113)
172Duplicate uid(s) found in foo_passwd:
173
174   This is a problem, especially if the accounts have different permissions
175or privileges.  When the user's account is deleted, one or more accounts may
176remain active.
177   To fix, simply delete all but one occurrence of the users account.
178
17914)
180Password file, line xyz, user foo has uid = 0 and is not root    bar
181
182   Ideally, no one but root should have uid = 0.  Anyone with uid=0 is
183superuser, for all purposes.  Occasionally, a maintenance account has
184uid=0, or perhaps a small group of administrators.  Be very careful!
185   To fix, change the uid from 0 to some other valid number.  If the
186account or person really needs root privileges, have them su to the root
187account so you can keep track of who is using root.
188
18915)
190Password file, line xyz, nonalphanumeric login:     foo
191
192   Another maintenance problem.  Someone's been messing with the password
193file, or you have some bugs in your software that fools around with it.
194   To fix, delete or change the login to a valid login.
195
19616)
197Password file, line xyz, invalid login directory:     foo
198User foo's home directory bar is not a directory!
199
200   A user has a non-existent or invalid login directory listed in the password
201file.  Sometimes these are maintenance accounts, but it is discouraged.
202Examine the account to see if it should really exist.
203   To fix, either delete the account or put in a valid login directory.
204
20517)
206Password file, line xyz, nonnumeric group id:     foo
207Password file, line xyz, nonnumeric user id:     foo
208
209   A user has a invalid user or group id.  Dangerous if, when checked, it
210translates to invalid number (who knows what would happen), or worse yet, 0.
211   To fix, change the field to a legal, numeric value.
212
21318)
214Password file, line xyz, negative user id: foo
215
216   A user id is negative.  This is most common with user name "nobody",
217and with an id of "-2".  This can be dangerous, especially if you are running
218a Sun, with 4.xx SunOS.  It is uncertain if it is dangerous for other
219versions or machines.  Changing it to 32767 is the usual course of action.
220
22119)
222Password file, line xyz, does not have 7 fields:     foo
223
224   Dangerous, because when a program checks for a field value it will come
225up with who knows what.
226   To fix, ensure all fields have legal values.
227
22820)
229Password file, line xyz, is blank
230
231   To fix, delete all blank lines.  This can be very bad, because a blank
232line can give a uid=0 account with no password.
233
23421)
235NFS file system foo exported with no restrictions.
236
237   Anyone can mount the file system.  May or may not be a problem, but
238look over closely, if you value ANY of the info on it!
239   To fix, put in a valid list of hosts that may mount it.
240
24122)
242Root's umask set to xyz
243
244   If root's umask is set incorrectly, any files that it creates will be
245have bad permissions (e.g. world writable if 000, x00, or xy0).
246   To fix, put a "safe" value; 077 or whatever.
247
24823)
249"." (or current directory) is in roots path!
250
251   Trojan horses traditionally play upon having the current directory in
252a users path.  A bad user will put a trojan horse with a the same name as
253a common system command ("ls" is a favorite) and place it in a location that
254s/he thinks might be executed.  When the trojan horse is executed, it will
255not only execute the command, but will also either steal your account
256privileges or have your account perform some action that they desire.
257
25824)
259A "+" entry in foo_file!
260
261   Host.equiv files specify which machines are equivalent; e.g., user foo on
262another machine listed in your hosts.equiv can log in as user foo onto your
263machine.  A "+" means your machine trusts everyone (I trust no one :-)), which
264is usually not desired, at least in these troubled times.  Sun, in it's
265infinite stupidity, makes this the default on all of it's machines.
266
267   To fix, either remove the "+", put in your own list of trusted machines,
268or delete the file.
269
27025)
271rexd is enabled in foo_file!
272
273   This can allow commands to be excecuted remotely.  (foo_file is usually
274/etc/inetd.conf, of course.)
275
276   To fix, comment it out of foo_file (put a "#" sign in front of the line.)
277
27825)
279User foo's home directory foo_dir is mode xyz!
280
281   If a user's home directory is writable, you have the same problems as (3),
282except all of the user's files are in jeopardy this time.
283
284   To fix, type:
285        chmod a-w foo_dir
286
28726)
288User foo: .bar is mode xyz!
289
290   In this case, ".bar" stands for one of the user's initialization files,
291such as .login, .profile, .exrc, ect.  If the user's file is world writable,
292then anyone can modify that file, and whenever the user logs in or executes
293a command (such as "vi", when referring to ".exrc"), they will execute
294whatever commands the bad girl/boy wants them to.
295
296   To fix, type:
297        chmod a-w foo_file
298
29927)
300tftp is enabled on foo_host!
301
302   This means that people can steal your password file remotely, and run
303a password cracking program on it.  Bad news, unless you _really_ have great
304password security, or you're running shadowpasswords.  But even then, they
305can still steal any world readable file on your system.
306
307   To fix, comment out (put a pound sign ("#") in the front of the line)
308tftp -- usually a line in your /etc/inetd.conf file.
309
31028)
311uudecode is enabled in foofile!
312
313   If the decode mail alias is a valid mail address, people can mail to it,
314and create files on your system.  If the uudecode is SUID root, or something
315equally insane, it can overwrite any file.
316
317   To fix, comment out the alias in your (usually /usr/lib/alias) mail alias
318file.
319
32029)
321uudecode creates setuid files!
322
323   A common problem, it seems.  Uudecode should not create any kind of
324special files; if combined with (30), you can create hidden SUID files,
325perfect for an attacker.  If combined with (28), then it can be an even
326worse remote attack.
327
32830)
329uudecode is suid!
330
331   Worse and worse.  If this is true, then you can create files that are
332owned by whomever it is SUID to.
333
334   To fix, just make it non-suid.  If it has to be suid for some unknown
335reason, make it SUID to user nobody, or guest, or something relatively
336inoccuous, even though it won't be.
337
33831)
339ROOT owned SUID file foo_file is type: foo_type!
340
341   No root owned SUID file should be anything other than an executable
342binary; however, since this test depends on the "file" command, it may get
343confused, especially when using NFS, since, for example, a Sun won't recognize
344a MIPS executable binary as such.  In any case, examine all SUID root files
345*very* carefully.  And under *no* circumstance should it be a shell script.
346No, no, no.
347
34832)
349User: foo SUID file is type: foo_type!
350
351   As (31), but possibly less severe.
352
35333)
354foo should be in /etc/ftpusers!
355/etc/ftpusers should exist!
356
357  Problems 33-42 deal with ftp and anonymous ftp setup.  All system
358accounts (root, bin, etc.) should be in /etc/ftpusers, to prevent them
359from using ftp.
360
36134)
362Need user foo for anonymous ftp to work!
363
364  ("foo" usually means "ftp", BTW.)  For anonymous ftp to work, it
365needs this login to exist in the password file.
366  To fix, remove all but one instance of a user in each group of your
367
36835)
369Home directory for ftp doesn't exist!
370ftp's home directory should not be "/"!
371
372  The home directory for ftp, found in the password file, should exist
373and should *not* be "/".  Make it some innocuous place on the file
374system where you can keep an eye on things and dump/store stuff without
375causing any damage.
376
37736)
378~ftp/etc/passwd and /etc/passwd are the same!
379~ftp/etc/group and /etc/group are the same!
380
381  Login names, passwords, and such should be kept hidden from the
382average anonymous ftp browser.  Do *not* put your password/group
383files in the ~ftp/etc directory; if you must have the actual user
384names in the file, then at least star out (put an asterix ("*") in
385place of the encrypted password) the password entry.
386
38737)
388File foo_file is missing (anon-ftp setup)!
389
390  Some critical file is missing, such as the password or group file.
391On some versions of ftpd, this is not a problem, and on others, it
392will simply not work.
393
39438)
395foo_file should be owned by foo_user or bar_user!
396
397  If key files and/or directories are owned by the wrong user, then
398trouble can happen.  For instance, if ftp's home directory is owned
399and/or writable by ftp, then anonymous ftp users can insert .rhosts
400and .forward files to cause mischief.
401  To fix, chown the files to root.
402
40339)
404~ftp should be mode 555!
405
406  Unless ftp's home directory is owned by root, no one should be
407able to write on this directory (if root owns this, it can be
408mode 755.)
409
41040)
411~ftp/.rhosts should be be empty!
412
413  There is usually no good reason to let user "ftp" trust other sites.
414If any .rhosts file exists, it should be empty.
415
41641)
417Incorrect permissions on foo_file in foo_dir!
418
419  Certain files (the password file, etc.) should be set to be readable
420to all, but writable by root.  Other files must be executable, etc.
421This flags any abberations in the setup.
422
42342)
424Anon-ftp directory foo_dir is World Writable!
425
426  If a directory is kept open for an "incoming" upload/downloads,
427it is a good idea to keep the directory unreadable by all, and that it
428should not hold other "trusted" software in that same directory, else
429a normally "safe" program could be overwritten with a trap door,
430virus, whatever.
431
432