(IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS
U-1,285/DS-SIM (DCPO)

SUBJ: CONFIGURATION PROBLEMS IN THE NEXT OPERATING SYSTEM (AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM (ASSIST) 92-46)

1. DISCUSSION: ASSIST HAS BEEN INFORMED OF THREE SEPARATE CONFIGURATION PROBLEMS IN THE NEXT OPERATING SYSTEM THAT CAN AFFECT THE SECURITY OF THESE SYSTEMS.

2. PROBLEM 1 - REXD(8C), THE REMOTE PROGRAM EXECUTION DAEMON, IS ENABLED BY DEFAULT.

THE NEXT REMOTE PROGRAM EXECUTION DAEMON, REXD(8C), ALLOWS REMOTE USERS TO EXECUTE PROCESSES ON A NEXT COMPUTER. IT IS ENABLED BY DEFAULT. THE REXD SERVER PROVIDES ONLY MINIMAL AUTHENTICATION AND IS OFTEN NOT ENABLED BY SITES CONCERNED ABOUT SECURITY. NO SOFTWARE PROVIDED BY NEXT IS KNOWN TO USE REXD. THEREFORE, UNLESS YOU CURRENTLY USE THE REXD FACILITY, ASSIST RECOMMENDS THAT YOU COMMENT OUT ITS LINE IN THE INTERNET SERVICES DAEMON'S CONFIGURATION FILE (NOTE 1).

TO DO THIS, LOG IN TO YOUR NEXT COMPUTER AS THE ROOT USER. YOU SHOULD SEE A SYSTEM PROMPT THAT ENDS IN THE CHARACTER "#". EDIT THE FILE /etc/inetd.conf AND LOCATE THE LINE:

    rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rpc.rexd

THEN INSERT A POUND SIGN CHARACTER ("#") AT THE START OF THE LINE, BEFORE rexd/1, TO COMMENT IT OUT. SAVE THIS FILE AND RETURN TO THE ROOT SYSTEM PROMPT. THEN EITHER REBOOT YOUR SYSTEM (NOTE 2) OR INSTRUCT INETD TO RE-READ THE UPDATED /etc/inetd.conf BY ENTERING THE FOLLOWING COMMAND:

    kill -HUP <inetd_pid>

WHERE <inetd_pid> IS THE PROCESS IDENTIFIER OF INETD, WHICH CAN BE FOUND BY ENTERING THE COMMAND:

    ps -aux | grep inetd | grep -v grep

THE NUMBER DISPLAYED IN THE SECOND COLUMN OF THE OUTPUT IS YOUR <inetd_pid>.

3. PROBLEM 2 - THE NEXT-SUPPLIED USERNAME "me" IS A MEMBER OF THE "wheel" GROUP.

A USER WHO LOGS INTO A NEXT COMPUTER USING THE USERNAME "me" CAN USE THE SU(8) COMMAND TO BECOME THE ROOT USER. ALTHOUGH THE USER MUST STILL ENTER THE ROOT PASSWORD, ASSIST BELIEVES THAT YOU SHOULD BE AWARE OF THIS DEFAULT CONFIGURATION BECAUSE "me" IS THE ONLY USER ACCOUNT (BESIDES "root") SUPPLIED WITH A NEXT COMPUTER. (THE "me" AND "root" ACCOUNTS ARE ALSO SUPPLIED WITHOUT PASSWORDS. PLEASE ENSURE THAT YOU SET PROPER PASSWORDS ON THESE ACCOUNTS AFTER YOUR INITIAL BOOTUP.)

TO REMOVE THIS POTENTIAL PROBLEM, EDIT THE /etc/group FILE AS THE ROOT USER TO REMOVE "me" FROM THE "wheel" GROUP. CHANGE THE LINE:

    wheel:*:0:root,me

TO:

    wheel:*:0:root

AND SAVE YOUR CHANGES. YOU WILL NEED TO REBOOT YOUR NEXT COMPUTER BECAUSE THIS FILE IS ONLY READ DURING SYSTEM BOOTSTRAP.

4. PROBLEM 3 - THE "wheel" GROUP HAS WRITE PERMISSION ON /private/etc.

THE DEFAULT PERMISSIONS ON THE /private/etc DIRECTORY ALLOW ALL MEMBERS OF THE GROUP "wheel" TO REMOVE FILES FROM AND ADD FILES TO THAT DIRECTORY. NOTE: THIS DOES NOT CONSTITUTE A SERIOUS PROBLEM. TO REMOVE GROUP WRITE PERMISSION FROM /private/etc, ENTER THE FOLLOWING COMMAND AS ROOT:

    chmod g-w /private/etc

5. POINT OF CONTACT: THE ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM (202) 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY: COMMERCIAL PAGER (800) SKY-PAGE, PIN NUMBER 2133937 (FROM A TOUCH TONE PHONE, ENTER THE CALL BACK NUMBER AFTER THE PROMPT), OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT@DDN-CONUS.DDN.MIL".

UNCLASSIFIED
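THE THREE CHECKS AND FIXES IN PARAGRAPHS 2 THROUGH 4, COMBINED INTO ONE AUDIT SCRIPT. THIS IS AN ADDED EXAMPLE, NOT PART OF THE ASSIST ADVISORY OR OF NEXT SOFTWARE; IT TAKES THE inetd.conf, group FILE AND DIRECTORY AS ARGUMENTS AND RUNS HERE AGAINST CONSTRUCTED SAMPLE COPIES, AND THE FUNCTION NAMES, SAMPLE CONTENTS AND sed EDITS ARE ASSUMPTIONS.

```shell
#!/bin/sh
# Added example: audit a NeXT host for the three ASSIST 92-46 default settings and
# write fixed copies. Paths are arguments so it can run against copies of the files.

# 0 if an uncommented rexd/1 entry is present in the given inetd.conf.
rexd_enabled() {
    grep -v '^[[:space:]]*#' "$1" | grep -q '^[[:space:]]*rexd/1[[:space:]]'
}

# 0 if user $2 appears in the member list (4th field) of group $1 in group file $3.
user_in_group() {
    awk -F: -v g="$1" -v u="$2" '$1 == g { n = split($4, m, ",");
        for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$3"
}

# 0 if the directory has the group write bit set (column 6 of ls -ld output).
group_writable() {
    [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

# Prints one line per finding; returns the number of problems found (0-3).
# $1 = inetd.conf, $2 = group file, $3 = the /private/etc directory.
audit_next() {
    problems=0
    rexd_enabled "$1" && { echo "PROBLEM 1: rexd enabled in $1"; problems=$((problems + 1)); }
    user_in_group wheel me "$2" && { echo "PROBLEM 2: 'me' is in wheel in $2"; problems=$((problems + 1)); }
    group_writable "$3" && { echo "PROBLEM 3: $3 is group-writable"; problems=$((problems + 1)); }
    return $problems
}

# Writes fixed copies of inetd.conf and group from dir $1 into dir $2; clears g-w on $3.
apply_fixes() {
    sed 's|^rexd/1|#rexd/1|' "$1/inetd.conf" > "$2/inetd.conf"
    sed '/^wheel:/{s/,me$//;s/,me,/,/;}' "$1/group" > "$2/group"
    chmod g-w "$3"
}

# Constructed sample data (not copied from a real NeXT system).
SAMPLE=$(mktemp -d); FIXED=$(mktemp -d)
cat > "$SAMPLE/inetd.conf" <<'EOF'
ftp stream tcp nowait root /usr/etc/ftpd ftpd
rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rpc.rexd
EOF
printf 'wheel:*:0:root,me\ndaemon:*:1:daemon\n' > "$SAMPLE/group"
mkdir -p "$SAMPLE/etc" "$FIXED/etc"; chmod 775 "$SAMPLE/etc" "$FIXED/etc"
audit_next "$SAMPLE/inetd.conf" "$SAMPLE/group" "$SAMPLE/etc" || echo "before fixes: $? problem(s)"
apply_fixes "$SAMPLE" "$FIXED" "$FIXED/etc"
audit_next "$FIXED/inetd.conf" "$FIXED/group" "$FIXED/etc" && echo "after fixes: clean"
```

ON A REAL SYSTEM THE EDITS STILL NEED TO BE MADE TO /etc/inetd.conf AND /etc/group AS ROOT, FOLLOWED BY THE kill -HUP OR REBOOT THE ADVISORY DESCRIBES.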