________________________________________________________________________________

                  Silicon Graphics Inc. Security Advisory

        Title:   Visual Serial Port Manager for IRIX 4.x
        Number:  19941001-01-P
        Date:    October 5, 1994
________________________________________________________________________________

Silicon Graphics provides this information freely to the SGI community for its
consideration, interpretation and implementation. Silicon Graphics recommends
that this information be acted upon as soon as possible. Silicon Graphics will
not be liable for any consequential damages arising from the use of, or failure
to use or use properly, any of the instructions or information in this Security
Advisory.
________________________________________________________________________________

A vulnerability has been discovered in the visual administration tools of the
IRIX 4.x operating system, specifically /usr/lib/vadmin/serial_ports, and on
some systems running the IRIX 5.x operating system that have not replaced or
removed all the 4.x administration tools. The visual administration tools in
IRIX 5.x, specifically /usr/Cadmin/bin/cports, etc., do not have this
vulnerability.

SGI Engineering has investigated this issue and recommends the following steps
for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
done on ALL SGI systems running IRIX 4.x and 5.x. The issue will be permanently
corrected in a future release of IRIX.

--- Immediate Solution ---

******************
*IRIX 4.x Steps*
******************

The following steps will limit the use of the serial_ports program to the root
user only. It is very important to understand that the root user should have
common security practices in place, including ensuring that the PATH used by
root does not include world writable directories and most definitely not "."
(the current directory).
[The path can be checked at any time by doing "echo $path" if csh, or
"echo $PATH" for ksh and sh.]

  0) Check you are doing the right steps for the right operating system level.

     % uname -a
     IRIX systemname 4.0.x ########
                     ^^^^^

     If you got a 5.x number here, then see the instructions below in the
     IRIX 5.x Steps section.

  1) Become the root user on your system.

     % /bin/su
     Password:
     #

  2) Change the permissions on the /usr/lib/vadmin/serial_ports program to
     limit use only to a person logged in as the root user. It is further
     suggested that the permissions be set root-only restrictive on all the
     4.x visual administration tools.

     # cd /usr/lib/vadmin
     # /bin/chmod 500 serial_ports
     # /bin/chmod 500 backup_restore disks networking
     # /bin/chmod 500 printers users

  3) Return to the previous user.

     # exit
     %

******************
*IRIX 5.x Steps*
******************

Since this program is not used in version 5.x of IRIX, it is recommended that
the file /usr/lib/vadmin/serial_ports and any other residual 4.x administration
tools be removed if found on a 5.x system.

  0) Check you are doing the right steps for the right operating system level.

     % uname -a
     IRIX systemname 5.x ########
                     ^^^

     If you got a 4.x number here, then see the instructions above in the
     IRIX 4.x Steps section.

  1) Become the root user on your system.

     % /bin/su
     Password:
     #

  2) In the directory /usr/lib/vadmin, remove the following 4.x programs if
     they are found in this directory.

        diskTable.h
        disks
        disks.hlp
        networking
        networking.hlp
        printers
        printers.hlp
        serial_ports
        serial_ports.hlp
        users
        users.hlp
        vadmin.hlp

     *** DO NOT REMOVE *** THESE TWO FILES

        backup_restore
        backup_restore.hlp

     # rm diskTable.h disks disks.hlp
     # rm networking networking.hlp
     # rm printers printers.hlp
     # rm serial_ports serial_ports.hlp
     # rm users users.hlp
     # rm vadmin.hlp

  3) Remove the following files if also found on a 5.x system.

     # rm /usr/sbin/systemdown
     # rm /usr/sbin/vadmin
     # rm /usr/sbin/pandora

  4) Return to the previous user.
     # exit
     %

--- Further Information/Contacts ---

For additional information or assistance, please contact your SGI support
provider. For security specific issues, mail can be sent to
security-alert@sgi.com .
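The end state the steps above are meant to produce, as an added audit helper that is not part of the SGI advisory: it reports whether the 4.x vadmin tools in a directory are restricted to the owner (the advisory's chmod 500) and, for a 5.x system, which residual 4.x files from the list above are still present. The directory is a parameter (assumed to be /usr/lib/vadmin on a real system) so it can be tried on a copy; the file names come from the advisory, the function names are my own.

```shell
#!/bin/sh
# Added audit helper, not part of the SGI advisory. Checks the end state the
# advisory's steps are meant to produce: on 4.x, the vadmin tools are mode 500
# (owner-only); on 5.x, no residual 4.x tools remain. The directory is passed
# as a parameter (assumption: /usr/lib/vadmin on a real system) so the checks
# can be run against a copy. File names come from the advisory.

# Tools the 4.x steps chmod to 500.
VADMIN_TOOLS="serial_ports backup_restore disks networking printers users"
# 4.x leftovers the 5.x steps delete (backup_restore deliberately excluded).
RESIDUAL_4X="diskTable.h disks disks.hlp networking networking.hlp printers
printers.hlp serial_ports serial_ports.hlp users users.hlp vadmin.hlp"

# Print ok / open / missing for one file. Uses the ls -l mode string so it
# works on old sh without stat(1): chars 2-10 are the nine permission bits.
vadmin_tool_state() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    mode=`ls -ld "$f" | cut -c2-10`
    case "$mode" in
        ???------) echo ok ;;       # no group or other bits: owner-only
        *)         echo open ;;     # still usable by non-root users
    esac
}

# 4.x check: report every tool; return 1 if any is still accessible to others.
check_vadmin_dir() {
    dir=$1; rc=0
    for t in $VADMIN_TOOLS; do
        s=`vadmin_tool_state "$dir/$t"`
        echo "$t: $s"
        [ "$s" = open ] && rc=1
    done
    return $rc
}

# 5.x check: print residual 4.x files still present; return 1 if any found.
list_residual_4x() {
    dir=$1; found=0
    for f in $RESIDUAL_4X; do
        [ -f "$dir/$f" ] && { echo "$dir/$f"; found=1; }
    done
    return $found
}

# On a real system, as root:  check_vadmin_dir /usr/lib/vadmin
#                             list_residual_4x /usr/lib/vadmin
```

A non-zero exit from either function means the corresponding step of the advisory still needs doing on that directory.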