COMMAND
powermanagement
SYSTEMS AFFECTED
Solaris 2.6 (others?)
PROBLEM
Ralf Lehmann recently found a security risk caused by
power management on Solaris 2.6. This may be the case with
previous versions too. If you are using a desktop like CDE or
OpenLook you can press the on/off button on the keyboard to
suspend the system. Suspending means that the whole kernel and
all process memory is saved to disk. If you turn on the machine,
the boot procedure realizes that the system has been suspended
and restores the kernel and the processes. Operation of the system
continues exactly where it was stopped, with one exception:
lockscreen is called to prevent unauthorized access to the just
started machine.
Here is the bug. When you reboot a suspended system you will see
a line like
Restoring system...
on your screen. After a few seconds the line disappears and the
screen is dark. Now start typing characters on the keyboard. On
a slow SPARC 5 you will have 20 to 30 seconds to enter characters.
All that input is delivered to the last active tool on the desktop
even before lockscreen can catch the input focus. It is a lot of
fun if the superuser suspended the system and the last active tool
was a shell.
Try this: shortly after the line "Restoring ..." disappears, type:
passwd -d root
or
echo + + >> /.rhosts
or any other command you like to be executed as root. You don't
have to worry about the time. On a SPARC 5 you will have a lot
of time (20 seconds). After about 20 seconds of darkness you can
see the desktop for a short moment before lockscreen is activated.
But the damage is done already.
SOLUTION
The only workaround is not to use power management with a desktop.
But who is using power management anyway?
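One check an administrator can script after reading this advisory is whether automatic suspend is still switched on in /etc/power.conf. The script below is an added example, not part of the original advisory: it assumes the power.conf(4) line format "autoshutdown idle-minutes start-time finish-time behavior", where the behavior "noshutdown" turns automatic suspend off. The advisory itself does not say whether that setting also blocks the keyboard-initiated suspend, so treat a "disabled" result as a necessary check, not as proof that the desktop can no longer be suspended; the sample configuration files are constructed here.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a Solaris-style /etc/power.conf
# for the "autoshutdown" directive. Assumed format, from power.conf(4):
#   autoshutdown <idle-minutes> <start-time> <finish-time> <behavior>
# Behavior "noshutdown" disables automatic suspend. Whether this also covers
# the keyboard power key is not stated in the advisory (assumption noted).

# power_conf_behavior FILE
#   Prints the behavior field of the last uncommented autoshutdown line,
#   or "missing" when the file has no such line.
power_conf_behavior() {
    sed 's/#.*$//' "$1" |
        awk '$1 == "autoshutdown" && NF >= 5 { b = $5 }
             END { print (b == "" ? "missing" : b) }'
}

# check_suspend_disabled FILE
#   Exit status 0 only when autoshutdown is explicitly "noshutdown";
#   anything else (enabled, or no line at all, so the default applies)
#   is reported and returns 1 so it shows up in an audit run.
check_suspend_disabled() {
    b=$(power_conf_behavior "$1")
    case "$b" in
        noshutdown) echo "$1: autoshutdown disabled"; return 0 ;;
        missing)    echo "$1: no autoshutdown line, default applies; review"; return 1 ;;
        *)          echo "$1: autoshutdown behavior '$b' leaves suspend enabled"; return 1 ;;
    esac
}

# Constructed sample files so the script runs stand-alone.
tmpdir=$(mktemp -d)

cat > "$tmpdir/power.conf.weak" <<'EOF'
# Constructed sample: suspend after 30 idle minutes, at any time of day
autoshutdown    30      9:00 9:00       shutdown
autopm          default
EOF

cat > "$tmpdir/power.conf.hardened" <<'EOF'
# Constructed sample: automatic suspend switched off
autoshutdown    30      9:00 9:00       noshutdown
autopm          default
EOF

cat > "$tmpdir/power.conf.commented" <<'EOF'
# Constructed sample: directive present only inside a comment
# autoshutdown  30      9:00 9:00       shutdown
autopm          default
EOF

rc=0
for f in "$tmpdir/power.conf.weak" "$tmpdir/power.conf.hardened" \
         "$tmpdir/power.conf.commented"; do
    check_suspend_disabled "$f" || rc=1
done
# rc is 1 here because two of the three samples are not hardened.
```

Run it as root against the real file with `check_suspend_disabled /etc/power.conf` after sourcing the functions; the comment stripping matters because a directive that is commented out falls back to the default rather than disabling anything.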