Cover V11, I13


SolarisTM 9 Operating Environment Security Tips

Mark Thacker

The launch of Solaris 9TM Operating Environment (OE) brings a new level of default security to Sun systems administrators. In this article, I will explore a few of these new features with the goal of helping you create a more secured system as soon as possible. Because the features covered here are part of the standard Solaris distribution, they are fully supported and will be enhanced over time. The reference material provided in this article has been borrowed heavily from the existing Solaris 9 OE System Administration documentation as well as public whitepapers and BluePrints to which you can refer for more in-depth information.

Network Security

The following technologies will help protect your system from network-based attacks. This list is certainly not exhaustive, but it is a beginning.

The SolarisTM Secure Shell Software

The Solaris 9 OE includes a full implementation of the Solaris Secure Shell remote access protocol that is integrated with kernel (Basic Security Module -- BSM) auditing, internationalization, pluggable authentication modules (PAM), and TCP Wrappers. Secure Shell provides encryption, privacy and public key authentication of hosts and userid as a replacement for the less secure commands, such as telnet, rsh, rcp, etc. Sun's product is based on OpenSSH, but all updates and patches will be released by Sun.

So, how do you use Secure Shell software in the Solaris 9 OE? Many of the basics are already done for you. For example, the /etc/rc2.d/S89sshd creates host key for you automatically, and 128-bit encryption is already built-in using the AES, 3DES, and Blowfish cryptography algorithms. Essentially, all you need to do is to generate your own personal keys and start using the /usr/bin/ssh command. Here are some commands:

1. Generate your own public/private key pair and hit <return> to save the key into a file:

myLocalHost% ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key(/home/johndoe/.ssh/id_rsa):
2. Enter a password that you want to use to lock this key:

Enter passphrase(empty for no passphrase): <pass phrase and return>
Enter same passphrase again: <pass phrase and return>
3. The keys are saved for future use:

Your identification has been saved in /home/johndoe/.ssh/id_rsa.
Your public key has been saved in /home/johndoe/.ssh/
The key fingerprint is:
4. You are now ready to open an encrypted shell session on a remote server. Use the ssh command to start the session and choose to accept the first-time question about accepting the remote server's public key.

myLocalHost% ssh myRemoteHost
The authenticity of host 'myRemoteHost' can't be established.
RSA key fingerprint in md5 is: 04:9f:bd:fc:3d:3e:d2:e7:49:fd:6e:18:4f:9c:26
Are you sure you want to continue connecting(yes/no)? yes <return>
5. Enter the password for your public/private key (as in step 2):

Enter passphrase for key '/home/johndoe/.ssh/id_rsa': <return>
johndoe@myRemoteHost's password: <return>
Last login: Fri Jul 20 14:24:10 2001 from myLocalHost
6. You are done! You have an encrypted, secured remote session on the remote server.

Look for Sun to provide patches and enhancements to Solaris Secure Shell software and please review the Solaris 9 OE documentation for information on system-wide defaults (/etc/ssh/ssh_config and /etc/ssh/sshd_config) in Secure Shell.

TCP Wrappers

The Solaris 9 OE also includes the TCP Wrappers program, which provides a way of restricting access to TCP-based services started by the inetd process based on hostname, wildcards, and reverse DNS resolution. This is an easy way to restrict in-bound connections to your server to be from particular domains. For example, limiting FTP access to only those machines in the "" domain is done by adding an entry to the /etc/hosts.allow file. TCP Wrappers does not limit out-bound connections from your server.

In the Solaris 9 OE, all services in /etc/inet.conf are already linked to and ready for use. To begin, enable it in the inetd configuration file and restart the inetd process:

1. Edit /etc/default/inetd and change ENABLE_TCPWRAPPERS to be YES and uncomment the line:

2. Kill and restart the inetd process:

% pkill inetd
% /etc/rc2.d/S79inetsvc start
Next, configure the access control files, /etc/hosts.deny and /etc/hosts.allow. For more information on the format of these files, refer to the hosts_access(4) man page located in the new /usr/sfw/share/man directory tree (i.e., set your MANPATH to include this directory). Here is an example of limiting access to the tftpd (Trivial FTP -- used by JumpStart clients) to just the local network, while denying access to all other TCP/UDP services started by inetd:

in.tftpd: LOCAL,
Initial TCP Header Sequence Randomization
Each TCP-based connection to a server can result in a return packet with a unique number, known as a sequence number, which helps both the client and the server track the state of the connection. If a cracker could predict what the next sequence number of a packet should be, he/she could use IP spoofing techniques and send rouge packets in place of the true client or server. Obviously, this could lead to data corruption and other problems. Solaris has long had the ability to randomize the initial sequence number, and in Solaris 9 OE, this has been improved with the addition of even more randomization. The Internet standard for this technique is known as RFC 1948, and to activate the new, improved version in the Solaris 9 OE is very simple -- simply uncomment and change the value of the TCP_STRONG_ISS to in the /etc/default/inetinit file:

Platform Security

The following tools can help increase the base level of security of your Solaris platform. Again, this is not an exhaustive list, and I recommend checking the references at the end of this article for additional information before configuring anything on your production systems.

Role-Based Access Control (RBAC)

Solaris OE RBAC is derived from the industrial-strength Trusted Solaris platform, proven in the government, finance, and high-security sector for many years. It is a way of providing non-privileged users with just the power they need to get their jobs done. There are three primary distinctions between Solaris OE RBAC and other technologies, such as sudo. These include the ability to run any command as any effective or real UID and/or GID, an exposed API for checking user authorizations, and the storage of role information in the naming service (files, NIS, NIS+ and LDAP), which allows roles to follow users in the network. Additionally, RBAC is fully integrated into Solaris auditing systems, so all commands executed while a user is in a specific role are logged against that user's real userid and role name in the BSM audit system. RBAC was first introduced in the Solaris 8 OE and is more fully explained in the "RBAC in Solaris OE" whitepaper in the Solaris Whitepaper references.

To understand RBAC, you need to understand a few terms first. A role in the Solaris OE is just like a normal userid, except that it cannot be logged into anonymously; users must log in as a known user first, then assume a role through the su command or through an application that uses the RBAC API. The definition of roles is site specific and typically consists of a role name, a list of usernames assigned to that role, optional authorizations, and one or more execution profiles. A profile consists of a set of execution attributes (command name, what UID/GID to run as, etc.) and an optional set of authorizations that are checked by certain programs. Authorizations are simply a "right" that user has that can be queried by an application. For example, a user may have the authorization to create new users on the system, and that authorization will be checked by the Solaris Management Console. Finally, all of the Solaris OE RBAC information can be stored on the local server and in the naming services of NIS, NIS+, or LDAP.

Here is a quick example of what one can do with RBAC. At the very least, you will want to ensure that the "root" account cannot be logged into anonymously, even if someone were to make a mistake and allow root in via the /etc/ftpd/ftpusers file (which controls which users cannot FTP into a machine). Simply set up the root account as a role and assign it to a real user's account. For root in particular, make sure to assign this role to a userid that is located in /etc/passwd on the machine, just in case your naming service is unavailable. In an emergency, the root role can be logged into directly only in single-user mode on the physical console device.

The following files have been modified to make "root" a role, allow the local user of "thacker" to assume the root role, and to allow the user "saunders" to be the printer administrator and run printer commands without assuming a specific role.

   saunders:x:1000:10:G Saunders:/export/home/saunders:/usr/bin/sh
   thacker:x:1001:10:Mark Thacker:/export/home/thacker:/usr/bin/sh

   saunders::::type=normal;profiles=Printer Management
   thacker::::type=normal;roles=root;profiles=Basic Solaris User

/etc/security/exec_attr   (Entries already present and abbreviated here for space)
   Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
   Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
   Printer Management:suser:cmd:::/etc/init.d/lp:euid=0
   Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
   Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
   (and so forth...)
This is just scratching the surface of what the Solaris OE RBAC can do to help systema administrators. RBAC is more fully explained in the whitepaper referenced at the end of this article, in the rbac(5) man page, and in the System Administration Guide: Advanced System Administration documentation, on

Minimized Packaging

In the Solaris 9 OE, many of the networking services that were previously considered part of the "core" operating system are now in separate client and server packages and can be selectively removed from the system. This allows you to create a smaller, more customized, and less exposed install of the Solaris OE. Previously, functions such as the Telnet client and server could be disabled, but not cleanly removed from the Solaris OE. Maximum use of this facility comes when doing JumpStart installations or through the use of the SolarisTM Security Toolkit software. Management of these new packages is done through the normal Solaris pkgadd and pkgrm commands. When a network package such as the telnet server is modified on the system, entries in /etc/inetd.conf are also automatically updated as well.

Here is an example of removing the telnet server components while leaving the telnet client on the systems. Effectively, users may telnet out of a server, but no one can telnet in:

1. List the packages related to the telnet services:

% pkginfo | grep -i telnet
system     SUNWtnetc      Telnet Command (client)
system     SUNWtnetd      Telnet Server Daemon (Usr)
system     SUNWtnetr      Telnet Server Daemon (Root)
2. Second, remove the two server components:

% pkgrm SUNWtnetd SUNWtnetr
3. Try starting a telnet session to the host you are on to verify that the telnet client program is still available (no "bad command" errors), and that the telnet server is no longer running on your server:

% telnet localhost
telnet: Unable to connect to remote host: Connection refused
To restore the telnet server to the system, you will need to pkgadd the two server packages from the Solaris 9 OE media or from another distribution source (e.g., JumpStart server). Updated versions of the Solaris Security Toolkit software will take advantage of this new package granularity.

Stack Buffer Overflow Protection Per File

Buffer overflows are a far too common occurrence in the security vulnerability world, and there are ways to limit the scope of these threats. Starting with the Solaris 2.6 OE, Sun made available an option that would disable the ability of a program to execute code placed on that program's stack. This is known as a stack buffer overflow vulnerability. Execution of this code is one way crackers can gain access to processes running as root. In the Solaris 9 OE, this capability is extended to individual processes and can be compiled into the programs so that they are protected against stack buffer overflow vulnerabilities even if the system-wide switch is not turned on. Most of the core setuid-enabled applications in the Solaris 9 OE have been compiled with this feature turned on. You can also compile your own applications with this protection enabled.

To protect the entire system against stack buffer overflow conditions, edit the /etc/system file and add the following line:

set noexec_user_stack=1
The change will take effect at the next reboot.

Any program that attempts to execute code on the stack will be sent a signal and will exit, also causing the system to log the event via syslog. There is the possibility that some older, 32-bit applications may try to execute code on the stack, thus this feature is not enabled by default.

To compile your own applications to have stack buffer overflow protection enabled, simply add a linker map file during your compile or link process:

% cc -M /usr/lib/ld/map.noexstk myprogram.c

With the Solaris 9 OE, Sun has added features to help administrators create a more secured system, and I've tried to provide an overview of some of them. Certainly this article is not a comprehensive review of Solaris security, and some significant items were not discussed, such as: SunScreen 3.2, IPsec/IKE for IPv4, IPsec for IPv6, secured LDAP naming services, the SunTM Open Net Environment (Sun ONE) Directory Server 5.1 software, the SunTM Crypto Accelerator 1000 software, the Solaris Security Toolkit, Web server security, and many more. If you have yet to deploy Solaris 9 in your environment, I encourage you to try the Free Binary License for a 1 CPU system. It's a great way to test these new security tools. Also, please use the References section to get a more complete explanation of the Solaris 9 OE and Sun's security technologies.


Sun Security:

Trusted Solaris:

Security Whitepapers:

Security Services documentation:

Solaris Security Toolkit:

Enterprise Security: Solaris Operating Enviornment Security Journal, Solaris OE Versions 2.5.1, 2.6, 7, 8 by Alex Noordergraaf, et al.; ISBN# 0-13-100092-6

Mark Thacker is the Product Line Manager for Solaris Security and is responsible for ensuring that customer's needs for security are met in the Solaris Operating Environment. Mark has many previous years of multi-platform system administration and Internet services administration experience.

Sun, Sun Microsystems, the Sun Logo, Solaris, and Sun ONE Directory Server are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.