Problem Note 4201: Potential security exposure for sites that have installed the spawner
programs (objspawn or sastcpd)
** THIS USAGE NOTE ONLY PERTAINS TO SAS 8.0 and 8.1 **
The problem was addressed and corrected in release 8.2
Sites that have installed either of the SAS spawner programs "sastcpd"
or "objspawn" could be exposing themselves to a security breach.
The potential for a security breach exists only if either the sastcpd or
the objspawn executable (which would be installed in the
!SASROOT/utilities/bin directory) has the following file ownership
and permission settings:
-rwsr-xr-x 1 root techsup 304001 Apr 26 2000 objspawn
-rwsr-xr-x 1 root techsup 73925 Apr 26 2000 sastcpd
If either the permissions or the ownership of the files is different
from these, then there is no exposure.
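The check described above can be scripted as a small POSIX shell audit. This is an added example, not part of the SAS note or of SAS software; the function names and the directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SAS code): flag sastcpd/objspawn when they match the
# exposed state in this note, i.e. owner root AND mode -rwsr-xr-x (4755).

# is_exposed OWNER MODE -> exit 0 only for the combination the note lists.
# OWNER may be the name from `ls -l` or the numeric uid from `ls -ln`.
is_exposed() {
    case $1 in 0|root) ;; *) return 1 ;; esac
    [ "$2" = "-rwsr-xr-x" ]
}

# classify_ls_line LINE -> prints "EXPOSED <name>" or "ok <name>" for one
# line of ls -l / ls -ln output. Only the first 10 characters of the mode
# field are compared, so a trailing ACL marker ("+" or ".") is ignored.
classify_ls_line() {
    printf '%s\n' "$1" | awk '{ print substr($1, 1, 10), $3, $NF }' | {
        read -r mode owner name
        if is_exposed "$owner" "$mode"; then
            echo "EXPOSED $name"
        else
            echo "ok $name"
        fi
    }
}

# audit_spawners DIR -> classifies each spawner present in DIR; returns 1
# if any is exposed. DIR is the site's <SASROOT>/utilities/bin (assumed
# to be passed in by the caller).
audit_spawners() {
    rc=0
    for f in objspawn sastcpd; do
        [ -f "$1/$f" ] || continue
        result=$(classify_ls_line "$(ls -ln "$1/$f")")
        echo "$result"
        case $result in EXPOSED*) rc=1 ;; esac
    done
    return "$rc"
}

# Run against a real directory only when one is given on the command line.
if [ $# -gt 0 ]; then
    audit_spawners "$1" || echo "exposed spawner found in $1" >&2
fi
```

Run it with the site's !SASROOT/utilities/bin directory as its only argument.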
The sastcpd spawner installs as part of SAS/Base while objspawn installs
with the SAS/Integration Technologies product. For customers who have
not installed the SAS/Integration Technologies products the only
affected file in the !SASROOT/utilities/bin directory would be sastcpd.
If neither the SAS/Connect nor SAS/Integration Technologies products are
licensed (that is, if they do not appear in the setinit.sas file), then
the recommended solution is simply to change the ownership of the
file(s) to any non-root ID and to change the permissions to 755 (it may
be necessary to log in as root to make these changes).
Further Explanation:
In order for the SAS applications that need to do userid authentication
to be able to function correctly, the spawner programs must have access
to userid and password information. For this to be granted, it is
necessary for the authentication program to run as a root process. This
can be accomplished by logging in as a root userid and then launching
the spawner program. However, in order for any userid to be able to
launch the spawner executable and still have the spawner run as a root
process, it is necessary for the ownership and permissions of the
spawner executable to be set as described above.
For customers who wish to have the convenience of being able to launch
these spawners without having to log in as root, the following hotfix is
available for download. It has been repaired so that it doesn't have
the security exposure.
Operating System and Release Information
| Product Family | Product | System | Reported Release | Fixed Release* |
| --- | --- | --- | --- | --- |
| SAS System | Base SAS | 64-bit Enabled Solaris | 8 TS M0 | 8.2 TS2M0 |
| | | Solaris | 8 TS M0 | 8.2 TS2M0 |
| | | ABI+ for Intel Architecture | 8 TS M0 | 8.2 TS2M0 |
| | | IRIX | 8 TS M0 | 8.2 TS2M0 |
| | | 64-bit Enabled AIX | 8 TS M0 | 8.2 TS2M0 |
| | | HP-UX | 8 TS M0 | 8.2 TS2M0 |
| | | 64-bit Enabled HP-UX | 8 TS M0 | 8.2 TS2M0 |
| | | Tru64 UNIX | 8 TS M0 | 8.2 TS2M0 |
| | | AIX | 8 TS M0 | 8.2 TS2M0 |

* For software releases that are not yet generally available, the Fixed
Release is the software release in which the problem is planned to be
fixed.
| Type: | Problem Note |
| Priority: | low |
| Date Modified: | 2008-02-23 16:32:01 |
| Date Created: | 2001-01-25 09:34:52 |