|Applies To||RSA ACE/Server 5.0.2 (no longer supported as of 8-15-2004)|
RSA ACE/Server 4.1 (no longer supported as of 2-1-2004)
UNIX (AIX, HP-UX, Solaris)
This hot fix removes the setuid bit from the files in the ace/prog directory. It also changes the permissions on root-owned files in ace/prog, such as _aceserver_be.
Progress Vulnerability Security Fix
|Issue||RSA ACE/Server does not start after applying the Progress Database Vulnerability hot fix|
Error: "Failed to open or create sdserv.lg" appears when sdconnect start command is run
The new security hot fix sets file permissions incorrectly; for example, it makes the database files read-only. ACE/Server does not start until the file permissions are set back to their original values.
|Cause||File permissions set incorrectly in hot fix file|
|Resolution||The hot fix is available for ACE/Server v4.1 and ACE/Server v5.0 as well as later versions. If the hot fix has already been applied and ACE/Server does not start, change the file permissions as described below.|

1. After applying the hot fix, change the file permissions on the database files (run as root in the ace/data directory):

   ```sh
   cd //ace/data
   chmod 660 sdserv.*
   chmod 660 sdlog.*
   ```

   Note: The hot fix also removes the setuid bit from the files in the ace/prog directory.

2. If the hot fix has not been downloaded yet, FTP the correct version of the files from the FTP site, or edit the sdsetup script (a file in the hot fix) as shown below.

   Wrong script:

   ```sh
   cd $VAR_ACE
   if [ "$OWNERNAME" = "root" ] ; then
       "$CHMOD_EXEC" 400 sdserv.* > /dev/null 2>&1
       "$CHMOD_EXEC" 400 sdlog.* > /dev/null 2>&1
   else
       "$CHMOD_EXEC" 440 sdserv.* > /dev/null 2>&1
       "$CHMOD_EXEC" 440 sdlog.* > /dev/null 2>&1
   fi
   ```

   Change to:

   ```sh
   cd $VAR_ACE
   if [ "$OWNERNAME" = "root" ] ; then
       "$CHMOD_EXEC" 600 sdserv.* > /dev/null 2>&1
       "$CHMOD_EXEC" 600 sdlog.* > /dev/null 2>&1
   else
       "$CHMOD_EXEC" 660 sdserv.* > /dev/null 2>&1
       "$CHMOD_EXEC" 660 sdlog.* > /dev/null 2>&1
   fi
   ```

Note: The corrected version of the hot fix can be downloaded from ftp.rsasecurity.com for ACE/Server 4.1 and ACE/Server 5.0.

Note: RSA Security has recently released this hot fix to address the Progress vulnerability. RSA Security strongly recommends that customers restrict the execute permissions of all Progress executables delivered with ACE/Server to a group of administrative users. To facilitate this, RSA Security has updated the sdsetup script to implement the restrictive permissions. The command 'sdsetup -config', when run on the ACE/Server, restricts execute permissions for Progress executables to members of the "aceserver fileowner" group. RSA Security is not aware of any security breaches that have occurred as a result of this vulnerability.
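As an added check, not part of RSA's hot fix or its sdsetup script, the following POSIX shell script audits the sdserv.* and sdlog.* files in a data directory against the corrected modes (600 when the owner name is root, 660 otherwise) and applies them. The data-directory and OWNERNAME arguments and the ace_db_* function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not RSA's sdsetup script: audit and repair the mode of the
# ACE/Server database files (sdserv.*, sdlog.*) in a data directory. The
# broken hot fix left them 400/440, so sdconnect start fails; the corrected
# sdsetup uses 600 when OWNERNAME is root and 660 otherwise. OWNERNAME is
# passed as an argument, mirroring the variable sdsetup tests (assumption).

# Expected octal mode for the given ACE/Server file owner name.
ace_db_expected_mode() {
    if [ "$1" = "root" ]; then echo 600; else echo 660; fi
}

# Permission field as ls -l prints it, for comparison with ls output.
ace_db_mode_string() {
    if [ "$1" = "600" ]; then echo "-rw-------"; else echo "-rw-rw----"; fi
}

# Print "ok" if every sdserv.*/sdlog.* file in $1 has the mode expected for
# owner $2, "broken" if any does not, "missing" if no such files exist.
ace_db_perm_status() {
    dir=$1; want=$(ace_db_mode_string "$(ace_db_expected_mode "$2")")
    found=0; status=ok
    for f in "$dir"/sdserv.* "$dir"/sdlog.*; do
        [ -e "$f" ] || continue
        found=1
        have=$(ls -ld "$f" | cut -c1-10)
        [ "$have" = "$want" ] || status=broken
    done
    [ "$found" -eq 1 ] || status=missing
    echo "$status"
}

# Apply the corrected permissions, as the fixed sdsetup does; 0 on success.
ace_db_fix_perms() {
    dir=$1; mode=$(ace_db_expected_mode "$2")
    for f in "$dir"/sdserv.* "$dir"/sdlog.*; do
        [ -e "$f" ] || continue
        chmod "$mode" "$f" || return 1
    done
    return 0
}

# Stand-alone use: sh ace_db_perms.sh DATA_DIR OWNERNAME
if [ "$#" -eq 2 ]; then
    echo "before: $(ace_db_perm_status "$1" "$2")"
    ace_db_fix_perms "$1" "$2"
    echo "after:  $(ace_db_perm_status "$1" "$2")"
fi
```

Run it against the ace/data directory before starting sdconnect; a "broken" report means the 400/440 modes from the bad hot fix are still in place.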
|Legacy Article ID||a11617|