SOFTPAQ NUMBER: SP25793 PART NUMBER: N/A FILE NAME: Windows_Storage_Server_2003-KB838238.msi TITLE: StorageWorks NAS SetUID/SetGID fix VERSION: 1.0.0.0 LANGUAGE: English CATEGORY: Fix DIVISIONS: NSS PRODUCTS AFFECTED: StorageWorks NAS 1200s StorageWorks NAS 2000s StorageWorks NAS 4000s StorageWorks NAS 9000s OPERATING SYSTEM: Windows Storage Server 2003, NAS OS versions 4.0a, 4.0b, 4.0c, 4.1, 4.2 SYSTEM CONFIGURATION: All configurations PREREQUISITES: none EFFECTIVE DATE: Apr 23, 2004 ELECTRONIC DISTRIBUTION ALLOWED: Yes SOFTPAQ UTILITY VERSION: 5.x SUPERSEDES: N/A DESCRIPTION: This softpaq provides a patch for Windows Storage Server 2003. Enhancements/Fixes: Corrects the following Microsoft issue: Knowledge Base Article 838238 The issue with bit masking As a result of the Microsoft Trustworthy Computing Initiative, Server for NFS has been changed to fix a known security issue in UNIX. The bit masking in Server for NFS occurs only if the file or directory has both of the following characteristics: One or both of the following bits is set: setgid or setuid. The file or directory is group writable, or group executable, or world writable, or world executable. The situation is exploited when an intruder overwrites the binary with a Trojan horse, and then executes the binary. The binary runs with the rights of the owner, instead of running as the intruder. Some customers may find this security update problematic because the security update is different from the typical behavior of UNIX, although the typical behavior of UNIX is not specified in the Network File System (NFS) Request for Comments (RFC) 1813. Disable safe bit masking By default, safe bit masking is enabled. To disable the safe bit masking, add or modify the following registry value: HKEY_LocalMachine\System\CurrentControlSet\Services\NfsSvr\Parameters\SafeSetUidGidBits = (DWORD) 0 This registry value controls whether the setuid bit and the setgid bit are masked for security reasons. Settings for this registry value may be as follows: The default data for this registry value is 1. A value of 1 causes the bits to be masked out for security reasons. A value of 0 causes the standard UNIX behavior. This hotfix also turns off bit masking for the setuid bit and the setgid bit for directories because directories cannot be executed. Note: The Server for NFs service will need to be restarted when toggling the registry values. HOW TO USE: Install Directions: 1. Create a directory on the machine. Download the SoftPaq to that directory. The file downloaded is a self-extracting executable with a filename based on the SoftPaq Number above. 2. Execute the downloaded file and follow the on-screen instructions. Press "SpaceBar" to confirm the unpacking of files into the download directory. A directory named after the softpaq will be created containing the files. 3. After the files have been unpacked, you may delete the self-extracting file downloaded in step 1. 4. To load the patch to the server, navigate to c:\SP25793. Run the file Windows_Storage_Server_2003-KB838238.msi by double-clicking it. Follow the on-screen instructions. No reboot is required. 5. After the installation is completed, you may delete the files unpacked in step 2. Copyright 2004 HP Corporation. All rights reserved. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.