topic Re: World writable files after default HP-UX 11.11 install in Operating System - HP-UX

World writable files after default HP-UX 11.11 install

Sonny_8 — Thu, 30 Jan 2003 10:24:33 GMT

Hi All,
Is there any OS files that needs (really mandatory!) to be world writable in the unix system after a "default" installation?

This is a security-related question. Indeed, if some files NEEDS to be world writable then how to prevent any user to modify this/these file(s) and impact the system.

Thanks in advance for your help,
Regards,
Nicolas

Re: World writable files after default HP-UX 11.11 install

James R. Ferguson — Thu, 30 Jan 2003 10:38:21 GMT

Hi Nicolas:

Certainly one thing you can/should tighten immediately is the ability for anyone to delete files from the '/tmp', '/var/tmp', and 'usr/local' directories regardless of whether or not they are the owner.

To correct this, set the sticky bit on the directory. This will prevent a file's non-owner from deleting it, while allowing anyone write access to the directory and the ability for the file's owner to delete.

By example:

# chmod 1777 /tmp

Regards!

...JRF...

Re: World writable files after default HP-UX 11.11 install

Sonny_8 — Thu, 30 Jan 2003 11:01:50 GMT

Thanks for this advice JRF,
Will do that.
Rgds,
Nicolas

Re: World writable files after default HP-UX 11.11 install

F. X. de Montgolfier — Thu, 30 Jan 2003 13:14:20 GMT

Hi Nicolas,

you might want to read http://people.hp.se/stevesk/bastion11.html,
which explains how to "build a bastion host using HP-UX 11", and especially its chapter 9: "file permissions".

Basically, what they do is remove write permissions systemwide, then:
# chmod 1777 /tmp /var/tmp /var/preserve
# chmod 666 /dev/null

Notice the use of the sticky bit for the public directories...

Cheers,

FiX

Re: World writable files after default HP-UX 11.11 install

Steven E. Protter — Thu, 30 Jan 2003 13:43:38 GMT

You would probably benefit from using the Bastille tool

It lets you know what's world writeable and really should not be. security_patch_check also does a cursory analysis.

Here are links.

Bastille

https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6849AA&date=

security_patch_check

https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6834AA&date=

If you are really into security you should consider running crack against your password file in a test environment(ftp it in) and the saint system probe utility.

This toolset will really help you lock things down.

P

Re: World writable files after default HP-UX 11.11 install

Bill Hassell — Thu, 30 Jan 2003 18:58:01 GMT

World writable files? Probably none in the OS files. World writable directories: yes but with caveats: /var/tmp and /tmp need to be world writable but I would set the sticky bit as in chmod 1777 /tmp so that only owners of files can remove or rename them. Without this bit, anyone can remove or rename any file in that directory.

Additionally, all standard HP-UX installs have bad permissions on /usr/local directories. Warnings to this effect are contained in several places but the default install still leaves /usr/local directories as 777. They MUST be changed to 755 on every machine.

If you install any of the OpenView products such as node manager, then there will be a massive number of wide open directories and files in places like /etc...these will have to be fixed to prevent problems in the future.

Re: World writable files after default HP-UX 11.11 install

Nicolas Moulin_1 — Thu, 13 Feb 2003 04:23:33 GMT

Hi,

Well thanks a lot to all of you who have responded to my question. I really appreciate your support.

Each information that you have provided has been very useful to me (ie. doc "build a bastion host using HP-UX 11", Security_patch_Check and Bastille, etc..)

No doubt it could certainly help other people as well.

This is really a great forum and community.

Regards,
Nicolas