<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: su set to public executable in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265246#M177632</link>
    <description>I want to leave it alone; however, according to the auditors it's a security breach. Here are the auditors' comments.&lt;BR /&gt;&lt;BR /&gt;" The su command was set to public executable, with the result that account hacking by any users using this command would not be subject to intruder lockout."&lt;BR /&gt;&lt;BR /&gt;I was thinking chmod 4550 may do the trick?&lt;BR /&gt;&lt;BR /&gt;Cheers,&lt;BR /&gt;oz</description>
    <pubDate>Sun, 02 May 2004 21:23:21 GMT</pubDate>
    <dc:creator>OzTEXS</dc:creator>
    <dc:date>2004-05-02T21:23:21Z</dc:date>
    <item>
      <title>su set to public executable</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265244#M177630</link>
      <description>Hi all,&lt;BR /&gt;&lt;BR /&gt;Just looking through our audit report and it seems our "su" command is set to public executable, which is an audit breach.&lt;BR /&gt;&lt;BR /&gt;My question is, if the attributes of su are &lt;BR /&gt;"-r-sr-xr-x", how can I change this so it's no longer public executable?&lt;BR /&gt;&lt;BR /&gt;We are running HP-UX v11.0.&lt;BR /&gt;&lt;BR /&gt;Kind Regards,&lt;BR /&gt;oz</description>
      <pubDate>Sun, 02 May 2004 19:37:27 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265244#M177630</guid>
      <dc:creator>OzTEXS</dc:creator>
      <dc:date>2004-05-02T19:37:27Z</dc:date>
    </item>
    <item>
      <title>Re: su set to public executable</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265245#M177631</link>
      <description>My first thought is that you don't want to change the execute permissions. If you remove execute permissions for all, you won't be able to su to root from a normal user login. That could cause problems in future. I'd leave it alone.&lt;BR /&gt;&lt;BR /&gt;Steven</description>
      <pubDate>Sun, 02 May 2004 20:57:18 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265245#M177631</guid>
      <dc:creator>Procnus</dc:creator>
      <dc:date>2004-05-02T20:57:18Z</dc:date>
    </item>
    <item>
      <title>Re: su set to public executable</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265246#M177632</link>
      <description>I want to leave it alone; however, according to the auditors it's a security breach. Here are the auditors' comments.&lt;BR /&gt;&lt;BR /&gt;" The su command was set to public executable, with the result that account hacking by any users using this command would not be subject to intruder lockout."&lt;BR /&gt;&lt;BR /&gt;I was thinking chmod 4550 may do the trick?&lt;BR /&gt;&lt;BR /&gt;Cheers,&lt;BR /&gt;oz</description>
      <pubDate>Sun, 02 May 2004 21:23:21 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265246#M177632</guid>
      <dc:creator>OzTEXS</dc:creator>
      <dc:date>2004-05-02T21:23:21Z</dc:date>
    </item>
    <item>
      <title>Re: su set to public executable</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265247#M177633</link>
      <description>I'd recommend you leave it alone. The 'su' binary is used by a number of items, especially scripts and many applications. I've never seen any auditing requirement in 20 years of IT that has stipulations like this. I would be getting these auditors to sign off on doing this, making it their responsibility. I would never remove this access without questioning it quite strongly, and even then, if your system falls apart by not being able to administer it properly, make sure your management know who are the guilty party. Each use of 'su' is logged into the /var/adm/sulog in any case for auditing successful and unsuccessful. The best way of typing up passwords is to change them frequently using either (man4 password) or by setting your system to trusted. You could also implement 'sudo', particularly for sys admins.</description>
      <pubDate>Sun, 02 May 2004 21:39:07 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265247#M177633</guid>
      <dc:creator>Michael Tully</dc:creator>
      <dc:date>2004-05-02T21:39:07Z</dc:date>
    </item>
    <item>
      <title>Re: su set to public executable</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265248#M177634</link>
      <description>I've read the comments from your auditors ....&lt;BR /&gt;&lt;BR /&gt;The safeguard in the 'su' program is that any account other than root requires a password to continue. Changing it can render your system useless. I would rather have the 'su' command open for use with the ability to make sure that a password is entered, rather than be able to log in as root directly. Changing it to 4550 is no good either. Is your system going to get hacked internally in your own company?? If you have the system in a DMZ for example (out in internet land) there are far better ways to secure your system.</description>
      <pubDate>Sun, 02 May 2004 21:48:51 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265248#M177634</guid>
      <dc:creator>Michael Tully</dc:creator>
      <dc:date>2004-05-02T21:48:51Z</dc:date>
    </item>
    <item>
      <title>Re: su set to public executable</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265249#M177635</link>
      <description>Hi,&lt;BR /&gt;&lt;BR /&gt;Su command has to be world executable. There is no beating around the bush with that. Do your auditors know what they are auditing and the impact in demanding things like this? Looks like this is their first experience with this kind of auditing.&lt;BR /&gt;&lt;BR /&gt;Hope this helps.&lt;BR /&gt;&lt;BR /&gt;Regds&lt;BR /&gt;</description>
      <pubDate>Sun, 02 May 2004 21:51:00 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265249#M177635</guid>
      <dc:creator>Sanjay_6</dc:creator>
      <dc:date>2004-05-02T21:51:00Z</dc:date>
    </item>
    <item>
      <title>Re: su set to public executable</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265250#M177636</link>
      <description>The purpose of su is to allow an ordinary user to gain access to another account (including root). To disable public execution rights essentially disables the command for all but root. This could seriously disable your applications if they use su (like Oracle scripts).&lt;BR /&gt; &lt;BR /&gt;However, the implication that users could launch attacks without a lockout is not correct for patched versions of HP-UX. Repeated su attempts will lock out any target account, just like telnet attacks. su will not provide the attacker with any feedback that the account was disabled. su uses PAM for authentication just like login/passwd.</description>
      <pubDate>Sun, 02 May 2004 21:55:20 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265250#M177636</guid>
      <dc:creator>Bill Hassell</dc:creator>
      <dc:date>2004-05-02T21:55:20Z</dc:date>
    </item>
    <item>
      <title>Re: su set to public executable</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265251#M177637</link>
      <description>Thanks all,&lt;BR /&gt;&lt;BR /&gt;I have sent an email to our head office admins to ask what they have their su command set at. This will give me an indication of how they have their system set up. &lt;BR /&gt;&lt;BR /&gt;Awaiting reply ....</description>
      <pubDate>Sun, 02 May 2004 21:57:37 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/su-set-to-public-executable/m-p/3265251#M177637</guid>
      <dc:creator>OzTEXS</dc:creator>
      <dc:date>2004-05-02T21:57:37Z</dc:date>
    </item>
  </channel>
</rss>

