topic Re: Stickybit Configuration on HP-UX 11.23 in Operating System - HP-UX

Stickybit Configuration on HP-UX 11.23

apple — Thu, 15 Nov 2007 06:55:55 GMT

Dear HP-UX Gurus,
I heard that our operators can shutdown server by not using our root id. It can behave like the root to shutdown the server by configuring the shutdown file as sticky bit file. but i just don't know how can i do this.. which shutdown file to set? please helppp. Hope to hear from you. Thank you.
-Finas-

Re: Stickybit Configuration on HP-UX 11.23

Dennis Handly — Thu, 15 Nov 2007 07:01:32 GMT

>I heard that our operators can shutdown server by not using our root id.

Yes, see shutdown(1M) and /etc/shutdown.allow.
The sticky bit is only needed on the executable.

Re: Stickybit Configuration on HP-UX 11.23

apple — Thu, 15 Nov 2007 07:05:52 GMT

I don't really understand high level technical language. would really appreciate you can guide me with example. Many thanks in advance
I promise of good points.:)

Re: Stickybit Configuration on HP-UX 11.23

Robert-Jan Goossens — Thu, 15 Nov 2007 07:12:46 GMT

Hi Fanas,

Create a file called /etc/shutdown.allow
# vi /etc/shutdown.allow
root server_name
user server_name
:wq
# chmod 400 /etc/shutdown.allow

Chane the "user" and "server_name" into the desired user and your system name.

Regards,
Robert-Jan

Re: Stickybit Configuration on HP-UX 11.23

Dennis Handly — Thu, 15 Nov 2007 07:16:42 GMT

>I don't really understand high level technical language.

I just said read the shutdown man page. It discusses the file /etc/shutdown.allow, which you can add other user IDs.
http://docs.hp.com/en/B2355-60130/shutdown.1M.html

Or:
$ man 1m shutdown

Re: Stickybit Configuration on HP-UX 11.23

Ivan Krastev — Thu, 15 Nov 2007 07:20:22 GMT

If you want more than 'shutdown' install and configure SUDO.

regards,
ivan

Re: Stickybit Configuration on HP-UX 11.23

apple — Thu, 15 Nov 2007 07:23:12 GMT

where is the sticky bit?
do we have to change the file permission to sticky bit?
I found this example:
Use a stickybit so that only owner of the file will be able to delete the file.

Set the basic permission
#chmod 766

After that

#chmod u+t ( Sticky bit )

After setting stickybit the permissions can be viewed as follows.

-rwxrw-rwT 1 root sys 1276 Jul 12 2002 xyz

Huhuh. I confuse now. I heard with sticky bit on the shutdown file, the operator login to the server using operator id but can perform shutdown when execute the shutdown file. Please englighten me...

Re: Stickybit Configuration on HP-UX 11.23

Robert-Jan Goossens — Thu, 15 Nov 2007 07:31:59 GMT

Hi Finas,

No need to set the sticky bit on the shutdown executable, the shutdown.allow file is enough.

Regards,
Robert-Jan

Re: Stickybit Configuration on HP-UX 11.23

Dennis Handly — Thu, 15 Nov 2007 07:36:07 GMT

>Robert-Jan: No need to set the sticky bit on the shutdown executable

More correctly, the bit IS already set, otherwise shutdown.allow won't work.

Re: Stickybit Configuration on HP-UX 11.23

James R. Ferguson — Thu, 15 Nov 2007 07:53:22 GMT

Hi:

> The sticky bit is only needed on the executable.

It is NOT the sticky bit that is set on '/sbin/shutdown'. It is the 'setuid' bit.

When set, a non-owner of the executable who runs the executable runs it with the same effective user-id as the owner. For example, if 'shutdown.allow' is configured to allow user "finas" to shutdown a server, then when "finas" runs 'shutdown' his/her effective uid is 'root', because the SETUID bit is set and the executable file is owned by 'root'.

Please see the 'chmod(1)' and 'chmod(2)' manpages for more information.

When you configure '/etc/shutdown.allow' be sure to include 'root' along with your aother users. For example:

myserver1 root
myserver1 finas

The manpages for 'shutdown(1M)' document the use of this file, as noted.

Regards!

...JRF...
'

Re: Stickybit Configuration on HP-UX 11.23

Srikanth Arunachalam — Thu, 15 Nov 2007 07:59:35 GMT

Hi,

Plz see the definition of sticky bit in simple terms.

The â Sticky Bitâ is a permission bit that can be set on either a file or a directory.

If it is set on a file, then that file will remain in memory after execution, thus â stickingâ in memory. This is useful when running a multi-user program (such as a bulletin board system that I ran once) to make the program execute faster for the next user. This was a common programming tactic earlier in the history of computer programming when speed and disk space were at a premium.

If the sticky bit is set on a directory, only the owner of files in that directory will be able to modify or delete files in that directory - even if the permissions set on those files would otherwise allow it.

It executes from user and behaves as it executing from the root

Thanks,
Srikanth

Re: Stickybit Configuration on HP-UX 11.23

apple — Fri, 16 Nov 2007 06:20:05 GMT

If the shutdown.allow is set as such a way:
-rwxrw-rwT 1 root sys 1276 Jul 12 2002 shutdown.allow

How does it works and affect the owner, group and other permission??? would it be better for the security of the file.
in what case and files are we really recommended to use this sticky bit.
happy to read your respond, technical and excellent

Re: Stickybit Configuration on HP-UX 11.23

Dennis Handly — Fri, 16 Nov 2007 06:32:20 GMT

>If the shutdown.allow is set as such a way:
-rwxrw-rwT 1 root sys

The sticky bit should not be set (probably doesn't matter) nor should the file be writable to everyone. Nor should the data file be executable. Change to 644.

>in what case and files are we really recommended to use this sticky bit.

As JRF corrected, it is the SUID bit on the shutdown executable that does the work.

Re: Stickybit Configuration on HP-UX 11.23

James R. Ferguson — Fri, 16 Nov 2007 08:50:07 GMT

Hi (again):

> in what case and files are we really recommended to use this sticky bit.

For FILES, setting the 'sticky' bit (which when set shows as "t" or "T") in the mode listing, is really only meaningful for executable files. The idea is that the text (code instructions) of an executable file will be left in swap space when the process represented by the executable file terminates. This is supposed to lead to a faster startup of a new process when a new user executes the same file.

For files that are not executables (code) the sticky bit has no meaning.

For DIRECTORIES, setting the 'sticky' bit for the DIRECTORY adds a certain security to the FILES within. When set for a directory, files in that directory can only be removed or renamed by their *owner* of the file; the owner of the directory or, of course, by the 'root' user.

Lastly, you will encounter the 'sticky' bit set on certain symbolic links (notably '/bin' and '/lib'. This is a special setting called a "transition link". Transition links are really just symbolic links established with a special utility called "tlinstall'. They appeared during the transition from HP-UX 9x to HP-UX 10.0 when the layout of the Unix filesystems were redrafted.

If you are interested in that history, see this document:

http://docs.hp.com/en/5963-8942/index.html

Regards!

...JRF...

Re: Stickybit Configuration on HP-UX 11.23

Sp4admin — Fri, 16 Nov 2007 09:09:53 GMT

The forum has spoken!

just create the shutdown.allow file and you and make the needed entry and you should be to go. It's also a good idea to read the man page to get a better understanding.

sp,

Re: Stickybit Configuration on HP-UX 11.23

apple — Sun, 18 Nov 2007 21:32:08 GMT

Thanks a lot Gurus. :)