topic Re: User sercurity issue in Operating System - HP-UX

User sercurity issue

Hoang Chi Cong_1 — Tue, 27 Dec 2005 02:39:37 GMT

Hi all,
I have a question, seems tradition question but I don't how to solve it now....

The question is:
I want prevent unauthorize user's permission.
For example:
There are 20 users in my system: user1, user2...user20.
Each user belong to a group. for example: group1, group 2...group20.

So how to prevent unauthorize access between these user?( delete file, change owner, change file content, remove file, remove dir....etc......?
In my system, event the user A in group operator still can delete or do any operation with files and directorys that own by user B in group dba.
I'am really stuck...
Please helps

Thanks in advance.
Hoang Chi Cong

Re: User sercurity issue

RAC_1 — Tue, 27 Dec 2005 02:46:26 GMT

Set the sticky bit on the dirs.
chmod 1777 /dir_user1 and so on.

Re: User sercurity issue

Arunvijai_4 — Tue, 27 Dec 2005 02:50:14 GMT

1) Setting up umask such that, all files and dirs have only read permission for others.

2) Sticky bit to directories.

-Arun

Re: User sercurity issue

Raj D. — Tue, 27 Dec 2005 02:53:19 GMT

Hi Cong ,

To restict other group memebers not to access/delete the files , you can set permission also , remove from the group & other field.

-rwxr--r-- : Read only/not writable for group and others.
-rwx------ : No Read no write for group and others.

Check also the ownership and group membership on those file(s)/dir(s).

Cheers,
Raj.

Re: User sercurity issue

Raj D. — Tue, 27 Dec 2005 03:00:23 GMT

Hi Cong(agian),

you can also check this link to get an idea about understanding unix permissions:

Understanding UNIX permissions :

1. http://www.zzee.com/solutions/unix-permissions.shtml

2. http://www.perlfect.com/articles/chmod.shtml

3. http://www.library.yale.edu/~lso/workstation/docs/permissions/

Hope this helps,

hth,
Raj.

Re: User sercurity issue

Hoang Chi Cong_1 — Tue, 27 Dec 2005 03:32:48 GMT

Thanks all,

To RAC: I don't like to set the sticky bit because it may dangerous...HP-UX just C2 security level :( (Just in trusted mode) but my server doens't run in trusted mode.

To Arunvijai: How to set the umask?

Each user has a big number of files and directorys.

To Raj D. :
I have tried this solution before but nothing change! The other user still can delete the file that not own!

Any idea?

Hoang Chi Cong

Re: User sercurity issue

Raj D. — Tue, 27 Dec 2005 03:40:24 GMT

Hi Cong ,

If other users still able to delete the files after setting he proper permission , seems some problem. Have you set any other permission like acl. You can check # lsacl filename

You can again check with chmod .

You can remove existing permission from dir(s) and file(s) using chmod and give a try:

# chmod go-rwx file_name
(also check the files owner and group membership)
# try deleting and check.

You can check the users primary and other group membership using # id username.

cheers,
Raj.

Re: User sercurity issue

Hoang Chi Cong_1 — Tue, 27 Dec 2005 03:52:18 GMT

Hi

Here is output when I make a example follow your hint:

<>ll
total 200
-rwx------ 1 osst dba 49208 May 12 2005 UBBCONFIG.050511
-rwx------ 1 osst dba 49208 Dec 27 15:46 tmp.txt
<>id
uid=103(osst) gid=102(dba)

<>lsacl tmp.txt
lsacl: file "tmp.txt": Function is not available (errno = 251)

-------------------------------------

<>id
uid=105(kibs) gid=103(opr)
<>ll
total 200
-rwx------ 1 osst dba 49208 May 12 2005 UBBCONFIG.050511
-rwx------ 1 osst dba 49208 Dec 27 15:46 tmp.txt
<>rm -f tmp.txt
<> --->can delete!

Thanks
Hoang Chi Cong

Re: User sercurity issue

Arunvijai_4 — Tue, 27 Dec 2005 03:54:15 GMT

Hello,

You can just set umask to every user in their profile by editing .profile
umask=022 (default)

-Arun

Re: User sercurity issue

Hoang Chi Cong_1 — Tue, 27 Dec 2005 04:04:29 GMT

Hi Arunvijai

I have just done.
Very strange: nothing change even add umask=022 in .profile file :(:(

Re: User sercurity issue

Raj D. — Tue, 27 Dec 2005 04:05:10 GMT

Hi Cong,
Looks strange though , Can you also check user osst is member of which groups.
Also if u create a new file , what permission it gets by default.

hth,
Raj.

Re: User sercurity issue

Hoang Chi Cong_1 — Tue, 27 Dec 2005 04:15:59 GMT

Hi

The osst user is member of "dba" group only. The kibs user is memner of "opr" group only.

When I create a new file, the permission is 666:
-rw-rw-rw- 1 osst dba 75 Dec 27 16:12 newfile.txt

Thanks again

Re: User sercurity issue

Arunvijai_4 — Tue, 27 Dec 2005 04:20:12 GMT

Hi Cong, When you have 666 permission, anyone can delete it. You need to set the umask to appropriate value. Check # man umask for more details.
UMASK Values
============
0400 ( a=rwx,u-r) Read by owner
0200 ( a=rwx,u-w) Write by owner
0100 ( a=rwx,u-x) Execute (search in directory) by owner
0040 ( a=rwx,g-r) Read by group
0020 ( a=rwx,g-w) Write by group
0010 ( a=rwx,g-x) Execute/search by group
0004 ( a=rwx,o-r) Read by others
0002 ( a=rwx,o-w) Write by others
0001 ( a=rwx,o-x) Execute/search by others

-Arun

Re: User sercurity issue

Arunvijai_4 — Tue, 27 Dec 2005 04:23:44 GMT

A very good link about umask,

http://www.unix.org.ua/orelly/networking/puis/ch05_03.htm

-Arun

Re: User sercurity issue

Raj D. — Tue, 27 Dec 2005 04:23:47 GMT

Cong,

Well ,

The id shows that the user is kibs and kibs is member of group "opr" group only.

But when you created a new file see the ownership of the file becomes ostt and group becomes dba.

"When I create a new file, the permission is 666:
-rw-rw-rw- 1 osst dba 75 Dec 27 16:12 newfile.txt "

Hence you are able to delete the files owning by ostt , and group dba.

check who else are member of opr group.
# cat /etc/group | egrep -i '(opr|dba)'

Also check # who am i , from logging from kibs.

Seems there is some group & membership issues,

hth,
Raj.

Re: User sercurity issue

Hoang Chi Cong_1 — Tue, 27 Dec 2005 04:30:32 GMT

sorry for my bad explain!

That file was creare under osst user right!
- Fisrt, login with osst user then create the newfile.txt
- Then I change the file's permission from 666 to 700.
- Login with kibs user and try to delete this file----> can delete it!

Re: User sercurity issue

Hoang Chi Cong_1 — Tue, 27 Dec 2005 04:37:43 GMT

<>cat /etc/group | egrep -i '(opr|dba)'
dba::102:
opr::103:

------

<>who am i
kibs pts/tc Dec 27 16:34

Please helps

Re: User sercurity issue

Raj D. — Tue, 27 Dec 2005 05:05:43 GMT

Cong,

well groups looks good.

When you are creating a file from the user: kibs , whats the permission are u getting.

Login; kibs
pw: **

# touch abc
# ls -l abc

hth,
Raj.

Re: User sercurity issue

Raj D. — Tue, 27 Dec 2005 05:06:14 GMT

Cong,

well groups looks good.

When you are creating a file from the user: kibs , whats the permission are u getting.

Login; kibs
pw: **

$ touch abc
$ ls -l abc
(it should be $, nor # as its a normal user)

hth,
Raj.

Re: User sercurity issue

RAC_1 — Tue, 27 Dec 2005 05:07:13 GMT

you are missing one important point here. the ability to delete a file does not have anything to do with perms of a file. It depends upon the perms of the directory under which that file lies. so if user has write perms to directory, he can delete files under that directory whether he has write perms to file or not.