topic Re: links owned by nobody? in Operating System - HP-UX

links owned by nobody?

Ratzie — Fri, 28 Mar 2008 18:53:39 GMT

Just built hp 11.11 and I am running thru the CIS benchmarks.

I have links that are not owned by anybody...
Is this right?
We will fail our security audit on this.

5.3 FIND "UNOWNED" FILES & DIRECTORIES
------------------------------------------------
# find / \( -nouser -o -nogroup \) -print

/opt/VRTSob/jre/bin/.start_xfs
/opt/VRTSob/jre/bin/java
/opt/VRTSob/jre/bin/keytool
/opt/VRTSob/jre/bin/policytool
/opt/VRTSob/jre/bin/rmid
/opt/VRTSob/jre/bin/rmiregistry
/opt/VRTSob/jre/bin/tnameserv
/opt/VRTSob/jre/lib/PA_RISC/hotspot
/opt/VRTSob/jre/lib/PA_RISC/libmawt.sl
/opt/VRTSob/jre/lib/PA_RISC2.0/hotspot
/opt/VRTSob/jre/lib/PA_RISC2.0/libmawt.sl
/usr/obam/jre/bin/javakey
/usr/obam/jre/bin/rmiregistry
/usr/obam/X/bin/X
/usr/obam/X/lib/X11/XKeysymDB
/usr/obam/X/lib/libX11.sl
/usr/obam/server/logs

...
lrwxrwxrwx 1 4484 119 13 Mar 26 15:07 java -> .java_wrapper
lrwxrwxrwx 1 4484 119 13 Mar 26 15:07 keytool -> .java_wrapper
lrwxrwxrwx 1 4484 119 13 Mar 26 15:07 policytool -> .java_wrapper
lrwxrwxrwx 1 4484 119 13 Mar 26 15:07 rmid -> .java_wrapper
...

Re: links owned by nobody?

James R. Ferguson — Fri, 28 Mar 2008 19:01:44 GMT

Hi:

The ownership and permissions of symbolic links don't matter. It's the ownership and permissions of the object to which they point that is important.

Tell your auditors to find another concern.

You can use 'chown -h' to fix the ownership of the links if you wish.

Regards!

...JRF...

Re: links owned by nobody?

Patrick Wallek — Fri, 28 Mar 2008 19:32:14 GMT

You should really amend your find. If you want to follow the letter of the benchmark, then you should be doing:

Find unowned directories
# find / -type d \( -nouser -o -nogroup \) -print

Find unowned files
# find / -type f \( -nouser -o -nogroup \) -print

As James said, the permissions of a link is really irrelevant. If you really want to get technical, the auditors would also complain about the permissions on the link since they are '777'.

Re: links owned by nobody?

Dennis Handly — Fri, 28 Mar 2008 23:29:08 GMT

>JRF: The ownership and permissions of symbolic links don't matter.

Right.

>Tell your auditors to find another concern.

Unfortunately we had to make a patch to fix some links on 11.23 because it was mentioned that if that user was removed from the system, the links could be removed.

>Patrick:
>Find unowned directories
>Find unowned files

Rather than waste time doing two finds, you can combine them:
# find / \( -type f -o -type d \) \( -nouser -o -nogroup \)

Or probably more correctly to find evil sockets:
# find / ! -type l \( -nouser -o -nogroup \)

>auditors would also complain about the permissions on the link since they are 777.

They may be just smart enough to know that. And that would occur on other OSes but probably not those unowned links.

Re: links owned by nobody?

Ratzie — Sat, 29 Mar 2008 19:13:57 GMT

Actually, CIS benchmarks should modify the HP benchmarks.
It's unfortunate that HP/Opsware uses these benchmarks directly for their audits.

So we will continue to fail on these audits, until they modify this.

Re: links owned by nobody?

Dennis Handly — Sun, 30 Mar 2008 09:22:32 GMT

>It's unfortunate that HP/Opsware uses these benchmarks directly for their audits.
>So we will continue to fail on these audits, until they modify this.

Have you contacted the owners of /opt/VRTSob and /usr/obam so they can fix the problem?