topic Re: security in Operating System - HP-UX

security

John Forbes — Tue, 04 Jun 2002 05:57:33 GMT

How can i restrict ordinary users form executing commands in /usr/sbin? I'm running hp-ux 10.20.

Re: security

Michael Tully — Tue, 04 Jun 2002 06:07:18 GMT

Hi,

There are two ways:

The first and most simplest method is to remove the path from either the 'users' .profile or the systems /etc/profile. The second and a little more drastic method is to change the permissions on the programs in /usr/sbin to be '550'. Doing so may cause one or more of your applications to collapse, but it is worthwhile at least testing.

Cheers
Michael

Re: security

U.SivaKumar_2 — Tue, 04 Jun 2002 06:10:22 GMT

Hi,
There are executables which are already secure
in /usr/sbin which can be run only as root.
eg. gated , sendmail
r-xr-xr-x 1 2 bin 995328 Oct 27 1997 /usr/sbin/gated
Still you can use chmod command to set your own
privileges.
#man chmod
regards,
U.SivaKumar

Re: security

Peter Kloetgen — Tue, 04 Jun 2002 06:25:27 GMT

Hi John,

you can take sbin out of PATH for normal users, but this does NOT disable the commands for them! They still can use absolute pathes to get the commands to work:

/usr/sbin/whatever_command

will work....

To prevent all normal users, you have to change permissions on /usr/sbin, using the chmod- command:

chmod -R 550 /usr/sbin

Allways stay on the bright side of life!

Peter

Re: security

John Forbes — Tue, 04 Jun 2002 07:25:16 GMT

i'm also thinking of the same way, to change the permissions, but kind of hesitant so i posted the question. thanks for your responses.

Re: security

harry d brown jr — Tue, 04 Jun 2002 11:29:24 GMT

John,

The best way is to keep users out of shells and into there applications, that way they can't execute squat! Really, the only users who should be allowed into shells, are System Admin's and DBA's - on production machines.

Don't forget that some /usr/sbin commands are links to /sbin and /usr/lbin.

live free or die
harry

Re: security

Steven Sim Kok Leong — Tue, 04 Jun 2002 12:52:51 GMT

Hi,

Setting the correct permissions is the cleanest way to go about restricting.

Apart from permissions, some other methods include:

1) setting ACL (access control lists) for the commands in /usr/sbin. You can restrict only superuser and daemons' access to /usr/sbin etc.

man setacl (for JFS) or man chacl (for HFS) for more information.

2) use chroot to create a virtual root which prevents the user in this virtual root directory from accessing the real /usr/sbin.

man chroot for more information.

3) restrict what your users can do via restricted sam. Restricted sam allows you to limit users to specific scripts or commands. It also allows you to specify which users can run what programs with specific user's (can be another user's) privileges.

man sam for more information.

Hope this helps. Regards.

Steven Sim Kok Leong