topic Re: pwgr in Operating System - HP-UX

pwgr

lastgreatone — Mon, 28 Oct 2002 20:45:13 GMT

I was not aware of this daemon until now. And noticed it is set to 1 /etc/rc.config.d/pwgr. All NIS services are disabled on this internet server. I have set pwgr to 0, could it have any negative impact on the server? I was concerned about the security on this server.

Re: pwgr

A. Clay Stephenson — Mon, 28 Oct 2002 20:46:27 GMT

The pwgrd daemon is used to cache logins and groupnames to speed those lookups. It's really not a security risk. If you have applications which require many, many passwd file/map lookups then you could see some small performance hit especially if you have a very large passwd file or map. Login lookups linearly search the file so search times can be quite long if the file is large.

Re: pwgr

Michael Tully — Mon, 28 Oct 2002 20:51:05 GMT

No 'pwgr' is not a security risk.
To check if you system is secure, you could install HP-UX bastille. You can get it from here:

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

Or you could look at the bastion white paper.
http://people.hp.se/stevesk/bastion11.html

Re: pwgr

Tim Maletic — Fri, 01 Nov 2002 15:00:59 GMT

If this is an Internet-facing server, and you're not looking up /etc/passwd or /etc/group info from the network (i.e., if your passwd and group lines in /etc/nsswitch.conf say "files"), then I would disable that daemon.

While pwgrd has no known vulnerabilities now, it might in the future (or it might now contain vulnerabilities known only to a few). Disable it if you don't need it.

This is also the recommendation of the Center for Internet Security's HP-UX Benchmark: http://www.cisecurity.org/bench_HPUX.html.

-Tim