topic Re: Lock down /var/spool/sockets/pwgr? in Operating System - HP-UX

Lock down /var/spool/sockets/pwgr?

Trever Furnish — Mon, 16 Sep 2002 15:30:50 GMT

Under HPUX 11.11 (and probably others), we have a directory, /var/spool/sockets/pwgr, which seems to hold only socket files.

All of these sockets are created world-writable. More importantly, the directory itself is world-writable, without having the sticky bit set.

I've cleaned up everything else already, removing the o+w bit from most files and directories that had it, setting the rest to sticky - but I'm not sure of the effect on this particular directory.

Can anyone provide info on that directory and how restrictive the permissions can be or how lax they have to be? I'd really prefer not to leave any world-writable directories or normal files without the sticky bit set.

Re: Lock down /var/spool/sockets/pwgr?

Rodney Hills — Mon, 16 Sep 2002 15:34:31 GMT

This topic came up recently. see-
http://search.hp.com/redirect.html?url=http%3A//forums.itrc.hp.com/cm/QuestionAnswer/1,,0xcc11543254bfd611abdb0090277a778c,00.html&qt=pwgr&hit=1

Generally it has to do with the password/group cache.

-- Rod Hills

Re: Lock down /var/spool/sockets/pwgr?

Anil C. Sedha — Mon, 16 Sep 2002 15:35:44 GMT

Hi,

I believe you should leave the permissions 777 only right now, and change the ownership to root:root.

This will resolve all your issues. Also, the applications should set a sticky bit against their own id's under this directory.

That's what i have on all of my systems.

Regards,
Anil

Re: Lock down /var/spool/sockets/pwgr?

Trever Furnish — Mon, 16 Sep 2002 15:40:43 GMT

Anil,

Setting stuff 777 is exactly what I DON'T want to do - if you have a file mode 777 it doesn't matter who owns it, anyone can write to it. That means any app that can write to /var at all can fill it completely by writing to that directory. It also means that any app can delete the files in the directory, presumably causing negative effects on whatever is using them.

On the other hand, I haven't yet read the link listed above - perhaps that will shed more light on it.

Re: Lock down /var/spool/sockets/pwgr?

Trever Furnish — Mon, 16 Sep 2002 15:44:46 GMT

The linked discussion is enough of an answer, although I'll say in passing that I think it's irresponsible of HP to ship the OS in this state in the first place. Thanks for the info, guys - I'll disable it.