topic HP-UX 11.0 security problem in Operating System - HP-UX

HP-UX 11.0 security problem

Vinu Neelakandhan — Fri, 03 Aug 2001 11:09:36 GMT

When I am trying to login to one of the servers (on which Medusa is installed), it gives the following error messages :

---------------------------
[KQ#root]/root/home/root > su - testVN01
setgroups: Not owner
setgroups: Not owner
su: Unable to initialize group access list
[KQ#root]/root/home/root >
[KQ#root]/root/home/root > su - oracle
setgroups: Not owner
setgroups: Not owner
su: Unable to initialize group access list
[KQ#root]/root/home/root > su - testrv
su: Invalid ID
[KQ#root]/root/home/root > pwget |grep testrv
testrv:7d6kZH3vbpyvQ,O.9M:5905:205:SystemTester Ravi BH,TMD,x16497,:/home/testrv:/usr/bin/ksh
[KQ#root]/root/home/root > pwget |grep -E 'ora|test'
oracle:Mfw7In06a27s6:8801:101:,,,:/opt/app/oracle/product/8.0.6:/usr/bin/ksh
testrv:7d6kZH3vbpyvQ,O.9M:5905:205:SystemTester Ravi BH,TMD,x16497,:/home/testrv:/usr/bin/ksh
[KQ#root]/root/home/root > login oracle
Password:
Unable to set uid/gid
Connection closed by foreign host.
vinu-hpsgnru:/home/vinu>
------------------------------
Any clues as to the reason for this behaviour would be appreciated.

Re: HP-UX 11.0 security problem

John Payne_2 — Fri, 03 Aug 2001 13:48:39 GMT

Bastian:jjp /etc/default# man setgroups
Reformatting entry. Wait... done

setgroups(2) setgroups(2)

NAME
setgroups - set group access list

SYNOPSIS
#include

int setgroups(int ngroups, const gid_t *gidset);

DESCRIPTION
setgroups() sets the group access list of the current user process
according to the array gidset. The parameter ngroups indicates the
number of entries in the array and must be no more than NGROUPS_MAX,
as defined in .

Only super-user can set new groups by adding to the group access list
of the current user process; any user can delete groups from it.
RETURN VALUE
Upon successful completion, setgroups() returns 0; otherwise it
returns -1 and sets errno to indicate the error.

ERRORS
setgroups() fails if any of the following conditions are encountered:

[EPERM] The caller is not super-user and has attempted to
set new groups.

[EFAULT] The address specified for gidset is outside the
process address space. The reliable detection of
this error is implementation dependent.

[EINVAL] ngroups is greater than NGROUPS_MAX or not
positive.

[EINVAL] An entry in gidset is not a valid group ID.

AUTHOR
setgroups() was developed by the University of California, Berkeley.

I have never had this problem or tried this, but here is a post in the tech. knowledge base:
PROBLEM
su command as non root user returns:
setgroups: Not owner
su: unable to initialize group access list.
RESOLUTION
/etc/passwd, /usr/bin/login, & /usr/bin/su are 755
Changed them to 4555 to get the suid bit set.
/etc/group is bin bin, should be root sys

Hope it helps...

Re: HP-UX 11.0 security problem

linuxfan — Fri, 03 Aug 2001 15:23:28 GMT

Hi Vinu,

The errors your are seeing of "setgroups: Not owner" are being seen because of incorrect permission for the /usr/bin/su and /usr/bin/login executables. Make sure /usr/bin/su and /usr/bin/login are owned by user "root" and group "bin" and permissions are -r-sr-xr-x (4555).
To change the permissions do a (as root)
chmod 4555 /usr/bin/su
chmod 4555 /usr/bin/login

-HTH
I am RU