topic Re: YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET! in Operating System - HP-UX

YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!

Sreenivas_1 — Wed, 01 Jan 2003 04:52:06 GMT

Hi I am trying to run some PERL script.
The file permissions are uesr1:group1 with 2500.
If i am running the script as user1 i am not getting any error. If i try to run this script the following error message is coming:
"YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!
FIX YOUR KERNEL, PUT A C WRAPPER AROUND THIS SCRIPT, OR USE -u AND UNDUMP! "

Please let me know what to be done to get rid of the above error message.

Re: YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!

Steven E. Protter — Wed, 01 Jan 2003 06:21:18 GMT

That script has security code in it and is pointing out a security flaw in your system.

If it means setuid, suid, its a program like passwd that gives temporary root access.

If you do this to the wrong proram, you might as well let the nefarious hacker drive an M1A1 Abrams tank through your system.

You need a thorough secuirty review on this system.

I'd start with security_patch_check a free utility from hp.

For a more thorough review, try Bastille, an open source port, also available from HP.

It will tune up your system rather nicely.

I do not believe your message is coming from the os, I think its coming from the script. You might want to read it, even post it up here.

Re: YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!

Patrick Wallek — Wed, 01 Jan 2003 07:06:10 GMT

Stephen is correct, that message is definitely NOT coming from HP-UX. Have a look at the PERL script itself and I can almost guarantee that you will see that message in the script somewhere.

If I saw that message, I would then inspect that script VERY VERY CLOSELY to make sure it is doing what you think it is doing as the programmer doesn't know HP-UX very well.

The clue is the "SET-ID". The correct term is SETUID scripts. Also, there is no way I know of to disable setuid scripts in the "kernel". It can be done via /etc/fstab options, but not via the kernel itself.

I personally would not trust this script at all. Just reading that message gives me a funny feeling that something may be going on with the script that you do not know about. Maybe I'm just paranoind, but aren't we, as sys admins, paid to be?

Re: YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!

Rajeev Shukla — Wed, 01 Jan 2003 07:35:01 GMT

This definately is not HPUX error. It looks like you are running some security program which is interfering from setting GID(SET-GID). Because i cant see disabling SET-ID in Kernel, because if you disable that no one would be really able to login into the system.

Rajeev

Re: YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!

Sreenivas_1 — Wed, 01 Jan 2003 08:41:09 GMT

Hi, It is not coming from the OS and also not part of the perl script. It is thrown by the PERL interprter itself. This can be seen by man. man perldiag.

Thanks
Sreenivas.