Re: Root PATH shares writable path with users
02-02-2010 09:09 AM
Root's PATH is set as
PATH=/usr/sbin:/sbin:/root:$PATH
I would like to clean up root's PATH so that this security problem is fixed. However, I am worried that removing "$PATH" from root's profile will cause software/programming problems (and I would prefer not to have to copy everything into root's profile and then have to remember to edit it every time a program change is made).
The options I am seeing are:
1. Edit root's PATH to exclude $PATH, include what is needed from /etc/PATH, and try to keep it up-to-date
2. Edit each user's PATH and remove the questionable path from /etc/profile (the questionable path is set in /etc/profile, not /etc/PATH). Obviously a long and painful process.
In either case, it looks like I would need to take it out of /etc/profile and either put it in each user's .profile or in /etc/PATH.
I'm sure there is a better way to go. Any ideas? Thanks
02-02-2010 09:12 AM
Re: Root PATH shares writable path with users
Can you explain this?
Hope this helps!
Regards
Torsten.
__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
02-02-2010 09:21 AM
Re: Root PATH shares writable path with users
The standard root '.profile' declares:
# PATH=/usr/sbin:$PATH:/sbin:/root
...which, in part, is based on what '/etc/profile' builds using '/etc/PATH'. Since '/etc/PATH' should only be *readable* the problem of security shouldn't exist.
If you mean that '/etc/profile' is writable by any user, then yes, you have a security hole.
Regards!
...JRF...
02-02-2010 09:21 AM
Re: Root PATH shares writable path with users
Clean up /etc/PATH so that it only has what is absolutely required for all users.
Set up whatever you need for root in root's .profile file.
If particular users need something other than the normal path, set that up in their own .profile.
02-02-2010 09:30 AM
Re: Root PATH shares writable path with users
Inside /etc/profile, we have such...
export PATH=$PATH:/misc/writablepath:/usr/local/bin
Root should not need access to the /misc/writablepath and, from what I understand, should not have /usr/local/bin in its PATH either.
02-02-2010 09:47 AM
Re: Root PATH shares writable path with users
> Root should not need access to the /misc/writablepath and, what I understand, should not have /usr/local/bin in its PATH either.
Then you need to clean up '/etc/profile' to eliminate this world-writeable directory. Modify the *users'* '.profile' as necessary to add the required directory to their PATH in *their* profile.
You are correct, '/usr/local/bin' should not be present in root's PATH either, but this directory should only be executable by non-root users so you, the administrator, control its contents.
Regards!
...JRF...
02-02-2010 10:03 AM
Re: Root PATH shares writable path with users
02-02-2010 10:33 AM
Re: Root PATH shares writable path with users
> thousand of users .profiles :(
But if "/etc/profile" is a script, and if
(some variant of) "whoami" works, then why
couldn't it do different things for different
users?
Why couldn't it do permission checks on a
directory before adding it to PATH (for some
particular user(s))?
As usual, many things are possible.
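The per-user logic suggested in the post above, sketched as an /etc/profile fragment. This is an added example, not code from the thread: the function names `dir_is_world_writable` and `build_path_for` are hypothetical, the directories in the usage comment are the ones quoted earlier in the thread, and the permission test assumes `ls -ldL` prints the mode string first.

```sh
# Added example (POSIX sh) for an /etc/profile fragment; not from the thread.
# Function names are hypothetical.

# Succeeds (returns 0) when $1 is a directory that "other" can write to.
dir_is_world_writable() {
    # ls -ldL follows symlinks; the 9th character of the mode string is
    # the other-write bit (drwxrwxrwx or drwxrwxrwt).
    mode=$(ls -ldL "$1" 2>/dev/null) || return 1
    case $mode in
        d???????w*) return 0 ;;
    esac
    return 1
}

# Print the PATH for numeric user id $1, starting from base PATH $2.
# Remaining arguments are optional directories: root never gets them,
# and other users get them only if they exist and are not world-writable.
build_path_for() {
    uid=$1
    result=$2
    shift 2
    if [ "$uid" -ne 0 ]; then
        for dir in "$@"; do
            if [ -d "$dir" ] && ! dir_is_world_writable "$dir"; then
                result=$result:$dir
            fi
        done
    fi
    printf '%s\n' "$result"
}

# Intended use inside /etc/profile (directories as quoted in the thread):
#   PATH=$(build_path_for "$(id -u)" "$PATH" /misc/writablepath /usr/local/bin)
#   export PATH
```

With this check in place a world-writable directory is skipped for every user, not only for root, until its permissions are corrected.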
02-02-2010 12:54 PM
Solution
# - world-writable paths
# - duplicate paths
# - non-existent paths or paths that are not directories
# - paths that are symlinks
# - : at end of $PATH, :.: or :: in PATH
A world writable path is /tmp for example. NEVER have a world-writable path included in $PATH for any user. Doing so allows Trojan and other rogue scripts to be accidentally run.
NOTE: HP supplies a lot of useless paths in the default /etc/PATH. Many refer to non-existent software packages and tools. A good sysadmin puts only the paths needed by ordinary users in /etc/PATH.
Then in /etc/profile (I'm assuming no scummy csh users are on the system) the PATH value is established for root separately from ordinary users. For instance, /usr/sbin and /usr/lbin should only be in root's PATH. Similarly, specialized applications like Sybase and Oracle, etc. need additional environment changes but these should not be global for every user. root probably needs slightly different database paths than a normal user.
Once /etc/PATH has been checked by scan-path, then the current $PATH variable is checked.
A very long PATH is a big security risk -- keep it short for everyone. Users can add their own paths to $PATH as needed in $HOME/.profile
And good scripts NEVER use the current value of $PATH. Always start a script with:
export PATH=/usr/bin
and then add on as required by the script.
Bill Hassell, sysadmin
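A minimal checker for the five conditions listed at the top of the post above. It is an added example written for this page, not the scan-path script the post refers to; the function name `audit_path` and the finding labels are hypothetical, and /etc/PATH is assumed to hold a single colon-separated line.

```sh
# Added example (POSIX sh), not the scan-path script mentioned in the post.
# audit_path (hypothetical name) prints one finding per line for a
# PATH-style string and returns non-zero if anything was reported.
audit_path() {
    found=0
    # A leading or trailing ':' or an embedded '::' is an empty entry,
    # which the shell treats as the current directory.
    case $1 in
        :*|*:|*::*) echo "EMPTY-ENTRY"; found=1 ;;
    esac
    seen=:
    rest=$1:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}      # text before the first ':'
        rest=${rest#*:}      # text after the first ':'
        if [ -z "$dir" ]; then continue; fi
        if [ "$dir" = . ]; then
            echo "CURRENT-DIR ."; found=1; continue
        fi
        case $seen in
            *":$dir:"*) echo "DUPLICATE $dir"; found=1; continue ;;
        esac
        seen=$seen$dir:
        if [ -h "$dir" ]; then echo "SYMLINK $dir"; found=1; fi
        if [ ! -d "$dir" ]; then
            echo "NOT-A-DIRECTORY $dir"; found=1; continue
        fi
        # ls -ldL follows symlinks; character 9 of the mode is other-write.
        mode=$(ls -ldL "$dir" 2>/dev/null) || continue
        case $mode in
            d???????w*) echo "WORLD-WRITABLE $dir"; found=1 ;;
        esac
    done
    return "$found"
}

# Typical use: audit the system default first, then the live value.
#   audit_path "$(cat /etc/PATH)"
#   audit_path "$PATH"
```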
02-03-2010 01:11 AM
Re: Root PATH shares writable path with users
If things are working correctly, if you install a product, it gets added and when you remove the product, it gets removed from /etc/PATH.