
Re: SUID and SGUID

Jilan
Occasional Advisor

SUID and SGUID

Dear Gurus,

 

Currently I am implementing security controls on Unix servers. From the ISO 27001 audit report, one of the controls says: unauthorized set-UID or set-GID applications do not exist on the system.

 

Using the script, I managed to list all the files which have SUID and SGID permissions. I am not sure what the effect or impact on the system will be if I remove those permissions. Could you please advise from the files below, or refer to the attached files, and advise which files will be safe to remove SUID or SGID permissions from.

-r-s------ root sys /opt/omni/lbin/inet

-r-sr-xr-x root bin /opt/perf/bin/glance

-r-sr-xr-x root bin /opt/perf/bin/xglance

-r-sr-xr-x root bin /opt/prm/bin/prmmove

-r-sr-xr-x root bin /opt/prm/bin/prmrun

-rwsr-xr-x root bin /opt/ssh/libexec/ssh-keysign

-r-sr-xr-x root bin /usr/bin/at

-r-sr-xr-x root bin /usr/bin/bdf

-r-sr-xr-x root bin /usr/bin/chfn

-r-sr-xr-x root bin /usr/bin/chsh

-r-sr-xr-x root bin /usr/bin/crontab

-r-sr-xr-x root bin /usr/bin/df

-r-sr-xr-x root bin /usr/bin/login

-r-sr-sr-x root mail /usr/bin/mail

-r-sr-xr-x root bin /usr/bin/mediainit

-r-xr-sr-x bin sys /usr/bin/netstat

-r-sr-xr-x root bin /usr/bin/newgrp

-r-sr-xr-x root bin /usr/bin/nfsstat

-r-sr-xr-x root bin /usr/bin/passwd

-r-sr-xr-x root sys /usr/bin/privrun

-r-sr-xr-x root bin /usr/bin/rcp

-r-sr-xr-x root bin /usr/bin/remsh

-r-sr-sr-x root mail /usr/bin/rmail

-r-sr-xr-x root bin /usr/bin/su

-r-sr-xr-x root bin /usr/bin/yppasswd

-r-sr-sr-x root bin /usr/lbin/chgpt

-r-xr-sr-x bin sys /usr/lbin/fs/hfs/diskusg

-r-xr-sr-x bin sys /usr/lbin/fs/vxfs/diskusg

-r-xr-sr-x bin sys /usr/lbin/fs/vxfs5.0/diskusg

-r-sr-xr-x daemon bin /usr/lbin/grmd

-r-sr-xr-- root lp /usr/lbin/netlp.asx

-r-sr-xr-x root bin /usr/lbin/protect_pty

-r-xr-sr-x bin mail /usr/lbin/rmmail

-r-sr-xr-x root bin /usr/lbin/rwrite

-r-sr-xr-x uucp bin /usr/lbin/uucp/uucico

-r-sr-xr-x uucp bin /usr/lbin/uucp/uuclean

-r-sr-xr-x uucp bin /usr/lbin/uucp/uusched

-r-sr-xr-x uucp bin /usr/lbin/uucp/uusub

-r-sr-xr-x uucp bin /usr/lbin/uucp/uuxqt

-r-sr-xr-x lp bin /usr/sbin/accept

-r-sr-xr-x root bin /usr/sbin/acct/accton

-r-sr-xr-x root bin /usr/sbin/arp

-r-sr-xr-x root sys /usr/sbin/authadm

-r-sr-xr-x root sys /usr/sbin/cmdprivadm

-rwsr-sr-x root sys /usr/sbin/dad

-r-sr-xr-x root bin /usr/sbin/keyenvoy

-r-xr-sr-x root sys /usr/sbin/lanscan

-r-sr-xr-x root bin /usr/sbin/lpadmin

-r-sr-xr-x lp bin /usr/sbin/lpfence

-r-sr-xr-x lp bin /usr/sbin/lpmove

-r-sr-xr-x root bin /usr/sbin/lpsched

-r-sr-xr-x lp bin /usr/sbin/lpshut

-r-sr-xr-x root sys /usr/sbin/lvm_wrapper

-r-sr-xr-x root sys /usr/sbin/lvmcmd

-r-sr-xr-x root sys /usr/sbin/lvmpcmd

.......

......

......

-r-sr-xr-x root bin /var/adm/sw/save/PHCO_38682/LP2-SPOOL/usr/sbin/rlpdaemon

-r-sr-xr-x root bin /var/adm/sw/save/PHCO_38682/LP2-SPOOL/usr/sbin/rlpstat

-r-sr-xr-x root bin /var/adm/sw/save/PHCO_39365/UX2-CORE/usr/bin/login

-r-sr-xr-x root bin /var/adm/sw/save/PHCO_39367/UX2-CORE/usr/bin/passwd

-r-sr-xr-x root bin /var/adm/sw/save/PHCO_39418/SYS2-ADMIN/usr/bin/mediainit

-r-sr-xr-x root bin /var/adm/sw/save/PHCO_39690/UX2-CORE/sbin/shutdown

 ........

Regards

Jilan

Dennis Handly
Acclaimed Contributor

Re: SUID and SGUID

>advice which files will be safe to remove suid or sgid permissions.

 

Just about none of them are safe to remove; these are needed for proper system operation and so are authorized.

And these programs will no longer work for normal users if SUID root is removed.

 

If you need to prove they belong to HP-UX, you can do the following:

1) Put the list of files in a file, one per line

2) swlist -l file | grep -f the-file-list

 

Any file not showing up would be suspicious.

You could also do a "swverify \*" to make sure all files have the correct permission and checksum.

Jilan
Occasional Advisor

Re: SUID and SGUID

Dennis, thanks for the information. I just tried your suggestion and found good information.

 

I copied the files generated by the script, one after another, into one file named suid.txt and executed #swlist -l file | grep -f suid.txt. It does not show anything; it just ended up at the # prompt.

 

Later on I tried to execute swverify /* and ran the swjob, and found permission issues for some folders....

 

Just curious to know what the impact would be if I remove the SUID permission from the /var/adm/sw/save/PHXX_XXXX files, as I know the patches have already been applied to the server?

Regards

Jilan

Dennis Handly
Acclaimed Contributor

Re: SUID and SGUID

>it does not show anything ended up # prompt

 

Make sure there are no leading/trailing blanks/tabs in suid.txt. bin/bdf should be there.

 

>swlist -l file | ...

 

If you are going to do this several times, you should save the swlist output in a file.
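Dennis's swlist cross-check and his follow-up caveats (strip stray blanks, save the swlist output once) worked through as an added shell example; this is not code from the thread or from HP-UX itself. The `product.fileset: path` layout of `swlist -l file` lines, the sample paths and the `unknown_tool` binary are assumptions, and all inputs are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check a SUID/SGID candidate list
# against saved `swlist -l file` output, as the reply above describes, but with
# the whitespace pitfall handled and the inventory read from a saved file.
#
# Real use on the HP-UX host (commands from the thread):
#   find / -type f \( -perm -4000 -o -perm -2000 \) > suid.txt
#   swlist -l file > swlist_files.txt        # save once, reuse for every run
#   unregistered_suid suid.txt swlist_files.txt

# Print candidate paths from $1 that are not registered in the swlist output $2.
# Leading/trailing blanks and tabs are trimmed and empty lines skipped, since a
# stray blank breaks `grep -f` matching and an empty pattern matches every line.
# Assumption: the path is the last whitespace-separated field of each swlist line.
unregistered_suid() {
    awk '
        FNR == NR { if (NF) seen[$NF] = 1; next }   # first file: build the inventory set
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") } # second file: trim each candidate
        $0 != "" && !($0 in seen) { print }         # anything unregistered is worth review
    ' "$2" "$1"
}

# Constructed sample inputs standing in for real output; prints the directory used.
write_samples() {
    dir="${TMPDIR:-/tmp}/suid_audit.$$"
    mkdir -p "$dir"
    # Candidate list as a script might emit it: stray leading blanks, a trailing tab,
    # an empty line, and one hypothetical binary that no installed product claims.
    printf '/usr/bin/bdf\n  /usr/bin/passwd\n/usr/bin/su\t\n/opt/local/bin/unknown_tool\n\n' \
        > "$dir/suid.txt"
    # Stand-in for saved `swlist -l file` output (product.fileset: path layout assumed).
    printf '%s\n' '# constructed swlist -l file sample' \
        '  OS-Core.CMDS-MIN: /usr/bin/bdf' \
        '  OS-Core.CMDS-MIN: /usr/bin/passwd' \
        '  OS-Core.CMDS-MIN: /usr/bin/su' > "$dir/swlist_files.txt"
    echo "$dir"
}

# Demo on the constructed data: only /opt/local/bin/unknown_tool should be printed.
samples=$(write_samples)
unregistered_suid "$samples/suid.txt" "$samples/swlist_files.txt"
rm -rf "$samples"
```

Anything the check prints is not necessarily malicious (locally built software is not registered with SD-UX either), but it is the set that needs a documented owner before the audit finding can be closed.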