/etc file owner/group

Linda Card
Frequent Advisor

/etc file owner/group

We have a lot of .mrg, .proto, .new and sysconfigtab files with owner:group as bin:bin. One of our security inspectors is asking if those owner:group can be changed to root:system. I understand the .mrg, .proto etc are used during upgrades/patches. Will changing the owner:group to root:system mess things up?
3 REPLIES
Ivan Ferreira
Honored Contributor

Re: /etc file owner/group

This is a question for Ann, but I really want to know why the security inspectors want to change the owner; they should be concerned about permissions. AFAIK, no service runs as bin, but a lot run as root, so how would this benefit security?
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ann Majeske
Honored Contributor

Re: /etc file owner/group

In general, bin:bin is the standard owner:group for system files that don't have to be owned by root:system, so I don't understand why your security inspectors would want to change them. These are system files owned by one of the standard owners for system files. And as Ivan pointed out, the security inspectors really should be more concerned with the permissions on the files than the difference in owner (bin:bin vs root:system) in this case.

In most cases I doubt it would make a difference if the .mrg, .proto, and .new files were owned by bin:bin or root:system, but I don't know for sure, so I'm not going to tell you it's OK to change them.

Ann
Don Ritchey
Frequent Advisor

Re: /etc file owner/group

One thing to watch out for in changing file permissions/ownership is that the patching and installation scripts check the file permissions, ownerships, sizes and sum(1) values of files against the stored values from the inventory files (*.inv files in the /usr/.smdb. directory). We have had problems with certain patches not installing correctly or at all if the values did not match the expected values from the .inv files.

Best advice: tell the security inspectors that the system was installed with the permissions they see and it may make it difficult, if not impossible, to maintain the system with patches in the future if those ownership and group settings are changed. There are normally no users able to login with 'bin' user ID nor with 'bin' group ID. They would be better off spending time looking for users with unnecessary group access or for hidden set-UID or set-GID programs used to breach security.

As always, your mileage may vary. Check to see if your security auditors really have a clue or if they are blindly following someone else's advice.
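An added example, not from any of the posters and not Tru64's own tooling: a small POSIX sh script that records the attributes Don lists (mode, owner, group, size, sum(1)) for a set of files and later reports which of them have drifted, so an administrator can see what a proposed chown would change before a patch run rejects the files. The inventory layout is a constructed one and is not the /usr/.smdb. *.inv format; sum(1) falls back to cksum(1) where sum is absent.

```shell
#!/bin/sh
# Constructed inventory format (one line per file), not the .inv layout:
#   <mode> <owner> <group> <size> <sum> <path>

# sum(1) where available (as on Tru64); cksum(1) is the POSIX fallback.
file_sum() { { sum "$1" 2>/dev/null || cksum "$1"; } | awk '{print $1}'; }

# Print the inventory line for one file (a missing file gets a MISSING line).
inventory_line() {
  f=$1
  if [ ! -e "$f" ]; then
    printf 'MISSING - - - - %s\n' "$f"
    return
  fi
  # ls -ld fields: 1=mode 3=owner 4=group 5=size
  set -- $(ls -ld "$f")
  printf '%s %s %s %s %s %s\n' "$1" "$3" "$4" "$5" "$(file_sum "$f")" "$f"
}

# snapshot_inventory INVFILE PATH... : record the baseline for each path.
snapshot_inventory() {
  inv=$1; shift
  : > "$inv"
  for f in "$@"; do inventory_line "$f" >> "$inv"; done
}

# verify_inventory INVFILE : report every file whose attributes changed.
# Returns 0 if everything still matches the baseline, 1 otherwise.
verify_inventory() {
  inv=$1; rc=0
  while read -r mode owner group size cksum path; do
    now=$(inventory_line "$path")
    want="$mode $owner $group $size $cksum $path"
    if [ "$now" != "$want" ]; then
      printf 'MISMATCH %s\n  expected: %s\n  actual:   %s\n' \
        "$path" "${want% $path}" "${now% $path}"
      rc=1
    fi
  done < "$inv"
  return $rc
}
```

Run `snapshot_inventory /var/tmp/etc.inv /etc/sysconfigtab /etc/*.mrg` before touching ownership, then `verify_inventory /var/tmp/etc.inv` afterwards to list exactly which files a patch's inventory check would now see as changed.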