
non-compliant

 
gogleboy
Occasional Advisor

non-compliant

The files listed below are referenced in a startup file. These files are group writable AND owned by a non-privileged group. This is a security problem because anyone with group access can modify the files. Files referenced in startup files are executed (or read) by the root account on system startup. Anyone with group access can replace these files and have them executed (or read) by root the next time the system boots. So how can I fix this and go from non-compliant to compliant?

File name:
/sbin/init.d/autosys: -rwxrwxr-x: autosys

Thanks
Nanda
6 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: non-compliant

Hi:

Use Google.

...JRF...

Re: non-compliant

well one would have thought that

chmod 755 /sbin/init.d/autosys

would fix it

but if you don't understand what the command above means, you shouldn't be even a junior admin of a UNIX box...

HTH

Duncan

TTr
Honored Contributor

Re: non-compliant

> These files are group writable AND owned by a non-privileged group. This is a security problem...

So isn't the fix obvious?

Re: non-compliant

>/sbin/init.d/autosys: -rwxrwxr-x: autosys

Who is the owner and group of the file?
What fileset contains this file? Is it delivered by HP? What OS version do you have?
swlist -l file | grep /autosys

You may want to use "swverify \*" to see if already broken?

>Duncan: chmod 755 /sbin/init.d/autosys

I would go even further:
chmod a-w /sbin/init.d/autosys

Olivier Masse
Honored Contributor

Re: non-compliant

While I don't see why a startup script should be group-writable, there might be an obscure reason for this. For example, maybe an admin wanted to be able to edit parameters in the script without becoming root. That's indeed a security risk, but if you're unsure, you'd better not mess with it without reviewing what the script does first.

This might be something related to CA's autosys which is an enterprise job scheduler, so chances are you have a support contract with CA. I suggest you check with them to have an official answer.

Good luck

Re: non-compliant

>Olivier: maybe an admin wanted to be able to edit parameters in the script without becoming root.

I would hope that rc script parms would be in /etc/rc.config.d/ and changed with ch_rc(1M).
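
The check and fix discussed in this thread, as an added example that is not from any poster or from HP: POSIX shell functions that list startup scripts writable by group or other, report their mode, owner and group for review, and then remove only those write bits. The function names are hypothetical; `/sbin/init.d` is the directory from the original post.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not an HP-UX or CA tool.

# Print every regular file under $1 that group or other can write to.
list_writable_startup_files() {
    dir=${1:-/sbin/init.d}
    find "$dir" -type f \( -perm -020 -o -perm -002 \) -print
}

# Report each flagged file with mode, owner and group so it can be reviewed
# before anything is changed. Returns 1 if any file was flagged, else 0.
audit_startup_dir() {
    dir=${1:-/sbin/init.d}
    flagged=$(list_writable_startup_files "$dir")
    [ -z "$flagged" ] && return 0
    echo "$flagged" | while IFS= read -r f; do
        ls -ld "$f" | awk -v f="$f" \
            '{print "NON-COMPLIANT: " f " mode=" $1 " owner=" $3 " group=" $4}'
    done
    return 1
}

# Remove group/other write from flagged files only (e.g. 775 -> 755),
# leaving the owner's bits and all execute bits untouched.
remediate_startup_dir() {
    dir=${1:-/sbin/init.d}
    list_writable_startup_files "$dir" | while IFS= read -r f; do
        chmod go-w "$f" && echo "fixed: $f"
    done
}

# Constructed demo in a scratch directory, never the real /sbin/init.d.
demo() {
    tmp=${TMPDIR:-/tmp}/startup-audit.$$
    mkdir -m 700 "$tmp" || return 1
    touch "$tmp/autosys" "$tmp/cron"
    chmod 775 "$tmp/autosys"    # same mode as the file in the post
    chmod 755 "$tmp/cron"
    audit_startup_dir "$tmp" || true
    remediate_startup_dir "$tmp"
    audit_startup_dir "$tmp" && echo "compliant"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the audit first and read the reported owner and group before remediating, since a script may have been left group-writable on purpose.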