Operating System - HP-UX

Re: restrict suid and sgid permissions

 
Laurent Menase
Honored Contributor

Re: restrict suid and sgid permissions

There is RBAC on 11.31.

Otherwise, you need to make a setuid-root program which tests getuid() and, if it matches the allowed one, allows it.

Another way:
put the command you want in a directory only accessible from a group of users, then add all the users who have the right to use it in that group.

Re: restrict suid and sgid permissions

Are you on some sort of e-mail based job interview? You keep coming up with questions that seem obviously cut and pasted from a test or something.
OldSchool
Honored Contributor

Re: restrict suid and sgid permissions

" e-mail based job interview.."

if not that, then he's pulling issues directly out of a security audit or some such...
TTr
Honored Contributor

Re: restrict suid and sgid permissions

> e-mail based job interview?
> security audit

Or studying for a test and reading sample or previous test questions?
unixadmin_1
Frequent Advisor

Re: restrict suid and sgid permissions

A company audit is going on, but what exactly does the sentence below state? It's an urgent issue. Please specify with a solution and how to proceed, or else anything related to sam.


The switch user identification (SUID) and switch group identification (SGID) permissions were still used. If an SUID program were to give users unintended write access, the system would be exposed as the SUID program could be replaced by a program with a different function and be used to gain unrestricted access to root. The use of an SGID bit creates a special program, allowing an otherwise restricted user to access certain files in a predetermined way.

Recommended Action
The above list of programs should be checked to ensure that they are legitimate programs that require the powerful SUID privilege.

You should also check that:

1) Unauthorised changes have not been made to any of these programs;

2) The programs are being executed from the intended directories;

3) The associated Owner is appropriate and is not too powerful (i.e. does not have excessive permissions) for the program's function; and

4) The program's permission list does not allow write access to users who do not require it.
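
The four checks in the Recommended Action above can be scripted. The following is an added example, not code from any poster in this thread; the function names and output format are assumptions, and it uses only POSIX `find`, `ls` and `cksum`.

```sh
#!/bin/sh
# Added example: inventory SUID/SGID files and flag the conditions named
# in the audit checklist. Function names and output format are assumptions.

# mode_flags MODE PREFIX: report write bits granted beyond the owner in a
# mode string such as "-rwsrwxr-x" (6th char = group w, 9th char = other w).
mode_flags() {
    case $1 in ?????w*) printf ' %sgroup-writable' "$2" ;; esac
    case $1 in ????????w*) printf ' %sworld-writable' "$2" ;; esac
}

# audit_suid DIR: one line per SUID/SGID regular file under DIR:
#   mode owner:group path cksum=N [FLAG: ...]
# The owner:group and path columns are there for manual review (checks 2, 3).
audit_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        meta=$(ls -ld "$f" | awk '{print $1, $3 ":" $4}')
        fmode=${meta%% *}
        dmode=$(ls -ld "$(dirname "$f")" | awk '{print $1}')
        # Check 4: group/other write on the file itself, and on its parent
        # directory, where write access allows the file to be replaced.
        issues="$(mode_flags "$fmode" file-)$(mode_flags "$dmode" dir-)"
        # Check 1: record a checksum so two runs can be compared.
        sum=$({ cksum < "$f"; } 2>/dev/null | awk '{print $1}')
        printf '%s %s cksum=%s%s\n' "$meta" "$f" "${sum:-unreadable}" \
            "${issues:+ FLAG:$issues}"
    done
}

# Stand-alone use: sh suid_audit.sh /usr
if [ $# -gt 0 ]; then
    audit_suid "$1"
fi
```

Save the output of one run and `diff` it against a later run to spot changed checksums, owners or modes. `cksum` is a CRC, so it shows that a file changed but is not a cryptographic integrity check.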

Laurent Menase
Honored Contributor

Re: restrict suid and sgid permissions

once again,
if a non-root user modifies a program with SUID root set, the SUID is reset.
unixadmin_1
Frequent Advisor

Re: restrict suid and sgid permissions

Thanks a lot. I just understood the concept, but how do I restrict this to a few specific users? Please send me a clear answer for this. It's an urgent issue. Thank you.
Michael Mike Reaser
Valued Contributor

Re: restrict suid and sgid permissions

Only root can create SUID/SGID scripts owned and executable by root. So any "restrictions" on this capability would match the "restrictions" you place on access to a "#" root prompt.
There's no place like 127.0.0.1

HP-Server-Literate since 1979
Laurent Menase
Honored Contributor

Re: restrict suid and sgid permissions

# mkdir /myrestricted
# chown root:myrest /myrestricted
# chmod 550 /myrestricted
# cp /usr/sbin/id /myrestricted
# chown root:myrest /myrestricted/id
# chmod 4550 /myrestricted/id

# grep myrest /etc/group
myrest::200:laurent

# su - laurent
$ /myrestricted/id
uid=250(laurent) gid=20(users) euid=0(root) groups=200(test)

# su - toto
$ /test/id
sh: /test/id: not found.
$ ls /test
/test unreadable
$

Does this answer your question?

unixadmin_1
Frequent Advisor

Re: restrict suid and sgid permissions

Hi Laurent, please check the attachment.