Operating System - HP-UX
Re: restrict suid and sgid permissions

 
unixadmin_1
Frequent Advisor

Re: restrict suid and sgid permissions

Hi Laurent, please check the other attachment.
unixadmin_1
Frequent Advisor

Re: restrict suid and sgid permissions

Deviation:-
The following Audit Issues Identified by the Auditor General have still not been resolved:-

The switch user identification (SUID) and switch group identification (SGID) permissions were still used. If an SUID program were to give users unintended write access, the system would be exposed as the SUID program could be replaced by a program with a different function and be used to gain unrestricted access to root. The use of an SGID bit creates a special program, allowing an otherwise restricted user to access certain files in a predetermined way. (Refer to paragraphs 22 and 23 of the SekChek report.)

22 SUID Permissions.doc - Paragraph 22 of the SekCheck report resides within this document.
23 SGID Permissions.doc - Paragraph 23 of the SekCheck report resides within this document.

Urgent Request:-
Please can you load an emergency change to ensure that the system is in compliance by ensuring that:-

1) Review the list of programs with SGID and SUID Access.
2) Verify if access is applicable.
3) Restrict SGID and SUID Access from programs that do not require this access.

Please come up with the best solution for the above; you can find the 2 attachments.
Laurent Menase
Honored Contributor

Re: restrict suid and sgid permissions

About 22:

If you want to modify the rights of all those files, then you need to contact the various support:
HP support for /var/adm
/var/adm/sw/save.. is there to back up the
previous patch state. So there is a solution, which is to remove it by running cleanup(1M),
the side effect being that you will not be able to uninstall any patch thereafter.
About the sw and vg/lvm commands, you need to contact HP support if you want to remove the SUID bit.

If you want to remove it from ping, traceroute and arp, then only the root user will be able to use them.

The alternative to such a thing is to use fine-grained privileges and RBAC.

About the fact of having write access on a SUID root file for others than root:
if this other user modifies that file, the program will lose the SUID bit.
If you need an official statement from HP about that, you will need to contact HP support.

For Informix files you need to contact Informix support,
but again, even if a non-root user writes to it to modify it, the program will lose the SUID bit.


For AMMCATATLG it is not executable
- see the S and not s - so there is no problem.

Only 1 file has other write access.

Laurent Menase
Honored Contributor

Re: restrict suid and sgid permissions

About what is said in the document:
"If an SUID program gives unintended write access to users, your system is very exposed.
This is because someone could replace the SUID program with a program that has a different function to the original and use it to gain access to root at any time."

Really I don't see how, because if that non-root user modifies that file it doesn't own, the file will lose the SUID bit, so it won't be of any use to gain any privilege.

Example:
# cat yy
echo zzz>>xx
# chown bin yy
# chmod 6555 yy
# echo yes >xx
# chown bin xx
# chmod 6777 xx
# su lp
$ ls -l
-rwsrwsrwx 1 bin sys 12 Jan 20 14:28 xx
-r-sr-sr-x 1 bin sys 14 Jan 20 14:18 yy
$ ./yy
$ ls -l
-rwxrwxrwx 1 bin sys 12 Jan 20 14:29 xx
-r-sr-sr-x 1 bin sys 14 Jan 20 14:18 yy
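The three steps in unixadmin_1's request (list the setuid/setgid programs, review them, restrict the ones that do not need the bit) and the condition Laurent's session illustrates (a setuid file that group or others can write, like xx with -rwsrwsrwx) can be scripted so the review is repeatable. The script below is an added example and not code from anyone in this thread; it uses only POSIX find, ls, chmod and cut so it should run the same on HP-UX and Linux, the directory and file names in the demo are constructed, and the demo's use of mktemp -d is an assumption (HP-UX's mktemp may not accept -d).

```shell
#!/bin/sh
# Added example (not from the thread): the audit steps as POSIX sh functions.
# Assumes only find, ls, chmod, cut, wc and tr, no GNU-only options.

# Step 1: every regular file below DIR with the setuid or setgid bit set.
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Step 2 helper: of those, the ones that are group- or world-writable.
# A setuid file others can write is what the audit paragraph describes;
# the xx file in the session above (-rwsrwsrwx) is an instance of it.
list_writable_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
                       \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Symbolic mode string of one file, e.g. -rwsr-xr-x (first 10 chars of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# One review line per setuid/setgid file: WRITABLE or OK, then mode and path.
# Position 6 of the mode string is group write, position 9 is other write.
audit_report() {
    list_suid_sgid "$1" | while read -r f; do
        m=$(mode_of "$f")
        case "$m" in
            ?????w*|????????w*) printf 'WRITABLE %s %s\n' "$m" "$f" ;;
            *)                  printf 'OK       %s %s\n' "$m" "$f" ;;
        esac
    done
}

# Step 3: after review, drop setuid/setgid from a program that does not need it.
revoke_setuid_setgid() {
    chmod u-s,g-s "$1"
}

# Close the write hole without deciding the setuid question yet.
revoke_group_other_write() {
    chmod go-w "$1"
}

# Count the lines a function prints, so callers can check results numerically.
count_lines() {
    "$@" | wc -l | tr -d ' '
}

# Demonstration on a constructed directory, not on real system binaries.
demo() {
    d=$(mktemp -d)   # assumption: mktemp supports -d on this platform
    for f in bin_a bin_b bin_c plain; do
        printf '#!/bin/sh\necho hi\n' > "$d/$f"
    done
    chmod 4755 "$d/bin_a"    # setuid only
    chmod 2755 "$d/bin_b"    # setgid only
    chmod 6777 "$d/bin_c"    # setuid+setgid and world-writable, like xx
    chmod 755  "$d/plain"    # no special bits, must not be listed
    echo "setuid/setgid files: $(count_lines list_suid_sgid "$d")"
    audit_report "$d"
    revoke_setuid_setgid "$d/bin_c"
    revoke_group_other_write "$d/bin_c"
    echo "bin_c after restriction: $(mode_of "$d/bin_c")"
    rm -rf "$d"
}

demo
```

Run it as a normal user to see the report on the constructed files; to audit a real tree, call audit_report / (or /opt, /usr/local) and review each WRITABLE line first, since those are the files where the audit finding actually applies, before deciding per program whether revoke_setuid_setgid is safe (the thread notes that ping, traceroute and arp become root-only once the bit is gone).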

unixadmin_1
Frequent Advisor

Re: restrict suid and sgid permissions

Thank you very much for the response... Maybe your answer is correct... As I am new to the unix environment, can you please explain how to sort it out with each and every step... For example, I got access to Informix; how should I proceed... I am totally new... From which directory should I start... rafsap> is the root directory... So from there how do we execute the code mentioned... Please let me know.
Dennis Handly
Acclaimed Contributor

Re: restrict suid and sgid permissions

>Laurent: if a non-root user modifies a program with SUID root set, the SUID is reset.

Hmm, what you say is true but where is it documented? This almost seems like a near useless feature since root shouldn't make the executables writable. But I guess it protects the uninformed. I.e.
>4) The program's permission list does not allow write access to users who do not require it.

There should be NOBODY that can write to these SUID root executables. (And root can just bypass the missing u+w.)

>Laurent: If you want to modify the rights of all those files, then you need to contact the various support:
>HP support for /var/adm

I think just saying these files come from HP should be good enough for the auditors.