The switch user identification (SUID) and switch group identification (SGID) permissions were still used. If an SUID program were to give users unintended write access, the system would be exposed as the SUID program could be replaced by a program with a different function and be used to gain unrestricted access to root. The use of an SGID bit creates a special program, allowing an otherwise restricted user to access certain files in a predetermined way.
man chmod: s Add or delete the set-owner-ID-on-file- execution or set-group-ID-on-file-execution permission for who. Useful only if u or g is expressed or implied in who.
or
4000(= u=s)Set user ID on file execution (file only) 2000(= g=s)Set group ID on file execution (file only) 1000(= u=t)Set sticky bit; see below and chmod(2)
what solution (as i didn't see one of those noted either)???
SUID and SGID bits on the the permissions set the user or group id to that of the program when it is run.
It appears that you may be looking at an auditors report, and they found some suid stuff they didn't like?
if thats the case, consider sudo or powerbroker to allow users access to the required resources. if its not the case, you need to clarify what your concern / issue actually is.
"If i got a list how to restrict SUID and SGID for a particular userids"
they are attributes of the file / executable. as such they aren't associated with a particular user. I don't know if ACLs will manage this or not.
the only way I know of it to keep the users out of groups that can actually execute the file in question and have it owned by someone other than the user you wish to exclude.
else you need to make a program with setuid root, which test getuid() and if it matches with the allowed one, then allow it
An other way: put the command you want in a directory only accessible from a group of users, then add all the users who have the right to use it in that group.
Company audit is going on but what exactly doe s the beloww sentence states...Its a urgent issue .please specify with solution and how to proceed...or else any thing related to sam
The switch user identification (SUID) and switch group identification (SGID) permissions were still used. If an SUID program were to give users unintended write access, the system would be exposed as the SUID program could be replaced by a program with a different function and be used to gain unrestricted access to root. The use of an SGID bit creates a special program, allowing an otherwise restricted user to access certain files in a predetermined way.
Recommended Action The above list of programs should be checked to ensure that they are legitimate programs that require the powerful SUID privilege.
You should also check that:
1) Unauthorised changes have not been made to any of these programs;
2) The programs are being executed from the intended directories;
3)The associated Owner is appropriate and is not too powerful (i.e. does not have excessive permissions) for the program's function; and
4)The program's permission list does not allow write access to users who do not require it.
Thanks a lot ..to me i just understood the concept but how to restrict this to few specific users...please send me the clear answer for this ..its a urgent issue...Thank you
Only root can create SUID/SGID scripts owned and executable by root. So any "restrictions" on this capability would match the "restrictions" you place on access to a "#" root prompt.
Deviation:- The following Audit Issues Identified by the Auditor General has still not been resolved:-
The switch user identification (SUID) and switch group identification (SGID) permissions were still used. If an SUID program were to give users unintended write access, the system would be exposed as the SUID program could be replaced by a program with a different function and be used to gain unrestricted access to root. The use of an SGID bit creates a special program, allowing an otherwise restricted user to access certain files in a predetermined way. (Refer to paragraphs 22 and 23 of the SekChek report.)
22 SUID Permissions.doc - Paragraph 22 of the SekCheck report resides within this document. 23 SGID Permissions.doc - Paragraph 23 of the SekCheck report resides within this document.
Urgent Request:- Please can you load an emergency change to ensure that the system is in compliance by ensuring that:-
1) Review the list of programs with SGID and SUID Access. 2) Verify if access is applicable. 3) Restrict SGID and SUID Access from programs that do not require this access.
Please come up with best solution for the above and you can find 2 attachments
If you cant to modify the rights of all those files, then you need to contact the various support: HP support for /var/adm /var/adm/sw/save.. are there to backup previous patch state. So there is a solution which is to remove it doing a cleanup(1M) side effect being to not be able to uninstall any patch there after. about sw and vg, lvm commands you need to contact HP support if you want to remove SUID bit.
if you want to remove it from ping and traceroute and arp, then only root user will be able to use them.
The alternative to such thing is to use fine grain priviledge and RBAC.
about the fact to have write access on a SUID root file for others than root. If this other modify that file the program will lose the SUID bit. If you need an official statement of HP about that you will need to contact HP support.
For informinx files then you need to contact informix support. but again even if a non root user write to it to modify it, the program will loose the SUID bit.
For AMMCATATLG it is not executable - see the S and not s- so there is no problem.
About what is said in the document: "If an SUID program gives unintended write access to users, your system is very exposed. This is because someone could replace the SUID program with a program that has a different function to the original and use it to gain access to root at any time'.
Really I don't see how, because if that none root user modify that file it doesn't own, the file will loose the SUID bit, so it won't be of any use to gain any privilege.
example: # cat yy echo zzz>>xx # chown bin yy # chmod 6555 yy # echo yes >xx # chown bin xx # chmod 6777 xx # su lp $ ls -l -rwsrwsrwx 1 bin sys 12 Jan 20 14:28 xx -r-sr-sr-x 1 bin sys 14 Jan 20 14:18 yy $ ./yy $ ls -l -rwxrwxrwx 1 bin sys 12 Jan 20 14:29 xx -r-sr-sr-x 1 bin sys 14 Jan 20 14:18 yy
Thank you very much for the response...May be your answer might be correct...as i am new to unix environment can you please explain how to sort out with each and every step...example i got access to informix and how should i proceed..i am totally new... from which directory i should start...rafsap> is root directory...so from there how do we execute the code mentioned...Please let me know
