Community Home > Servers and Operating Systems > Operating System - HP-UX > System Administration
restrict suid and sgid permissions
01-06-2009 05:31 AM
01-06-2009 05:49 AM
01-06-2009 06:07 AM
If a non-root user modifies a file with the SUID bit, the SUID bit & SGID (Set Group ID) bit are removed.
01-06-2009 06:22 AM
01-06-2009 06:31 AM
s     Add or delete the set-owner-ID-on-file-execution or set-group-ID-on-file-execution permission for who. Useful only if u or g is expressed or implied in who.
or
4000 (= u=s)  Set user ID on file execution (file only)
2000 (= g=s)  Set group ID on file execution (file only)
1000 (= u=t)  Set sticky bit; see below and chmod(2)
01-15-2009 05:04 AM
01-15-2009 07:05 AM
What solution (as I didn't see one of those noted either)???
SUID and SGID bits on the permissions set the user or group id to that of the program when it is run.
It appears that you may be looking at an auditor's report, and they found some suid stuff they didn't like?
If that's the case, consider sudo or PowerBroker to allow users access to the required resources. If it's not the case, you need to clarify what your concern / issue actually is.
01-15-2009 08:26 AM
01-15-2009 09:03 AM
They are attributes of the file / executable. As such they aren't associated with a particular user. I don't know if ACLs will manage this or not.
The only way I know of is to keep the users out of groups that can actually execute the file in question and have it owned by someone other than the user you wish to exclude.
01-15-2009 10:42 AM
You should install sudo and allow the list of userids to run whatever command with it. The suid and sgid of the command do not get affected.
01-15-2009 11:11 AM
Else you need to make a program with setuid root, which tests getuid() and, if it matches the allowed one, then allows it.
Another way:
Put the command you want in a directory only accessible from a group of users, then add all the users who have the right to use it in that group.
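The setuid-root wrapper that the reply above describes, written out as an added example; it is not code from the thread or from HP. It checks the caller's real UID against a fixed allow-list and, only on a match, runs one fixed program with root privilege; everyone else is refused after privilege is dropped. The allow-listed UIDs (250, 251), the target /usr/sbin/id, the fixed PATH and the install commands in the comment are assumptions for the example.

```c
/* Added example (not from the thread): minimal setuid-root wrapper with a
 * UID allow-list. Install on the audited host roughly as:
 *   chown root wrapper; chmod 4550 wrapper   (group-restricted, setuid root)
 * The allow-list, TARGET and PATH below are constructed for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical allow-list of real UIDs permitted to use the wrapper. */
static const uid_t allowed_uids[] = { 250, 251 };
#define N_ALLOWED (sizeof allowed_uids / sizeof allowed_uids[0])

/* Hypothetical fixed target; the wrapper never takes the program from argv. */
#define TARGET "/usr/sbin/id"

/* Return 1 if uid is on the allow-list, 0 otherwise. */
int is_allowed(uid_t uid)
{
    size_t i;
    for (i = 0; i < N_ALLOWED; i++)
        if (allowed_uids[i] == uid)
            return 1;
    return 0;
}

/* Policy decision, kept apart from main() so it can be tested without the
 * binary actually being installed setuid: 1 = run TARGET as root, 0 = refuse.
 * The wrapper only makes sense when its effective UID is 0 (installed
 * setuid root); otherwise it refuses instead of running the target with
 * whatever privilege the caller already had. */
int wrapper_decision(uid_t real_uid, uid_t effective_uid)
{
    if (effective_uid != 0)
        return 0;
    return is_allowed(real_uid);
}

int main(int argc, char **argv)
{
    uid_t ruid = getuid();
    uid_t euid = geteuid();
    /* Fixed argument vector and minimal environment, so the caller cannot
     * influence what the privileged program does. */
    char *const target_argv[] = { TARGET, NULL };
    char *const target_env[]  = { "PATH=/usr/bin:/usr/sbin", NULL };
    (void)argc;

    if (!wrapper_decision(ruid, euid)) {
        /* Refuse, and give up any privilege before doing anything else. */
        if (setuid(ruid) != 0) {
            perror("setuid");
            return 1;
        }
        fprintf(stderr, "%s: uid %lu is not permitted to run %s\n",
                argv[0], (unsigned long)ruid, TARGET);
        return 1;
    }

    /* Permitted: make root the real UID as well, so TARGET keeps it. */
    if (setuid(0) != 0) {
        perror("setuid(0)");
        return 1;
    }
    execve(TARGET, target_argv, target_env);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

The decision is made on getuid(), the real UID, because that is the identity that cannot be changed by the caller; geteuid() is what the setuid bit gave the wrapper. Combining this with the group-restricted directory from the same reply (chmod 550 on the directory) gives two independent checks.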
01-15-2009 12:24 PM
01-15-2009 12:30 PM
If not that, then he's pulling issues directly out of a security audit or some such...
01-15-2009 03:19 PM
> security audit
Or studying for a test and reading sample or previous test questions?
01-19-2009 02:25 AM
The switch user identification (SUID) and switch group identification (SGID) permissions were still used. If an SUID program were to give users unintended write access, the system would be exposed as the SUID program could be replaced by a program with a different function and be used to gain unrestricted access to root. The use of an SGID bit creates a special program, allowing an otherwise restricted user to access certain files in a predetermined way.
Recommended Action
The above list of programs should be checked to ensure that they are legitimate programs that require the powerful SUID privilege.
You should also check that:
1) Unauthorised changes have not been made to any of these programs;
2) The programs are being executed from the intended directories;
3) The associated Owner is appropriate and is not too powerful (i.e. does not have excessive permissions) for the program's function; and
4) The program's permission list does not allow write access to users who do not require it.
01-19-2009 03:40 AM
If a non-root user modifies a program with SUID root set, the SUID is reset.
01-19-2009 06:12 AM
01-19-2009 06:49 AM
HP-Server-Literate since 1979
01-19-2009 08:23 AM
# chown root:myrestrictedgroup
# chmod 550
# cp /usr/sbin/id /myrestricted
# chown root:myrest /myrestricted/id
# chmod 4550 /myrestricted/id
# grep myrest /etc/group
myrest::200:laurent
# su - laurent
$ /myrestricted/id
uid=250(laurent) gid=20(users) euid=0(root) groups=200(test)
# su - toto
$ /test/id
sh: /test/id: not found.
$ ls /test
/test unreadable
$
Does this answer your question?
01-20-2009 05:04 AM
01-20-2009 05:05 AM
01-20-2009 05:06 AM
The following Audit Issues Identified by the Auditor General have still not been resolved:-
The switch user identification (SUID) and switch group identification (SGID) permissions were still used. If an SUID program were to give users unintended write access, the system would be exposed as the SUID program could be replaced by a program with a different function and be used to gain unrestricted access to root. The use of an SGID bit creates a special program, allowing an otherwise restricted user to access certain files in a predetermined way. (Refer to paragraphs 22 and 23 of the SekChek report.)
22 SUID Permissions.doc - Paragraph 22 of the SekChek report resides within this document.
23 SGID Permissions.doc - Paragraph 23 of the SekChek report resides within this document.
Urgent Request:-
Please can you load an emergency change to ensure that the system is in compliance by ensuring that:-
1) Review the list of programs with SGID and SUID Access.
2) Verify if access is applicable.
3) Restrict SGID and SUID Access from programs that do not require this access.
Please come up with the best solution for the above; you can find the 2 attachments.
01-20-2009 05:31 AM
If you want to modify the rights of all those files, then you need to contact the various support:
HP support for /var/adm
/var/adm/sw/save.. are there to back up the previous patch state. So there is a solution, which is to remove it by doing a cleanup(1M), the side effect being to not be able to uninstall any patch thereafter.
About sw and vg, lvm commands, you need to contact HP support if you want to remove the SUID bit.
If you want to remove it from ping and traceroute and arp, then only the root user will be able to use them.
The alternative to such a thing is to use fine-grained privileges and RBAC.
About the fact of having write access on a SUID root file for others than root:
If this other modifies that file, the program will lose the SUID bit.
If you need an official statement from HP about that, you will need to contact HP support.
For Informix files, you need to contact Informix support.
But again, even if a non-root user writes to it to modify it, the program will lose the SUID bit.
For AMMCATATLG it is not executable
- see the S and not s - so there is no problem.
Only 1 file has other write access.
01-20-2009 05:43 AM
"If an SUID program gives unintended write access to users, your system is very exposed.
This is because someone could replace the SUID program with a program that has a different function to the original and use it to gain access to root at any time."
Really I don't see how, because if that non-root user modifies that file it doesn't own, the file will lose the SUID bit, so it won't be of any use to gain any privilege.
example:
# cat yy
echo zzz>>xx
# chown bin yy
# chmod 6555 yy
# echo yes >xx
# chown bin xx
# chmod 6777 xx
# su lp
$ ls -l
-rwsrwsrwx 1 bin sys 12 Jan 20 14:28 xx
-r-sr-sr-x 1 bin sys 14 Jan 20 14:18 yy
$ ./yy
$ ls -l
-rwxrwxrwx 1 bin sys 12 Jan 20 14:29 xx
-r-sr-sr-x 1 bin sys 14 Jan 20 14:18 yy
01-20-2009 05:54 AM
© Copyright 2018 Hewlett Packard Enterprise Development LP