Operating System - HP-UX
restrict suid and sgid permissions

 
unixadmin_1
Frequent Advisor

restrict suid and sgid permissions

The switch user identification (SUID) and switch group identification (SGID) permissions were still used. If an SUID program were to give users unintended write access, the system would be exposed as the SUID program could be replaced by a program with a different function and be used to gain unrestricted access to root. The use of an SGID bit creates a special program, allowing an otherwise restricted user to access certain files in a predetermined way.
yulianto piyut
Valued Contributor

Re: restrict suid and sgid permissions

Check this site: www.cisecurity.org
Laurent Menase
Honored Contributor

Re: restrict suid and sgid permissions

Is it a question about the Set User ID bit? (not Switch but Set)

If a non-root user modifies a file with the SUID bit, the SUID bit and the SGID (Set Group ID) bit are removed.

unixadmin_1
Frequent Advisor

Re: restrict suid and sgid permissions

No, it's not the set: switch userid and switch groupid.
Laurent Menase
Honored Contributor

Re: restrict suid and sgid permissions

man chmod:

    s   Add or delete the set-owner-ID-on-file-execution or
        set-group-ID-on-file-execution permission for who.
        Useful only if u or g is expressed or implied in who.

or

    4000 (= u=s)  Set user ID on file execution (file only)
    2000 (= g=s)  Set group ID on file execution (file only)
    1000 (= u=t)  Set sticky bit; see below and chmod(2)
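The numeric modes quoted above (4000 for set-user-ID, 2000 for set-group-ID) are exactly what find(1) tests for when an administrator inventories set-id files, which is the usual way to answer an auditor's question about them. The script below is an added example, not code from anyone in this thread or from HP-UX itself; it assumes a POSIX sh, a find(1) that accepts -perm -4000 / -perm -2000 (HP-UX and Linux both do), and comm(1). It lists every SUID/SGID file under a directory and compares the list with a baseline saved earlier, so that a set-id bit appearing on a new file, or vanishing from an expected one, is reported. The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Inventory of set-user-ID (4000) and set-group-ID (2000) files, with a comparison
# against a saved baseline. Added example, not from the thread; assumes a POSIX sh,
# a find(1) that accepts -perm -4000 / -perm -2000 (HP-UX and Linux both do), and
# comm(1). The sample tree below is constructed for the demonstration.

# list_setid_files DIR: every regular file under DIR carrying the SUID or SGID
# bit, one path per line, sorted so the output can be diffed.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# check_setid_baseline BASELINE DIR: compare today's inventory with BASELINE
# (a file written earlier by list_setid_files). Prints "+ path" for a set-id file
# that was not in the baseline and "- path" for one that has disappeared.
# Returns 0 when nothing changed, 1 otherwise, so it can drive a cron job.
check_setid_baseline() {
    baseline=$1
    dir=$2
    cur="${TMPDIR:-/tmp}/setid_current.$$"
    list_setid_files "$dir" > "$cur"
    added=$(comm -13 "$baseline" "$cur")      # only in the current inventory
    removed=$(comm -23 "$baseline" "$cur")    # only in the baseline
    rm -f "$cur"
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added" ] && [ -z "$removed" ]
}

# build_sample_tree: a constructed directory with one SUID, one SGID and one
# ordinary executable, so the functions above can be exercised without root.
build_sample_tree() {
    d="${TMPDIR:-/tmp}/setid_demo.$$"
    mkdir -p "$d/bin" "$d/lib"
    : > "$d/bin/suidtool"; chmod 4755 "$d/bin/suidtool"   # u=s, 4000
    : > "$d/lib/sgidtool"; chmod 2755 "$d/lib/sgidtool"   # g=s, 2000
    : > "$d/bin/newtool";  chmod 0755 "$d/bin/newtool"    # plain executable
    printf '%s\n' "$d"
}

# demo: record a baseline, simulate drift, and report it.
demo() {
    d=$(build_sample_tree)
    list_setid_files "$d" > "$d/baseline.txt"
    echo "baseline:"; cat "$d/baseline.txt"
    chmod u+s "$d/bin/newtool"        # drift: a new SUID file appears
    chmod u-s "$d/bin/suidtool"       # drift: an expected SUID file lost its bit
    echo "changes against baseline:"
    check_setid_baseline "$d/baseline.txt" "$d" || echo "inventory changed"
    rm -rf "$d"
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Run it as `sh setid_inventory.sh --demo` to see the two drift lines. On a real system the baseline is taken once from `/` as root right after installation or patching, kept somewhere ordinary users cannot write, and the comparison is scheduled; any "+" line is a set-id file that nobody approved.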
unixadmin_1
Frequent Advisor

Re: restrict suid and sgid permissions

Can anyone explain a better solution for this, so that I can report the issue to the senior admin?
OldSchool
Honored Contributor

Re: restrict suid and sgid permissions

What issue (I didn't see one listed)???

What solution (as I didn't see one of those noted either)???

SUID and SGID bits on the permissions set the user or group id to that of the program when it is run.

It appears that you may be looking at an auditor's report, and they found some suid stuff they didn't like?

If that's the case, consider sudo or powerbroker to allow users access to the required resources. If it's not the case, you need to clarify what your concern / issue actually is.
unixadmin_1
Frequent Advisor

Re: restrict suid and sgid permissions

If I got a list, how do I restrict SUID and SGID for particular userids?
OldSchool
Honored Contributor

Re: restrict suid and sgid permissions

"If I got a list, how do I restrict SUID and SGID for particular userids?"

They are attributes of the file / executable. As such they aren't associated with a particular user. I don't know if ACLs will manage this or not.

The only way I know of is to keep the users out of groups that can actually execute the file in question, and have it owned by someone other than the user you wish to exclude.
TTr
Honored Contributor

Re: restrict suid and sgid permissions

> If I got a list, how do I restrict SUID and SGID for particular userids?

You should install sudo and allow the list of userids to run whatever command with it. The suid and sgid bits of the command are not affected.