Default groups

 
Gamaliel
Frequent Advisor

Default groups

Hi All there,

I'm having some observations from my auditors concerning groups with no users.

I think groups "nogroup" and "tty" are set by default in HP-UX systems. As they don't have any users, can these groups be deleted? If yes, is that painless?

Thanks,
6 REPLIES 6
Paul Sperry
Honored Contributor

Re: Default groups

I know that Apache uses the nobody group.
So if you are running Apache I wouldn't get rid of the nobody group.
Tim Nelson
Honored Contributor

Re: Default groups

Do not remove these default GIDs. They are necessary for the system or subsystems to work.

tty for example is the group that all tty's are assigned to.

nogroup is typically used by software applications that assign GIDs to files in order to preserve security. nogroup GID is -2, this is invalid and hence is secure, more secure than using sys, bin, other....

How can having no members be a security issue? Like a house with no doors, it is more secure than one with doors.


TwoProc
Honored Contributor

Re: Default groups

Actually, if you go out and read up on it, your auditors are dead wrong.

The risk in getting rid of old accounts and old groups is that if there are files out there that are used by those groups on any servers, and later on, if you decide to use the now available group number for a new group - the new group (and thus group members) will have access to files that they shouldn't have.

The same is true for users. Lock those accounts; don't delete them.

What your auditor needs to keep in mind is that groups aren't just for users - they are also for files. What if you restore an old file from tape? It will come back with the same group id's it used to have - if group number(s) have been re-used, then a real risk is present that people will have access to things they shouldn't have. Present the scenario to your auditor, and ask them how they would feel if the file(s) restored were a) credit card files, b) financial files, c) or medically related (HIPAA) files.

IMHO, you are doing the right thing by leaving the groups in there. Groups with no members are not an access point by any means, but changing group numbers certainly can be.
We are the people our parents warned us about --Jimmy Buffett
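
The point made in the reply above, that files keep their numeric GID after the group entry is gone, can be checked before a group is removed or a GID is handed to a new group. This is an added example in POSIX sh, not part of any poster's reply; the function names are hypothetical, and it assumes the fourth column of `ls -ln` is the numeric GID.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# gids_in_tree DIR: print each distinct numeric GID carried by files under DIR.
gids_in_tree() {
    find "$1" -exec ls -lnd {} + 2>/dev/null |
        awk '$4 ~ /^-?[0-9]+$/ { print $4 }' | sort -un
}

# gid_defined GROUPFILE GID: succeed if GID has an entry in GROUPFILE
# (third colon-separated field of an /etc/group style file).
gid_defined() {
    awk -F: -v gid="$2" '$3 == gid { found = 1 } END { exit !found }' "$1"
}

# orphan_gids GROUPFILE DIR: GIDs that own files under DIR but have no
# group entry. Whoever is later given one of these GIDs inherits those files.
orphan_gids() {
    for gid in $(gids_in_tree "$2"); do
        gid_defined "$1" "$gid" || echo "$gid"
    done
}

# gid_safe_to_assign GROUPFILE DIR GID: succeed only if GID is neither
# defined in GROUPFILE nor already carried by any file under DIR.
gid_safe_to_assign() {
    if gid_defined "$1" "$3"; then return 1; fi
    if gids_in_tree "$2" | grep -qx -e "$3"; then return 1; fi
    return 0
}

# Usage: sh script.sh /etc/group /some/tree   (lists orphaned GIDs)
if [ "$#" -eq 2 ]; then
    orphan_gids "$1" "$2"
fi
```

Run it against each filesystem that might hold restored or archived data; a GID it prints is one that must not be reassigned to a new group.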
Gamaliel
Frequent Advisor

Re: Default groups

You know, I couldn't find information about these 2 groups... any hint?
Dennis Handly
Acclaimed Contributor

Re: Default groups

>I couldn't find information about these 2 groups.

Tim told you. tty is for /dev/tty*.
nogroup is for the scum of the earth root when over NFS and not exported with root=.
Gamaliel
Frequent Advisor

Re: Default groups

Thank you all, folks!