06-05-2000 11:25 AM
disabling chfn

Sorry if this is a no-brainer, but ... How does one disable "chfn" under HP-UX? We'd like to prevent people from changing the information in the gecos field of their password file entry. Just removing /usr/bin/chfn is no help, since all someone needs to do is to

ln -s /usr/bin/passwd /some/dir/chfn

and bingo, they have a working "chfn" command again. The manpage says

Security Restrictions
You must have the owner kernel authorization
and the syslo sensitivity label to run chfn.

But where, exactly, are those terms defined and discussed? It seems that by default, any random user has appropriate privilege to run "chfn". How does one change this? (Just a pointer to an appropriate place to RTFM is sufficient.)

an expert is a person who has made all the mistakes which can be made, in a narrow field. - Niels Bohr (1885-1962)
			
			
				
			
			
			
			
			
			
		
06-05-2000 05:14 PM
Re: disabling chfn

One thing I have done in the past was to change permission on chfn so that only root can use it, rename passwd to syspasswd.
Create a simple program called passwd that is accessible by everyone that encompasses syspasswd but doesn't allow any other parameters to be passed to it.
Basically using this type of method you can come up with a site specific solution.
If you need more details let me know.

Minimum effort maximum output!
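
The wrapper described in the reply above, sketched in C as an added example (not the poster's program and not HP code): it refuses any arguments and forces argv[0] to "passwd", so calling it through a symlink named chfn still reaches only the password-change path. The path /usr/bin/syspasswd, the fixed PATH value and the function names are assumptions.

```c
/* Added example: hypothetical replacement for /usr/bin/passwd. */
#include <stdio.h>
#include <unistd.h>

/* Assumed location of the renamed vendor binary ("rename passwd to syspasswd"). */
#define REAL_PASSWD "/usr/bin/syspasswd"

/* Allow the call only when no parameters were supplied.
   argc == 0 (an empty argv) is rejected as well. */
int invocation_allowed(int argc, char *const argv[])
{
    (void)argv;               /* the invoked name is deliberately ignored */
    return argc == 1;
}

/* Build the fixed argument and environment vectors for the real binary.
   argv[0] is always "passwd": the name the user invoked the wrapper by
   (for example a symlink called chfn) never reaches the real program.
   The caller's environment is dropped in favour of one fixed entry. */
void build_exec_vectors(const char *out_argv[2], const char *out_envp[2])
{
    out_argv[0] = "passwd";
    out_argv[1] = NULL;
    out_envp[0] = "PATH=/usr/bin";
    out_envp[1] = NULL;
}

int main(int argc, char *argv[])
{
    const char *av[2], *ev[2];

    if (!invocation_allowed(argc, argv)) {
        fprintf(stderr, "usage: passwd (no options accepted)\n");
        return 2;
    }
    build_exec_vectors(av, ev);
    execve(REAL_PASSWD, (char *const *)av, (char *const *)ev);
    perror("execve " REAL_PASSWD);   /* reached only if execve failed */
    return 127;
}
```

The wrapper restricts nothing if users can still execute syspasswd directly, since the same symlink trick would then work against the renamed binary. How direct execution is prevented (for instance group-only execute permission on syspasswd with the wrapper installed setgid to that group) is a site-specific assumption and is not shown.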
			
			
				
			
			
			
			
			
			
12-25-2006 10:28 AM
Re: disabling chfn

==>
"Security Restrictions
You must have the owner kernel authorization
and the syslo sensitivity label to run chfn.
But where, exactly, are those terms defined and discussed? It seems that by default, any random user has appropriate privilege to run "chfn". How does one change this? (Just a pointer to an appropriate place to RTFM is sufficient.)"
<==

I had the same question as you did. After some researching on the web I found that the terms '"owner" kernel authorization' and '"syslo" sensitivity label' come from HP's VirtualVault Operating System terminology.

See priv(1) man page for the kernel authorizations in the VirtualVault reference PDF doc below:
http://www.docs.hp.com/en/B5413-90057/B5413-90057.pdf

"A sensitivity label represents the sensitivity of a process or a filesystem object and the data each contains."
taken from one of HP's patents on Trusted Gateway Agent for web server programs:
http://www.freepatentsonline.com/5903732.html

SYSLO is one of the predefined sensitivity labels defined by VirtualVault, as in VirtualVault Integrators guide.
http://www.docs.hp.com/en/B5413-90031/B5413-90031.pdf
