Operating System - HP-UX
jerry1
Super Advisor

File/Directory Permissions

There are a number of system files and directories that have permissions 666 and 777 set.

Does anyone know why any system files and directories would have to have wide open permissions? Excluding /tmp and /var/tmp of course.

And why do /tmp and /var/tmp not have the sticky bit set like they do on Solaris?



Hazem Mahmoud_3
Respected Contributor
Solution

Re: File/Directory Permissions

Can you give some examples?
Generally speaking, certain system files/directories need access by all users in order to perform properly.
However, a generic HP-UX install does not come in a secure, locked-down state. It will require a lot of manipulation to properly harden it. (check out the famous article about "Building a Bastion Host on HP-UX")
Again, if you have examples, that would help.

-Hazem
Chris Wilshaw
Honored Contributor

Re: File/Directory Permissions

It's a throwback to the bad old days.

HP provide a product called "Bastille" that can help to tidy this up a great deal.

Typically, it's things such as /usr/local/bin, which is often included in the path but has full permissions, that are the problem.
Charlie Rubeor
Frequent Advisor

Re: File/Directory Permissions

Solaris, along with other *nix systems, sets the sticky bit on /tmp and /var/tmp to prevent users from accidentally deleting or overwriting other users' files.

I also have a vague memory of the sticky bit keeping a program in memory, in order to make it load faster. I believe that vi is like this.
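The two checks this thread circles around, world-writable system files and directories and the sticky bit on shared directories such as /tmp and /var/tmp, as an added audit script that is not part of any post in the thread. It is plain POSIX sh and assumes a find that accepts octal -perm arguments (as HP-UX and GNU find do); the fixture tree it builds for demonstration is constructed here and the names in it are made up.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory tree for
# world-writable entries and for world-writable directories that lack
# the sticky bit. Assumes find supports octal -perm masks.

# world_writable ROOT
#   Prints every file or directory under ROOT whose "other" write bit is
#   set. -perm -002 matches when o+w is set regardless of the other bits.
#   Symlinks are skipped: they report mode 777 on many systems and the
#   permissions that matter are those of the target.
world_writable() {
    find "$1" -perm -002 ! -type l 2>/dev/null | sort
}

# unsticky_world_writable_dirs ROOT
#   Prints world-writable directories under ROOT that do NOT have the
#   sticky bit (octal 1000). In such a directory any user can delete or
#   rename other users' files; with the sticky bit only the file owner,
#   the directory owner and root can.
unsticky_world_writable_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 2>/dev/null | sort
}

# has_sticky DIR
#   Exit status 0 if DIR itself carries the sticky bit, 1 otherwise.
#   -prune stops find descending, so only DIR is examined.
has_sticky() {
    [ -n "$(find "$1" -prune -type d -perm -1000 2>/dev/null)" ]
}

# make_fixture
#   Builds a small constructed tree to demonstrate the checks and prints
#   its path. Directory and file names here are made up.
make_fixture() {
    root=$(mktemp -d) || exit 1
    mkdir "$root/tmp_ok" "$root/shared_bad" "$root/bin"
    : > "$root/bin/tool"
    : > "$root/bin/config"
    chmod 1777 "$root/tmp_ok"      # world-writable with sticky bit: acceptable
    chmod 777  "$root/shared_bad"  # world-writable, no sticky bit: flag it
    chmod 755  "$root/bin"
    chmod 755  "$root/bin/tool"
    chmod 666  "$root/bin/config"  # world-writable file: flag it
    printf '%s\n' "$root"
}

# Usage: sh audit.sh ROOT   (for example: sh audit.sh /usr/local)
if [ $# -gt 0 ]; then
    echo "== world-writable entries under $1"
    world_writable "$1"
    echo "== world-writable directories lacking the sticky bit under $1"
    unsticky_world_writable_dirs "$1"
fi
```

Run it against /usr/local or /opt to get the list of candidates for chmod o-w; a world-writable directory that genuinely has to stay shared should at least get chmod +t so users cannot remove each other's files, which is exactly the difference between the two directories in the fixture.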
jerry1
Super Advisor

Re: File/Directory Permissions

I have been checking out Bastille and find that it requires a special version of perl. We have perl.5.6.1, but that does not seem to be good enough.

Does anyone know where the HP version installs? I cannot afford to overwrite the current version and break production.

I know what the sticky bit does. I just wanted to know why HP does not set it for /tmp and /var/tmp.

Hazem Mahmoud_3
Respected Contributor

Re: File/Directory Permissions

If you're talking about location of the perl executor, it is usually under /opt/perl/bin or /opt/perl/bin.
I believe that's what you were asking.

-Hazem
Keith Buck
Respected Contributor

Re: File/Directory Permissions

See http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01006

HP-UX 11.22 (11i version 1.6) and later have the sticky bit set on /tmp and /var/tmp as well.

HP-UX Bastille requires the HP distribution of Perl (which installs in /opt/perl by the way) because of the libraries included in the distribution. This version of Perl is included in most recent OEURs. It is possible, though not supported by HP, to compile your own Perl-Tk libraries into your version of Perl. It is also possible to hand-hack the config file, but it is a lot easier to at least start with the GUI once to get an example. The GUI is also designed to be educational as it walks you through the steps.

Concerning the comments about HP-UX shipping with defaults open, check out Install-time security for 11.23 (11i version 2.0). For more information, see:

http://www.hp.com/products1/unix/operating/security/index.html#system

This lets you bypass the GUI and select one of 3 pre-hardened configurations from the ignite screen.

For older releases (11.00, 11.11, etc.) your OS is probably already installed, so HP-UX Bastille is the way to go (will walk you through the same steps as ITS would, if it was available for those releases).

Hope that helps

-Keith