Operating System - HP-UX
Re: File permissions after default UNIX HP-UX installation

Bolek Mynarski
Frequent Advisor

File permissions after default UNIX HP-UX installation

We are trying to tighten security on our systems so we ran some reports on security in place. It was absolutely astonishing to find out that directories like:

/usr/local
/usr/local/man
/usr/share/man/cat1.Z through cat8.Z
/usr/local/etc
/usr/local/lib
/var/adm/streams
/var/adm/diag
(just to name a few)

have 777 permissions set! Isn't that a disaster waiting to happen? What if a user decides to use those directories for some files s/he would want to store?

In any case, where can I find some info on HP-UX default perms? What scares me the most is the fact that the systems came this way, factory pre-installed.

Is it safe to assume that none of the system directories/files should be 777?

Thanks in advance.
It's never too late to learn new things...
CHRIS_ANORUO
Honored Contributor

Re: File permissions after default UNIX HP-UX installation

The permissions (777) on those files mentioned are okay. Those directories are available for every user to write into or access. For /usr/share/man, you will notice that if you do a new man on an online document, it first formats it (unzips the file) and makes it available on display.
When We Seek To Discover The Best In Others, We Somehow Bring Out The Best In Ourselves.
James R. Ferguson
Acclaimed Contributor

Re: File permissions after default UNIX HP-UX installation

Hi:

This is not quite as bad as first blush would suggest. The list you have given represents directories. In general, you want to be able to have users write into and delete from directories. On an individual basis and on different subdirectories you could certainly tighten down (e.g. 755).

You can improve things by setting the sticky bit on directories:

# umask 022
# chmod 1777 <directory>

In this case, all users can write to the directory but they can ONLY remove files for which they have explicit write permission.

Hopefully this helps.

...JRF...
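The original poster mentions running "reports" on permissions, and the reply above distinguishes a plain 777 directory from a 1777 (sticky) one. The following is an added example, not code from the thread: a small POSIX sh audit that walks a tree and reports world-writable directories with and without the sticky bit, plus world-writable regular files. It uses only find(1) primaries that exist on HP-UX as well as Linux (`-perm` with a leading dash means "all of these bits set", and `!` negates); the report labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a tree for world-writable
# directories and files, labelling each finding so the output can be sorted
# or counted. Labels DIR-NO-STICKY / DIR-STICKY / FILE are this example's own.

audit_world_writable() {
    root=$1
    # 777-style directories: anyone can create, rename or delete *any* entry,
    # which is the case the original poster found under /usr/local and
    # /usr/share/man/cat*.
    find "$root" -type d -perm -0002 ! -perm -1000 | sed 's/^/DIR-NO-STICKY /'
    # 1777 directories: still world-writable, but the sticky bit restricts
    # deletion/renaming of an entry to its owner, the directory owner and root.
    find "$root" -type d -perm -0002 -perm -1000 | sed 's/^/DIR-STICKY /'
    # World-writable regular files: anyone can replace their contents outright.
    find "$root" -type f -perm -0002 | sed 's/^/FILE /'
}

# Count findings of one label in a tree, e.g.:
#   count_findings /usr/local DIR-NO-STICKY
# grep -c exits 1 when the count is 0, so keep the "0" and succeed anyway.
count_findings() {
    audit_world_writable "$1" | grep -c "^$2 " || true
}

# Usage: audit.sh /usr/local /var/adm ...  (no arguments: define functions only)
for dir in "$@"; do
    audit_world_writable "$dir"
done
```

Run it against /usr/local, /usr/share/man and /var/adm and compare the DIR-NO-STICKY lines against what you actually intend to be shared scratch space; a DIR-STICKY hit on /tmp or /var/tmp is expected, a DIR-NO-STICKY hit on a directory that sits on users' PATH is the one to fix first.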
Cheryl Griffin
Honored Contributor

Re: File permissions after default UNIX HP-UX installation

If you want the system to check if the permissions are set to the default, try swverify. It will give you a detailed report for a particular fileset or for all filesets.

For example:
# swverify -v check_permission=true SystemAdmin
# swverify -v \*
(Literally use the backslash. There's a problem in the Forums displaying backslashes until the ITRC is updated.)

If you are looking for documentation, try this link. (I used "default permissions" in a search from docs.hp.com).
http://docs.hp.com/dynaweb/hpux10/hpuxen0a/b685/@ebt-link;nh=1?window=CURRENT;target=%25N%14_8817_START_RESTART_N%25;DwebQuery=default+permissions
"Downtime is a Crime."
Bolek Mynarski
Frequent Advisor

Re: File permissions after default UNIX HP-UX installation

I wonder if I am the only one seeing a problem with setting /usr/share/man (and below, and maybe /usr/local/etc, /usr/local/lib) to 0777? What keeps a user from simply removing its content with a swift "rm -rf", whether by mistake or maliciously? How about filling those directories with junk files taking up precious space?

I was comparing settings with my Linux box and perms there are set to 0755.

I thought I'd just throw it on the floor to see what other people think.

Thanks.
It's never too late to learn new things...
Matt Loveland
New Member

Re: File permissions after default UNIX HP-UX installation

I agree that these permissions do not look right. I just completed a fresh install and am looking at this type of information and my goal is to create a script that can be run after installation to fix some of these things automatically. If someone knows of a script or program that already does this, I would be interested in seeing it.

As far as the /usr/share/man/cat* directories go, I just remove them all together. The time that it takes to re-format the man pages each time they are used is a lot less than dealing with the wide open permissions.

I'm curious as to why the default install does not set the sticky bit on /tmp?

Thanks,
Matt Loveland
Bill Hassell
Honored Contributor

Re: File permissions after default UNIX HP-UX installation

The default permissions on all versions of 10.x and 11.x for /usr/local (and all subdirectories) are incorrect and must be fixed as part of a standard installation.

It's not clear why they were changed from the 'normal' 755 from all previous versions of HP-UX but clearly the change was not made with the knowledge of dozens of years of legacy Unix applications. These apps may install into /usr/local and may not have an option to move them.

This means that users will put /usr/local into their path, and with wide open 777 permissions, anyone can put Trojan horses into this directory (like su, or even the gerp command, which is a common misspelling of grep).

So fix all your systems to take away write privileges for /usr/local directories with:

find /usr/local -type d -exec chmod go-w {} \;

Note: There must be a backslash-semicolon at the end of the -exec command. ITRC code currently may have problems showing the backslash character.

As far as the sticky bit, this is a good technique to prevent users from clobbering each other's files in /tmp. However, /var/tmp is the *correct* directory for users, not /tmp. /tmp and /var/tmp should both have the sticky bit set. To my knowledge, HP-UX has never installed these directories with the bit set.


Bill Hassell, sysadmin
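The reply above makes two points worth seeing end to end: a world-writable directory on PATH lets anyone plant a command that a typo will run, and `find ... -exec chmod go-w {} \;` closes the hole. The script below is an added demonstration, not code from the thread or from HP. It builds a scratch "local/bin" tree with 777 permissions, plays the attacker who drops a fake `gerp`, plays the victim who mistypes `grep`, then applies the fix and verifies with find(1) that no world-writable directory remains. The directory names, the marker text and the `gerp` payload are constructed for the example; the `-exec ... \;` form is kept rather than `-exec ... +` because old HP-UX find(1) predates the latter.

```shell
#!/bin/sh
# Added example (not from the original thread): PATH hijack through a 777
# directory, followed by the hardening step from the reply and a check.
# All paths are constructed under a scratch directory; nothing touches /usr/local.

# Attacker (any unprivileged user): drop an executable with a likely typo name
# into a directory that is world-writable and sits on other users' PATH.
plant_trojan() {
    dir=$1
    printf '%s\n' '#!/bin/sh' 'echo TROJAN-RAN' > "$dir/gerp"
    chmod 755 "$dir/gerp"
}

# Victim: has the directory on PATH and mistypes "grep" as "gerp".
# Prints whatever the resolved command prints, or a not-found marker.
victim_typo() {
    dir=$1
    PATH="$dir:$PATH" gerp 2>/dev/null || echo "gerp: not found"
}

# The fix from the reply: remove group and other write from every directory
# in the tree. Files already planted are NOT touched, so review them separately
# (for example with the audit in the earlier example, or: find TREE -type f -newer ...).
harden_tree() {
    find "$1" -type d -exec chmod go-w {} \;
}

# Verification: number of directories in the tree that are still world-writable.
# -perm -0002 matches directories with the "other write" bit set.
world_writable_dirs() {
    find "$1" -type d -perm -0002 | wc -l | tr -d ' '
}

# Stand-alone demo when run directly: harden a real tree given as $1.
# (e.g. ./harden.sh /usr/local) and report what is left.
if [ $# -gt 0 ]; then
    echo "before: $(world_writable_dirs "$1") world-writable dir(s)"
    harden_tree "$1"
    echo "after:  $(world_writable_dirs "$1") world-writable dir(s)"
fi
```

Note what the test of this script cannot show with a single user: after `chmod go-w` the owner can still write, so the proof that an *attacker* is blocked is the zero count of `-perm -0002` directories, not a failed write. Also note that hardening the directories does nothing about a `gerp` that was planted before the fix; the permissions change stops future drops, and existing contents of /usr/local/bin still need to be reviewed by hand.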