Operating System - HP-UX

Fresh 11iv3 install has SU_DEFAULT_PATH active?

 
Jason Boissiere_1
New Member

Fresh 11iv3 install has SU_DEFAULT_PATH active?

Fresh install of 11.31 on PA-RISC and there are four active entries in /etc/default/security:

UMASK
ABORT_LOGIN_ON_MISSING_HOMEDIR
NOLOGIN
SU_DEFAULT_PATH

The last one tripped up some application scripts that expected su subshells to retain the parent PATH value. Is this standard behaviour for a fresh install of 11iv3, and is it documented anywhere?
Peter Leddy_1
Esteemed Contributor

Re: Fresh 11iv3 install has SU_DEFAULT_PATH active?

Have you seen this, it's from http://docs.hp.com/en/B2355-91024/B2355-91024.pdf

This attribute defines a new default PATH environment value to be set when su to a
non-superuser account is done. Refer to su(1).
SU_DEFAULT_PATH=new_PATH
The PATH environment variable is set to new_PATH when the su command is
invoked. The path value is not validated. This attribute does not apply to a superuser
account, and is applicable only when the "-" option is not used with the su command.
Default value: If this attribute is not defined or if it is commented out, PATH is not
changed.


So from my reading of the above you could change your scripts to use "-" with su or if you don't want it at all just comment it out.

Hope this helps,

Peter
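
Added example, not part of the original thread or of HP's documentation: a POSIX shell check that lists which attributes are active (not commented out) in a file in /etc/default/security format and reports what that means for su without "-". The sample file, its values and the function names are constructed for illustration, and the parser assumes one NAME=value entry per line with "#" marking a comment.

```shell
#!/bin/sh
# Constructed sample in /etc/default/security format (all values are made up).
SAMPLE="${TMPDIR:-/tmp}/security.sample.$$"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Constructed sample, not a real system's file
UMASK=027
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
#MIN_PASSWORD_LENGTH=8
NOLOGIN=1
SU_DEFAULT_PATH=/usr/bin:/usr/ccs/bin
EOF

# Print the names of all active (uncommented) attributes, in file order.
# $1: path to the file to inspect
active_attrs() {
    sed -n 's/^[[:space:]]*\([A-Z_][A-Z0-9_]*\)=.*/\1/p' "$1"
}

# Print the value of one active attribute.
# Returns 1 if the attribute is missing or commented out.
# $1: file, $2: attribute name
attr_value() {
    grep -q "^[[:space:]]*$2=" "$1" || return 1
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Summarise the effect on su, following the attribute description quoted above:
# it applies only to non-superuser targets and only when "-" is not used.
su_path_report() {
    if p=$(attr_value "$1" SU_DEFAULT_PATH); then
        echo "SU_DEFAULT_PATH active: su (no '-') to a non-superuser sets PATH=$p"
    else
        echo "SU_DEFAULT_PATH not active: su (no '-') leaves PATH unchanged"
    fi
}

echo "Active attributes:"
active_attrs "$SAMPLE"
su_path_report "$SAMPLE"
```

On a real system, pass /etc/default/security to the functions instead of the sample file.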
Jason Boissiere_1
New Member

Re: Fresh 11iv3 install has SU_DEFAULT_PATH active?

Thanks for the response, but I understand what the variable does and how I could avoid its effects. I was looking for more specific info.

I'm QAing the product it affects, so I need to know if this is standard behaviour, which will require changes to our product, or something anomalous, which is unlikely to affect our customers.

Can anyone with a fresh 11iv3 confirm those variables as active on their systems? Can anyone point me to some documentation for this change? Can anyone suggest options I may have selected during my install that would have made these variables active?
Geoff Wild
Honored Contributor

Re: Fresh 11iv3 install has SU_DEFAULT_PATH active?

I just did a MCOE 11.31 cold install on Itanium - and in my /etc/default/security, everything is commented out.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Keith Buck
Respected Contributor
Solution

Re: Fresh 11iv3 install has SU_DEFAULT_PATH active?

Jason,

Did you select an Install Time Security Level at install-time? Run 'bastille -l' to find the config which may have been applied.

I believe this would explain the situation you are in. The install time levels are documented in the 11.31 and 11.23 release notes. We would be interested in more details of your problem as you find out more so we can make sure this tradeoff is adequately documented in the Bastille question, as well as any other problems you might notice with an unexpected security level applied. (assuming my guess is correct) We tried to make the documentation clear, but it sounds like you may not have had the opportunity to read it yet :)

Hope that helps.

-Keith
Jason Boissiere_1
New Member

Re: Fresh 11iv3 install has SU_DEFAULT_PATH active?

That looks like the answer, yes.

# bastille -l
The last bastille run corresponds to the following profiles:
/etc/opt/sec_mgmt/bastille/configs/defaults/HOST.config
/etc/opt/sec_mgmt/bastille/config

Looking at this document, http://docs.hp.com/en/5187-2725/ch02s04.html, confirms that config file is used if sec10host is selected during install. I don't remember choosing that option, but the evidence is fairly damning.

There's nothing about install-time security or bastille in http://docs.hp.com/en/5991-6451/5991-6451.pdf, but I suspect that's because the functionality was added in 11iv2. That was factory-installed on our hardware, so 11iv3 is my first install with the functionality. Guess I should have RTFM a little more closely.

Thanks.
Keith Buck
Respected Contributor

Re: Fresh 11iv3 install has SU_DEFAULT_PATH active?

Yes, the release notes for 11i v2 included much more detail about Install-time security because it was new then.

I find it interesting that out of the 80 or so changes that the Host level configured on your system, you didn't mention any of the rest. We are interested in feedback on the right default Install-time Security level (right now it is "tools only, do nothing") and it sounds like most of the changes had little impact on you.

In surveys we've gotten a fairly positive response that folks would like a higher default security level, but it's unclear in those surveys if the respondents had enough details to make an informed decision. Since you just got tripped up by it, your input would be valuable.

Thanks, and glad I was able to help you find the cause...

-Keith
Jason Boissiere_1
New Member

Re: Fresh 11iv3 install has SU_DEFAULT_PATH active?

We don't use our system for any kind of production, it's exclusively QA of our products, so our usage is fairly narrow. On a quick inspection, the only other changes in the sec10 list likely to impact us are the NFS restrictions and the stricter default umask. Overall the list looks very sensible to me.