fuser

Account Not Used
Frequent Advisor

fuser

Can someone tell me what kind of security issues there are with the command "fuser". Currently we only allow our Sys. Admins. to have fuser privileges. Our Oracle DBA group has requested to have it. In the C2 checklist I believe it is recommended to disable the use of this command.
"Who moved my cheese?"
Santosh Nair_1
Honored Contributor

Re: fuser

One thing to keep in mind is that a normal user can copy the fuser executable and just run it as a normal user...so if you're really concerned about security, then you should probably remove the read permissions for other on the /usr/sbin/fuser command.

In response to your original question, fuser allows a user to see the executables that are currently using a given file/filesystem. Not really sure what kind of security implications this might have.

-Santosh
Life is what's happening while you're busy making other plans
Sridhar Bhaskarla
Honored Contributor

Re: fuser

Security implication of giving access to fuser is that it enables killing of processes with no pattern. For ex., if the DBA is given access to use fuser, he/she can kill not only the database processes but also the other processes using the file/file system instead of selective killing which is not a good way of fixing the problem.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Bernie Vande Griend
Respected Contributor

Re: fuser

Yes, you should be very careful of who has access to fuser, since it not only can tell you what processes a device/filesystem etc. has open, but the -k option allows them to kill those processes as well. It shouldn't be given to anyone that doesn't already have access to kill other users' processes. And it should also only be given to those that know how to use it correctly.
I would suggest looking into lsof instead for your DBAs to use. There may be security implications there as well, but nothing obvious that I can think of.
Ye who thinks he has a lot to say, probably shouldn't.
A. Clay Stephenson
Acclaimed Contributor

Re: fuser

The most serious problem is the fuser -k. While this is not a setuid root program and thus your DBAs could not kill processes that they do not own, there is still a BIG problem using fuser -k: it sends a SIGKILL (kill -9), a very BAD way to kill any process.

If I were going to allow non-root users to execute fuser, I would create a wrapper which prevents executing with -k. The other answer is to load lsof; if you like you could download the source and make the command do as little as you want.

Regards, Clay
If it ain't broke, I can fix that.
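The wrapper Clay describes, as an added example that is not part of this thread or of HP-UX itself: a POSIX sh script that refuses any argument carrying the k (kill) flag and otherwise passes the command line through to the real binary. It assumes the real fuser lives at /usr/sbin/fuser (override with FUSER_BIN) and that the script is installed under the hypothetical name fuser-ro.

```sh
#!/bin/sh
# fuser-ro: added example wrapper that forbids fuser -k.
# Assumption: the real binary is /usr/sbin/fuser unless FUSER_BIN is set.
FUSER_BIN="${FUSER_BIN:-/usr/sbin/fuser}"

# Return 0 when no option argument contains the 'k' flag, 1 otherwise.
# fuser options are single letters that may be combined (-ku) and may
# appear between file names (fuser -u f1 - -k f2), so every argument that
# begins with '-' is inspected, not just the first one.
fuser_args_safe() {
    for arg in "$@"; do
        case "$arg" in
            -*k*) return 1 ;;
        esac
    done
    return 0
}

# Validate the argument list, then hand over to the real fuser.
fuser_wrapper() {
    if ! fuser_args_safe "$@"; then
        echo "fuser-ro: the -k (kill) option is not permitted here" >&2
        echo "fuser-ro: use kill(1) with a gentler signal on your own processes" >&2
        return 2
    fi
    exec "$FUSER_BIN" "$@"
}

# Only dispatch when executed as the installed script, so the functions
# can also be sourced (for example by a test) without running anything.
case "${0##*/}" in
    fuser-ro) fuser_wrapper "$@" ;;
esac
```

The wrapper only helps if the DBAs cannot run /usr/sbin/fuser directly, which is Santosh's point about read and execute permission on the original binary; otherwise they simply bypass it. The reject message points users at kill(1) with a gentler signal because SIGKILL is exactly the behaviour the wrapper exists to prevent.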
harry d brown jr
Honored Contributor

Re: fuser

My 2 cents:

Being a security nut, I disagree with the statement that fuser access should be restricted. One should never base their security on the lack of knowledge. I personally prefer lsof over fuser, as lsof gives useful information. Keeping information out of the hands of outsiders is one thing; restricting the productivity of admins, whether they be DBAs or SAs or application administrators, is pure madness.

Look at this document to secure your server:

http://people.hp.se/stevesk/bastion11.html

and this to obtain lsof:

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/lsof-4.55/

I've had and won many arguments that if outsiders were to obtain our IP addresses then they could attack us. Well that is a crock of doo. First we protect ourselves by using firewalls, routers, and bastion servers. What does having knowledge about IPs have to do with anything? Exactly, nothing!

In general, it's usually the people that know nothing about security in general, security in unix, or application security that are placed in charge of security. Why? I have no idea! Ask your admin to ease up.

harry

live free or die