HPE Community
Operating System - HP-UX
1819934 Members
3324 Online
109607 Solutions
New Discussion юеВ

hp-ux /sbin, /usr/bin, /usr/lbin files has execution rights on others

 
jwpark2
Frequent Visitor

тАО02-28-2017 03:35 PM

тАО02-28-2017 03:35 PM

hp-ux /sbin, /usr/bin, /usr/lbin files has execution rights on others

question about user permission on files

files on

/sbin, /usr/bin, /usr/lbin, and so on....

why some files(actually many many files) have permission others to execute.

my english is poor

for example

vgchange, vgmodify files have r-xr-xr-x, why others has execution rights?

how can i change this efficiently?

0 Kudos
Reply
4 REPLIES 4
Steven Schweda
Honored Contributor

тАО02-28-2017 05:05 PM

тАО02-28-2017 05:05 PM

Re: hp-ux /sbin, /usr/bin, /usr/lbin files has execution rights on others

> why some files(actually many many files) have permission others to
> execute.

   Why not?  What harm can an unprivileged user do with such a program?

   Many programs can produce reports which might be interesting to an
unprivileged user.

> how can i change this efficiently?

   First, don't do it.

   Second, don't do it, unless you have a very good reason.

   Third, what, exactly, do you want to change, and to what?


   "chmod" changes file permissions.  "find" finds files according to
various criteria.  As usual, many things are possible.  Many possible
things are unwise.  Is there some actual problem which you are trying to
solve?  If not, then why go looking for trouble?

0 Kudos
Reply
jwpark2
Frequent Visitor

тАО02-28-2017 06:37 PM - edited тАО02-28-2017 07:17 PM

тАО02-28-2017 06:37 PM - edited тАО02-28-2017 07:17 PM

Re: hp-ux /sbin, /usr/bin, /usr/lbin files has execution rights on others

Thanks for you reply, and I'm sorry about this.

I think this is really stupid question.

I want to change these file's permission to "r-xr-x---"(all files in /sbin, /usr/bin, usr/lbin, and so on). I know about commands.

I want to know why default permission setting is r-xr-xr-x.

 

There is an security guideline and security vulnerabilities checking scripts.

It says if there is "unnecessary" permission on executable files, you should remove.

And somebody (actually they are not professional about unix systems and security) run scripts.

On output file of this scripts, there is too many executable files(r-xr-xr-x),

They do not say "Why these files have permission r-xr-xr-x?",

They just say "Others should not have execution rights, change these files r-xr-x---".

How can I explain about this?

Is there some official documents about this?

 

 

0 Kudos
Reply
Steven Schweda
Honored Contributor

тАО02-28-2017 08:24 PM

тАО02-28-2017 08:24 PM

Re: hp-ux /sbin, /usr/bin, /usr/lbin files has execution rights on others

> It says if there is "unnecessary" permission on executable files, you
> should remove.

   Who says what is necessary and what is unnecessary?

>    Many programs can produce reports which might be interesting to an
> unprivileged user.

   Should an unprivileged user be stopped from using "mount" to see a
list of the mounted file systems?  Why?  How would that improve
security?

> I want to know why default permission setting is r-xr-xr-x.

   Why not?  These programs are generally harmless.  Some may be able to
do dangerous things, but they shouldn't do these dangerous things for an
unprivileged user.  But, like "mount", many of them can do useful things
for an unprivileged user.

> I want to change these file's permission to "r-xr-x---"(all files in
> /sbin, /usr/bin, usr/lbin, and so on).

   I can't stop you.  But you may break things for any unprivileged user
who expects to use these common (and harmless) programs.

> How can I explain about this?

   I don't know.  You might ask, "If this is such a big problem, then
why does every UNIX (and UNIX-like) system in the world have the same
big problem?"  (Perhaps it's because this is _not_ a problem.)

   Before you change all these permissions, you might want to think
about how to undo the damage when you start having problems after you
make the changes.  (Or will the people who run these "security"-checking
scripts fix all the problems after you follow their recommendations?)

> Is there some official documents about this?

   I don't know.  Is there any documentation which says that the file
permissions in these directories are an actual security problem?

   Typically, when some "expert" makes changes like this, normal users
get frustrated because they now can't do normal things.  When only
"root" can do normal things, then everyone wants to be "root".  This may
not be the best way to improve security.

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО03-04-2017 06:18 PM

тАО03-04-2017 06:18 PM

Re: hp-ux /sbin, /usr/bin, /usr/lbin files has execution rights on others

>I want to change these file's permission to "r-xr-x---" (all files in /sbin, /usr/bin, usr/lbin, and so on).

 

If you change /usr/bin/ you will be rode out of town on a rail.

 

> Is there some official documents about this?

 

Yes, if you use swverify it will complain you changed the permission.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.