
links owned by nobody?

 
Ratzie
Super Advisor

links owned by nobody?

Just built hp 11.11 and I am running through the CIS benchmarks.

I have links that are not owned by anybody...
Is this right?
We will fail our security audit on this.


5.3 FIND "UNOWNED" FILES & DIRECTORIES
------------------------------------------------
# find / \( -nouser -o -nogroup \) -print


/opt/VRTSob/jre/bin/.start_xfs
/opt/VRTSob/jre/bin/java
/opt/VRTSob/jre/bin/keytool
/opt/VRTSob/jre/bin/policytool
/opt/VRTSob/jre/bin/rmid
/opt/VRTSob/jre/bin/rmiregistry
/opt/VRTSob/jre/bin/tnameserv
/opt/VRTSob/jre/lib/PA_RISC/hotspot
/opt/VRTSob/jre/lib/PA_RISC/libmawt.sl
/opt/VRTSob/jre/lib/PA_RISC2.0/hotspot
/opt/VRTSob/jre/lib/PA_RISC2.0/libmawt.sl
/usr/obam/jre/bin/javakey
/usr/obam/jre/bin/rmiregistry
/usr/obam/X/bin/X
/usr/obam/X/lib/X11/XKeysymDB
/usr/obam/X/lib/libX11.sl
/usr/obam/server/logs


...
lrwxrwxrwx 1 4484 119 13 Mar 26 15:07 java -> .java_wrapper
lrwxrwxrwx 1 4484 119 13 Mar 26 15:07 keytool -> .java_wrapper
lrwxrwxrwx 1 4484 119 13 Mar 26 15:07 policytool -> .java_wrapper
lrwxrwxrwx 1 4484 119 13 Mar 26 15:07 rmid -> .java_wrapper
...
5 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: links owned by nobody?

Hi:

The ownership and permissions of symbolic links don't matter. It's the ownership and permissions of the object to which they point that is important.

Tell your auditors to find another concern.

You can use 'chown -h' to fix the ownership of the links if you wish.

Regards!

...JRF...
Patrick Wallek
Honored Contributor

Re: links owned by nobody?

You should really amend your find. If you want to follow the letter of the benchmark, then you should be doing:

Find unowned directories
# find / -type d \( -nouser -o -nogroup \) -print

Find unowned files
# find / -type f \( -nouser -o -nogroup \) -print

As James said, the permissions of a link are really irrelevant. If you really want to get technical, the auditors would also complain about the permissions on the link since they are '777'.
Dennis Handly
Acclaimed Contributor

Re: links owned by nobody?

>JRF: The ownership and permissions of symbolic links don't matter.

Right.

>Tell your auditors to find another concern.

Unfortunately we had to make a patch to fix some links on 11.23 because it was mentioned that if that user was removed from the system, the links could be removed.

>Patrick:
>Find unowned directories
>Find unowned files

Rather than waste time doing two finds, you can combine them:
# find / \( -type f -o -type d \) \( -nouser -o -nogroup \)

Or probably more correctly to find evil sockets:
# find / ! -type l \( -nouser -o -nogroup \)

>auditors would also complain about the permissions on the link since they are 777.

They may be just smart enough to know that. And that would occur on other OSes but probably not those unowned links.
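
The split discussed in the replies above, as an added example that is not part of any poster's reply: it triages `ls -ld` lines for the unowned hits into symbolic links and real objects. The function names and the sample listing are hypothetical, and it assumes `ls` prints a bare number where an id has no passwd or group entry, as in the listing in the original post.

```shell
#!/bin/sh
# Added example: triage "ls -ld" lines for find's -nouser/-nogroup hits.
# Assumption: ls shows a bare number in the owner or group column when the id
# has no passwd/group entry, as in the listing in the original post.
# Typical feed: find / \( -nouser -o -nogroup \) -exec ls -ld {} \; | triage_unowned

triage_unowned() {
    awk '
    function path(from,    i, p) {           # rejoin names containing spaces
        p = $from
        for (i = from + 1; i <= NF; i++) p = p " " $i
        return p
    }
    NF < 9 { next }                           # not an ls -l entry
    $3 !~ /^[0-9]+$/ && $4 !~ /^[0-9]+$/ { next }   # both ids resolve
    {
        kind = substr($1, 1, 1)
        # Device nodes print "major, minor" in place of size: one extra field.
        p = path((kind == "b" || kind == "c") ? 10 : 9)
        if (kind == "l") {
            sub(/ -> .*$/, "", p)             # keep link name, drop target
            printf "LINK   %s:%s %s\n", $3, $4, p
        } else {
            printf "OBJECT %s:%s %s\n", $3, $4, p
        }
    }'
}

# count_kind LINK|OBJECT: count triage lines of one kind read from stdin.
count_kind() {
    grep -c "^$1 " || true
}

# Constructed sample; only the first line is taken from the thread.
sample_listing() {
    cat <<'EOF'
lrwxrwxrwx 1 4484 119 13 Mar 26 15:07 java -> .java_wrapper
-r-xr-xr-x 1 4484 119 2048 Mar 26 15:07 .java_wrapper
drwxr-xr-x 2 root 119 96 Mar 26 15:07 logs
-r--r--r-- 1 bin bin 512 Mar 26 15:07 owned file.txt
srwxrwxrwx 1 4484 sys 0 Mar 26 15:07 ctl.sock
EOF
}

sample_listing | triage_unowned
```

LINK lines are the candidates for `chown -h`; OBJECT lines are the files, directories and sockets an audit finding would actually concern.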
Ratzie
Super Advisor

Re: links owned by nobody?

Actually, CIS benchmarks should modify the HP benchmarks.
It's unfortunate that HP/Opsware uses these benchmarks directly for their audits.

So we will continue to fail on these audits, until they modify this.
Dennis Handly
Acclaimed Contributor

Re: links owned by nobody?

>It's unfortunate that HP/Opsware uses these benchmarks directly for their audits.
>So we will continue to fail on these audits, until they modify this.

Have you contacted the owners of /opt/VRTSob and /usr/obam so they can fix the problem?