HPE Community
Operating System - HP-UX
1820571 Members
2229 Online
109626 Solutions
New Discussion юеВ

Lock down /var/spool/sockets/pwgr?

 
SOLVED
Go to solution
Trever Furnish
Regular Advisor

тАО09-16-2002 08:30 AM

тАО09-16-2002 08:30 AM

Lock down /var/spool/sockets/pwgr?

Under HPUX 11.11 (and probably others), we have a directory, /var/spool/sockets/pwgr, which seems to hold only socket files.

All of these sockets are created world-writable. More importantly, the directory itself is world-writable, without having the sticky bit set.

I've cleaned up everything else already, removing the o+w bit from most files and directories that had it, setting the rest to sticky - but I'm not sure of the effect on this particular directory.

Can anyone provide info on that directory and how restrictive the permissions can be or how lax they have to be? I'd really prefer not to leave any world-writable directories or normal files without the sticky bit set.
Hockey PUX?
0 Kudos
Reply
4 REPLIES 4
Rodney Hills
Honored Contributor

тАО09-16-2002 08:34 AM

тАО09-16-2002 08:34 AM

Solution

Re: Lock down /var/spool/sockets/pwgr?

This topic came up recently. see-
http://search.hp.com/redirect.html?url=http%3A//forums.itrc.hp.com/cm/QuestionAnswer/1,,0xcc11543254bfd611abdb0090277a778c,00.html&qt=pwgr&hit=1

Generally it has to do with the password/group cache.

-- Rod Hills
There be dragons...
Reply
Anil C. Sedha
Trusted Contributor

тАО09-16-2002 08:35 AM

тАО09-16-2002 08:35 AM

Re: Lock down /var/spool/sockets/pwgr?

Hi,

I believe you should leave the permissions 777 only right now, and change the ownership to root:root.

This will resolve all your issues. Also, the applications should set a sticky bit against their own id's under this directory.

That's what i have on all of my systems.

Regards,
Anil
If you need to learn, now is the best opportunity
0 Kudos
Reply
Trever Furnish
Regular Advisor

тАО09-16-2002 08:40 AM

тАО09-16-2002 08:40 AM

Re: Lock down /var/spool/sockets/pwgr?

Anil,

Setting stuff 777 is exactly what I DON'T want to do - if you have a file mode 777 it doesn't matter who owns it, anyone can write to it. That means any app that can write to /var at all can fill it completely by writing to that directory. It also means that any app can delete the files in the directory, presumably causing negative effects on whatever is using them.

On the other hand, I haven't yet read the link listed above - perhaps that will shed more light on it.
Hockey PUX?
0 Kudos
Reply
Trever Furnish
Regular Advisor

тАО09-16-2002 08:44 AM

тАО09-16-2002 08:44 AM

Re: Lock down /var/spool/sockets/pwgr?

The linked discussion is enough of an answer, although I'll say in passing that I think it's irresponsible of HP to ship the OS in this state in the first place. Thanks for the info, guys - I'll disable it.
Hockey PUX?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.