HPE Community
Operating System - HP-UX
1833458 Members
3249 Online
110052 Solutions
New Discussion

nddconf ownership question

 
Shabu Khan-2
Frequent Advisor

‎06-06-2007 04:44 AM

‎06-06-2007 04:44 AM

nddconf ownership question


We recently had a PCI Audit and the auditors gave us this document from the Center for Internet Security HP-UX Benchmark document and wanted us to implement them as much as we could.

I've question on the nddconf ownership, all the files under /etc/rc.config.d/* are owned by bin:bin, but this document says that the ownership should be root:sys and permissions read for everybody, I don't really see a difference, but would like to know why it should be root:sys?

Any thoughts?

Thanks,
Shabu
0 Kudos
7 REPLIES 7
Patrick Wallek
Honored Contributor

‎06-06-2007 04:50 AM

‎06-06-2007 04:50 AM

Re: nddconf ownership question

bin:bin ownership is the HP standard. I really don't see any reason to change it, especially with the permissions such as they are (read for everyone).
0 Kudos
Steven E. Protter
Exalted Contributor

‎06-06-2007 05:37 AM

‎06-06-2007 05:37 AM

Re: nddconf ownership question

Shalom,

I'm surprised at this document.

bin and root are essentially synonymous.

It makes no difference to security unless an unprivileged user gains write access to a file.

sEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Doug O'Leary
Honored Contributor

‎06-06-2007 05:50 AM

‎06-06-2007 05:50 AM

Re: nddconf ownership question

Hey;

bin:bin <-> root:sys; 6 of one. They're protected system accounts which is all that's important.

I am actually a little surprised to a security audit suggest world read capability. That's one area a black hat could research to find out what's configured to run by default and if there are any unprotected scripts that could be hacked.

Remember, everything in /etc/rc.config.d is sourced several times in a boot sequence; if someone could either edit those files or any files they call, they could very easily crack root.

Doug

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
0 Kudos
Shabu Khan-2
Frequent Advisor

‎06-06-2007 06:13 AM

‎06-06-2007 06:13 AM

Re: nddconf ownership question


Thanks Folks.
I am surprised at some of the things that are in the document as well.
Anyways, so basically there is no difference since both are protected but for consistency sake just go with bin:bin?

Thanks,
Shabu
0 Kudos
A. Clay Stephenson
Acclaimed Contributor

‎06-06-2007 06:25 AM

‎06-06-2007 06:25 AM

Re: nddconf ownership question

and a very compelling reason to leave them as bin:bin is that swconfig will restore them to the default HP-UX attributes as will any future swinstall's.
If it ain't broke, I can fix that.
0 Kudos
Shabu Khan-2
Frequent Advisor

‎06-06-2007 07:03 AM

‎06-06-2007 07:03 AM

Re: nddconf ownership question


Thanks folks, I appreciate your inputs.
Closing this thread out ...

Thanks,
Shabu
0 Kudos
Shabu Khan-2
Frequent Advisor

‎06-06-2007 07:04 AM

‎06-06-2007 07:04 AM

Re: nddconf ownership question

Closed
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.