Operating System - HP-UX
1833904 Members
1888 Online
110063 Solutions
New Discussion

Restricting owner permissions for software depots

 
SOLVED
Go to solution
David Lodge
Trusted Contributor

Restricting owner permissions for software depots

I am planning to force our developers to only release software as software depots (to force versioning and backouts etc)

My question is, is how can I stop the developer doing something like the following in the PSF file:
file_permissions -o root -m 4555
file /usr/bin/sh=/tmp/myrootshell

Or is the only way to do a wrapper script to lock the PSF file into one that they can't alter?

Thanks

dave
5 REPLIES 5
Bill McNAMARA_1
Honored Contributor

Re: Restricting owner permissions for software depots

David Lodge
Trusted Contributor

Re: Restricting owner permissions for software depots

That thread isn't the same as my question - that refers to who has permissions on the depot/package. I want to know how to restrict permissions *within* a developer created package...
harry d brown jr
Honored Contributor

Re: Restricting owner permissions for software depots

Are you installing the package as the root user or as another user?

Write a script to "browse" their package to ensure that they haven't done such. Also, if they have root on their development machine and they chmod 7555 on ksh and put it into their package, then it will come over with 7555 without the file_permission attribute.

You could easily set a policy regarding "packages" and anyone found "cheating" will be reprimanded. Before an install do this:

find / \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; >/tmp/pre_modes

then after the install do this:

find / \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; >/tmp/post_modes
diff /tmp/pre_modes /tmp/post_modes

If there are differences that are not documented, then act on it.

There are legitimate reasons for having files set with root ownership and/or setuid/gid. If it's not documented that this will occur, then again act on it.

live free or die
harry
Live Free or Die
David Lodge
Trusted Contributor

Re: Restricting owner permissions for software depots

Oh well - I'd hoped that there would be an easy answer to this...

I'll just have to strictly control the PSF - doing a tripwire scan of all important files will be too time consuming after every package install! (Not just checking for suid files as they could do much much worse!)

dave
harry d brown jr
Honored Contributor
Solution

Re: Restricting owner permissions for software depots

In the file /var/adm/sw/defaults you could set run_as_superuser=false, which restricts the user to making changes of permissions to only their user name.

live free or die
harry
Live Free or Die