SOLVED
James Armstrong
Advisor

root's PATH

Hi,

We have just been externally audited and one of the recommendations is that we reduce root's path to just /usr/sbin:/sbin:/usr/bin to avoid the risk of trojans etc. I am a bit twitchy about doing this, has anyone got a recommendation for a minimum root path that still allows some flexibility for running most day to day commands without entering the full path.
7 REPLIES
Pete Randall
Outstanding Contributor

Re: root's PATH

Hi James,

The auditor's recommendation would be fine if you have no need to access other installed applications. However, if you have other applications (like Omniback, or your DB, for example), you may want to include those in your path. It really depends on how (and for what) you use root access.


Pete
Stefan Farrelly
Honored Contributor
Solution

Re: root's PATH

I would be very loath to go against the minimum PATH as in /usr/newconfig/etc/PATH
/usr/bin:/usr/ccs/bin:/usr/contrib/bin
without strenuous testing to see the implications.

I've been through many many security audits over the years - one just last week by AOL/Time Warner's top security people, and they never recommended changing root's default path - which is good enough for me. I think it's unnecessary.

I'm from Palmerston North, New Zealand, but somehow ended up in London...
James R. Ferguson
Acclaimed Contributor

Re: root's PATH

Hi James:

This isn't bad. Consider that the default environment supplied by 'cron' for its jobs is '/usr/bin:/usr/sbin:', so the above covers the standard OS commands nicely.

Regards!

...JRF...
James Armstrong
Advisor

Re: root's PATH

Thanks for that guys, I'll reduce it on one of the dev boxes for a while and see if all goes ok.
Steven E. Protter
Exalted Contributor

Re: root's PATH

The auditor's recommendation is a little spartan.

You can break certain applications and scripts by being that tight. Remember in cron scripts you generally have to set the path or use full path names of commands.

Do all of your sysadmin scripts do one or the other? If not, you might be buying a little trouble.

Still, your test approach is top notch. Make sure you notify your auditors of any problems the recommendation causes.

SEP
John Meissner
Esteemed Contributor

Re: root's PATH

We get regular audits at work from external audit companies. They make loads of suggestions to us. We take these as SUGGESTIONS. If you feel the need to leave things in your path statement (such as /usr/contrib/bin - for gzip and gunzip) then I would leave them. They are just making suggestions which your company will need to evaluate to determine risk/benefit.
All paths lead to destiny
Tim Sanko
Trusted Contributor

Re: root's PATH

Comply with the auditors fully. Remove virtually everything from the path. In the .dtprofile or .profile for batches, have a .my_settings file with the appropriate paths. Have it sourced on non-interactive processes.

You can source it from the command line yourself:

# . /root/.my_settings

This brings you into full compliance and lets you do your job with a minimum of grief.
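Whatever PATH you settle on, the check the auditor's "trojan" finding is really about is whether any entry lets a non-root user plant a binary that shadows a command root runs. The script below is an added example, not code from this thread or from HP; it assumes a POSIX sh with ls and cut and is not HP-UX-specific.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits one PATH value the way the
# "trojan" finding implies: every entry must be absolute, exist, and not be
# writable by group or other, otherwise a non-root user could drop a binary
# that shadows a command root runs without typing the full path.
# Findings go to stderr; the number of findings is printed on stdout.
audit_path() {
    _problems=0
    # Append a colon so the loop sees a trailing empty field, which the
    # shell treats as "search the current directory".
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _dir="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_dir" in
            "" | .)
                echo "UNSAFE: empty or '.' entry searches the current directory" >&2
                _problems=$((_problems + 1))
                continue ;;
            /*) ;;
            *)
                echo "UNSAFE: relative entry '$_dir'" >&2
                _problems=$((_problems + 1))
                continue ;;
        esac
        if [ ! -d "$_dir" ]; then
            echo "MISSING: $_dir does not exist; drop it" >&2
            _problems=$((_problems + 1))
            continue
        fi
        # Columns 6 and 9 of 'ls -ld' are the group and other write bits.
        _mode=$(ls -ld "$_dir" | cut -c6,9)
        case "$_mode" in
            *w*)
                echo "WRITABLE: $_dir is group- or other-writable" >&2
                _problems=$((_problems + 1)) ;;
        esac
    done
    echo "$_problems"
}

# Stand-alone use: audit the given PATH string, or this shell's own PATH.
audit_path "${1:-$PATH}"
```

Run it against the candidate path before and after sourcing any .my_settings file, since the additions are where unexpected entries usually come from.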