We're trying to stop a certain group from telneting/sshing out from a server. This is something that is done on Solaris within the firm, but this is the first time we're attempting it on HP-UX.
They use setfacl on Solaris, I've used setacl on HP-UX.
We're removed access to /dev/tcp and /dev/udp for a group called "hcl".
Everything looks cool but doesn't have the desired affect.
$ id
uid=98512(username) gid=106(hcl) groups=20(users)
$ groups
hcl users
$ getacl /dev/tcp
# file: /dev/tcp
# owner: root
# group: root
user::rw-
group::rw-
group:hcl:---
class:rw-
other:rw-
$ telnet 10.216.34.12 2222
Trying...
Connected to 10.216.34.12.domain.com.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.8p1
CLOSE
Protocol mismatch.
Connection closed by foreign host.
Here's how it works on Solaris: (group is called noaccess instead of hcl.
$ id
uid=69(username) gid=0(root)
$ groups
root noaccess
$ getfacl /dev/tcp
# file: /dev/tcp
# owner: root
# group: sys
user::rw-
group::rw- #effective:rw-
group:noaccess:--- #effective:---
mask:rw-
other:rw-
$ getfacl /dev/udp
# file: /dev/udp
# owner: root
# group: sys
user::rw-
group::rw- #effective:rw-
group:noaccess:--- #effective:---
mask:rw-
other:rw-
$ telnet 10.216.34.12
<--- NOTE THAT AT THIS POINT, username CAN'T EVEN READ /dev/udp SO NAME LOOKUP FAILS
10.216.34.12: Unknown host
$ getfacl /dev/udp
# file: /dev/udp
# owner: root
# group: sys
user::rw-
group::rw- #effective:rw-
mask:rw-
other:rw-
$ telnet staupif1 2222 <--- AT THIS POINT, /dev/udp IS READABLE BUT /dev/tcp IS NOT
Trying 10.216.34.12...
telnet: socket: Permission denied
Any ideas why we're not seeing the expected results?
