
Stickybit Configuration on HP-UX 11.23

 
SOLVED
Go to solution
apple
Super Advisor


Dear HP-UX Gurus,
I heard that our operators can shut down the server without using our root id. It can behave like root to shut down the server by configuring the shutdown file as a sticky-bit file, but I just don't know how to do this. Which shutdown file should be set? Please help. Hope to hear from you. Thank you.
-Finas-
15 REPLIES
Dennis Handly
Acclaimed Contributor
Solution

Re: Stickybit Configuration on HP-UX 11.23

>I heard that our operators can shutdown server by not using our root id.

Yes, see shutdown(1M) and /etc/shutdown.allow.
The sticky bit is only needed on the executable.
apple
Super Advisor

Re: Stickybit Configuration on HP-UX 11.23

I don't really understand high-level technical language. I would really appreciate it if you could guide me with an example. Many thanks in advance.
I promise good points. :)
Robert-Jan Goossens
Honored Contributor

Re: Stickybit Configuration on HP-UX 11.23

Hi Finas,

Create a file called /etc/shutdown.allow
# vi /etc/shutdown.allow
root server_name
user server_name
:wq
# chmod 400 /etc/shutdown.allow

Change "user" and "server_name" to the desired user and your system name.

Regards,
Robert-Jan
Dennis Handly
Acclaimed Contributor

Re: Stickybit Configuration on HP-UX 11.23

>I don't really understand high level technical language.

I just said to read the shutdown man page. It discusses the file /etc/shutdown.allow, to which you can add other user IDs.
http://docs.hp.com/en/B2355-60130/shutdown.1M.html

Or:
$ man 1m shutdown
Ivan Krastev
Honored Contributor

Re: Stickybit Configuration on HP-UX 11.23

If you want more than 'shutdown', install and configure sudo.

regards,
ivan
apple
Super Advisor

Re: Stickybit Configuration on HP-UX 11.23

where is the sticky bit?
do we have to change the file permission to sticky bit?
I found this example:
Use a stickybit so that only owner of the file will be able to delete the file.

Set the basic permission
#chmod 766

After that

#chmod u+t ( Sticky bit )

After setting stickybit the permissions can be viewed as follows.

-rwxrw-rwT 1 root sys 1276 Jul 12 2002 xyz

Huhuh. I am confused now. I heard that with the sticky bit on the shutdown file, the operator logs in to the server using the operator id but can perform a shutdown when executing the shutdown file. Please enlighten me...
Robert-Jan Goossens
Honored Contributor

Re: Stickybit Configuration on HP-UX 11.23

Hi Finas,

No need to set the sticky bit on the shutdown executable, the shutdown.allow file is enough.

Regards,
Robert-Jan

Dennis Handly
Acclaimed Contributor

Re: Stickybit Configuration on HP-UX 11.23

>Robert-Jan: No need to set the sticky bit on the shutdown executable

More correctly, the bit IS already set, otherwise shutdown.allow won't work.
James R. Ferguson
Acclaimed Contributor

Re: Stickybit Configuration on HP-UX 11.23

Hi:

> The sticky bit is only needed on the executable.

It is NOT the sticky bit that is set on '/sbin/shutdown'. It is the 'setuid' bit.

When set, a non-owner of the executable who runs the executable runs it with the same effective user-id as the owner. For example, if 'shutdown.allow' is configured to allow user "finas" to shutdown a server, then when "finas" runs 'shutdown' his/her effective uid is 'root', because the SETUID bit is set and the executable file is owned by 'root'.

Please see the 'chmod(1)' and 'chmod(2)' manpages for more information.

When you configure '/etc/shutdown.allow' be sure to include 'root' along with your other users. For example:

myserver1 root
myserver1 finas

The manpages for 'shutdown(1M)' document the use of this file, as noted.

Regards!

...JRF...
Srikanth Arunachalam
Trusted Contributor

Re: Stickybit Configuration on HP-UX 11.23

Hi,

Please see the definition of the sticky bit in simple terms.

The "Sticky Bit" is a permission bit that can be set on either a file or a directory.

If it is set on a file, then that file will remain in memory after execution, thus "sticking" in memory. This is useful when running a multi-user program (such as a bulletin board system that I ran once) to make the program execute faster for the next user. This was a common programming tactic earlier in the history of computer programming when speed and disk space were at a premium.

If the sticky bit is set on a directory, only the owner of files in that directory will be able to modify or delete files in that directory - even if the permissions set on those files would otherwise allow it.

It executes from the user and behaves as if it were executing from root.

Thanks,
Srikanth
apple
Super Advisor

Re: Stickybit Configuration on HP-UX 11.23

If shutdown.allow is set in such a way:
-rwxrw-rwT 1 root sys 1276 Jul 12 2002 shutdown.allow

How does it work and affect the owner, group and other permissions??? Would it be better for the security of the file?
In what case, and for which files, are we really recommended to use this sticky bit?
Happy to read your response, technical and excellent.
Dennis Handly
Acclaimed Contributor

Re: Stickybit Configuration on HP-UX 11.23

>If shutdown.allow is set in such a way:
-rwxrw-rwT 1 root sys

The sticky bit should not be set (probably doesn't matter) nor should the file be writable to everyone. Nor should the data file be executable. Change to 644.

>in what case and files are we really recommended to use this sticky bit.

As JRF corrected, it is the SUID bit on the shutdown executable that does the work.
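As an added example (not code from this thread or from HP-UX itself), the following POSIX shell script rebuilds the two files discussed in these replies inside a temporary directory, so an unprivileged user can run it on any POSIX system: a constructed shutdown.allow using the host/user pairs from JRF's reply, and a stand-in for the setuid executable. It shows where the "s" appears in the ls -l mode field, and audits the data file against Dennis's rule (not writable by group or others, not executable) for both the recommended 644 and the 766-style mode from the question. The real paths /etc/shutdown.allow and /sbin/shutdown are only named in comments; the script does not touch them.

```shell
#!/bin/sh
# Added example, not from the thread or from HP-UX. Everything is built under
# mktemp; "myserver1" and "finas" are the constructed values from JRF's reply.
# The real /etc/shutdown.allow and /sbin/shutdown are never touched.

# First ten characters of the ls -l mode field, e.g. "-rwsr-xr-x".
# Columns 4, 7 and 10 show x, s/S or t/T for owner, group and other.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create the sample tree and print its path.
setup_demo() {
    demo=$(mktemp -d) || exit 1
    # Constructed shutdown.allow: "host user", one pair per line, root included.
    printf 'myserver1 root\nmyserver1 finas\n' > "$demo/shutdown.allow"
    chmod 644 "$demo/shutdown.allow"          # -rw-r--r--: a plain data file
    # Stand-in for /sbin/shutdown: owned by the user running this, with the
    # set-user-ID bit (4000) that the real root-owned binary carries. Because
    # we own it, the bit grants nothing; it only illustrates the mode letter.
    printf '#!/bin/sh\necho "would run shutdown"\n' > "$demo/shutdown"
    chmod 4755 "$demo/shutdown"               # -rwsr-xr-x: note the "s"
    echo "$demo"
}

# Check a shutdown.allow-style data file against Dennis Handly's rule:
# no write bit for group or other, and no execute/setuid/sticky bits.
# Prints each problem found and returns the number of problems (0 = clean).
audit_allow_file() {
    m=$(mode_of "$1")
    problems=0
    # Write bits sit in columns 6 (group) and 9 (other).
    case $(printf '%s' "$m" | cut -c6,9) in
        *w*) echo "$1: writable by group or others ($m)"
             problems=$((problems + 1)) ;;
    esac
    # Execute columns 4, 7, 10 carry x, s/S (setuid/setgid) or t/T (sticky).
    case $(printf '%s' "$m" | cut -c4,7,10) in
        *[xsStT]*) echo "$1: execute/setuid/sticky bits on a data file ($m)"
                   problems=$((problems + 1)) ;;
    esac
    return $problems
}

# Stand-alone demonstration.
demo=$(setup_demo)
echo "executable: $(mode_of "$demo/shutdown")"          # -rwsr-xr-x
echo "data file:  $(mode_of "$demo/shutdown.allow")"    # -rw-r--r--
audit_allow_file "$demo/shutdown.allow" && echo "shutdown.allow: OK"
# Re-create the permissions from the question (766; the sticky bit is left
# off so the script needs no privileges anywhere) and check again.
chmod 766 "$demo/shutdown.allow"
audit_allow_file "$demo/shutdown.allow" || echo "fix with: chmod 644 shutdown.allow"
rm -rf "$demo"
```

On a real system the same audit_allow_file check can be pointed at /etc/shutdown.allow itself; the setuid letter is what `ls -l /sbin/shutdown` shows on the root-owned binary, which is the part Dennis and JRF say does the actual work.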
James R. Ferguson
Acclaimed Contributor

Re: Stickybit Configuration on HP-UX 11.23

Hi (again):

> in what case and files are we really recommended to use this sticky bit.

For FILES, setting the 'sticky' bit (which when set shows as "t" or "T" in the mode listing) is really only meaningful for executable files. The idea is that the text (code instructions) of an executable file will be left in swap space when the process represented by the executable file terminates. This is supposed to lead to a faster startup of a new process when a new user executes the same file.

For files that are not executables (code) the sticky bit has no meaning.

For DIRECTORIES, setting the 'sticky' bit for the DIRECTORY adds a certain security to the FILES within. When set for a directory, files in that directory can only be removed or renamed by the *owner* of the file, the owner of the directory or, of course, the 'root' user.

Lastly, you will encounter the 'sticky' bit set on certain symbolic links (notably '/bin' and '/lib'). This is a special setting called a "transition link". Transition links are really just symbolic links established with a special utility called 'tlinstall'. They appeared during the transition from HP-UX 9.x to HP-UX 10.0, when the layout of the Unix filesystems was redrafted.

If you are interested in that history, see this document:

http://docs.hp.com/en/5963-8942/index.html

Regards!

...JRF...
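As an added example (not code from this thread or from HP-UX), the following POSIX shell script shows how the sticky bit appears in an ls -l listing and why the question's listing ends in an uppercase "T" rather than a lowercase "t". It creates two throw-away shared directories under mktemp, one with mode 1777 and one with 1776, decodes the last mode column, and reports what the bit means on a directory versus a regular file as JRF describes. The directory names are constructed; nothing outside the temporary directory is modified.

```shell
#!/bin/sh
# Added example, not from the thread. Uses throw-away directories under
# mktemp so it runs as an unprivileged user on any POSIX system.

# First ten characters of the ls -l mode field.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Build two world-writable shared directories (constructed names) and print
# the parent path.
make_sticky_demo() {
    d=$(mktemp -d) || exit 1
    mkdir "$d/shared" "$d/shared_nosearch"
    chmod 1777 "$d/shared"            # drwxrwxrwt: sticky, "other" may search
    chmod 1776 "$d/shared_nosearch"   # drwxrwxrwT: sticky, "other" may not
    echo "$d"
}

# Decode the last column of a mode string (the "other" execute position),
# where ls folds the sticky bit in with the execute bit:
#   t = sticky + execute, T = sticky without execute, x = execute only.
explain_last_char() {
    case $(printf '%s' "$1" | cut -c10) in
        t) echo "sticky bit set; others may execute/search" ;;
        T) echo "sticky bit set; others may NOT execute/search" ;;
        x) echo "no sticky bit; others may execute/search" ;;
        -) echo "no sticky bit; others may not execute/search" ;;
        *) echo "unrecognised mode string: $1"; return 1 ;;
    esac
}

# What the sticky bit means on a given path, following JRF's reply:
# on a directory it restricts delete/rename; on a regular file it is only
# the historical "keep the text in swap" hint.
sticky_meaning() {
    if [ -d "$1" ] && [ -k "$1" ]; then
        echo "directory: files inside can be removed or renamed only by their owner, the directory owner or root"
    elif [ -k "$1" ]; then
        echo "regular file: sticky bit set; historical meaning only (see above)"
    else
        echo "sticky bit not set"
    fi
}

# Stand-alone demonstration.
d=$(make_sticky_demo)
for p in "$d/shared" "$d/shared_nosearch"; do
    m=$(mode_of "$p")
    echo "$p: $m -> $(explain_last_char "$m")"
done
# The listing pasted in the question, decoded directly from the string.
echo "-rwxrw-rwT -> $(explain_last_char -rwxrw-rwT)"
sticky_meaning "$d/shared"
rm -rf "$d"
```

The uppercase "T" in the question's `-rwxrw-rwT` therefore says two things at once: the sticky bit is on, and "other" has no execute permission; on a regular data file neither bit belongs there, which is why the earlier reply recommends 644.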
Sp4admin
Trusted Contributor

Re: Stickybit Configuration on HP-UX 11.23

The forum has spoken!

Just create the shutdown.allow file, make the needed entry, and you should be good to go. It's also a good idea to read the man page to get a better understanding.

sp,
apple
Super Advisor

Re: Stickybit Configuration on HP-UX 11.23

Thanks a lot Gurus. :)