Operating System - HP-UX

OzTEXS
Advisor

su set to public executable

hi all,

just looking through our audit report and it seems our "su" command is set to public executable, which is an audit breach.

my question is, if the attributes of su are
"-r-sr-xr-x" how can I change this so it's no longer public executable?

We are running HP-UX v11.0 ?

Kind Regards,
oz
7 REPLIES
Procnus
Frequent Advisor

Re: su set to public executable

My first thought is that you don't want to change the execute permissions. If you remove execute permissions for all you won't be able to su to root from a normal user login. That could cause problems in future. I'd leave it alone.

Steven
OzTEXS
Advisor

Re: su set to public executable

I want to leave it alone; however, according to the auditors it's a security breach. Here are the auditors' comments.

"The su command was set to public executable, with the result that account hacking by any users using this command would not be subject to intruder lockout."

I was thinking chmod 4550 may do the trick ?

Cheers,
oz
Michael Tully
Honored Contributor
Solution

Re: su set to public executable

I'd recommend you leave it alone. The 'su' binary is used by a number of items, especially scripts and many applications. I've never seen any auditing requirement in 20 years of IT that has stipulations like this. I would be getting these auditors to sign off on doing this, making it their responsibility. I would never remove this access without questioning it quite strongly, and even then, if your system falls apart by not being able to administer it properly, make sure your management know who are the guilty party. Each use of 'su' is logged into the /var/adm/sulog in any case for auditing, successful and unsuccessful. The best way of tying up passwords is to change them frequently using either (man4 password) or by setting your system to trusted. You could also implement 'sudo', particularly for sys admins.
Anyone for a Mutiny ?
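The point above that every su attempt is recorded in /var/adm/sulog can be turned into a check for the auditors' password-guessing concern. The script below is an added example, not part of the original thread; it assumes the conventional System V sulog layout (`SU MM/DD HH:MM +|- tty from-to`), and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise failed su attempts.
# Assumed sulog line layout (conventional System V format):
#   SU MM/DD HH:MM <+|-> <tty> <from>-<to>
# "+" marks a successful su, "-" a failed one.

# su_failures FILE THRESHOLD
# Prints one line per <from>-<to> pair with at least THRESHOLD failures:
#   <from>-<to> <failures> <date/time of last failure> <yes|no>
# The last column is "yes" when a success was logged after the latest failure,
# which is the pattern worth reviewing first.
su_failures() {
    awk -v min="$2" '
        $1 == "SU" && NF >= 6 {
            pair = $6
            if ($4 == "-") {
                fails[pair]++
                last[pair] = $2 " " $3
                hit[pair] = "no"
            } else if ($4 == "+" && fails[pair] > 0) {
                hit[pair] = "yes"
            }
        }
        END {
            for (p in fails)
                if (fails[p] >= min)
                    print p, fails[p], last[p], hit[p]
        }
    ' "$1" | sort
}

# Constructed sample data in the assumed format, for trying the function offline.
make_sample() {
    cat <<'EOF'
SU 03/14 09:01 + ttyp1 oz-root
SU 03/14 09:40 - ttyp3 jdoe-root
SU 03/14 09:40 - ttyp3 jdoe-root
SU 03/14 09:41 - ttyp3 jdoe-root
SU 03/14 09:43 + ttyp3 jdoe-root
SU 03/14 10:15 - ttyp2 oz-oracle
SU 03/14 11:02 - ttyp4 batch-root
SU 03/14 11:02 - ttyp4 batch-root
SU 03/14 11:03 - ttyp4 batch-root
SU 03/14 11:03 - ttyp4 batch-root
EOF
}

# Usage: sh su_failures.sh /var/adm/sulog 3
if [ $# -ge 1 ]; then su_failures "$1" "${2:-3}"; fi
```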
Michael Tully
Honored Contributor

Re: su set to public executable

I've read the comments from your auditors ....

The safeguard in the 'su' program is that any account other than root, requires a password to continue. Changing it can render your system useless. I would rather have the 'su' command open for use with the ability to make sure that a password is entered, rather than be able to log in as root directly. Changing it to 4550 is no good either. Is your system going to get hacked internally in your own company?? If you have the system in a DMZ for example (out in internet land) there are far better ways to secure your system.
Anyone for a Mutiny ?
Sanjay_6
Honored Contributor

Re: su set to public executable

Hi,

Su command has to be world executable. There is no beating around the bush with that. Do your auditors know what they are auditing and the impact in demanding things like this? Looks like this is their first experience with this kind of auditing.

Hope this helps.

Regds
Bill Hassell
Honored Contributor

Re: su set to public executable

The purpose of su is to allow an ordinary user to gain access to another account (including root). To disable public execution rights essentially disables the command for all but root. This could seriously disable your applications if they use su (like Oracle scripts).

However, the implication that users could launch attacks without a lockout is not correct for patched versions of HP-UX. Repeated su attempts will lock out any target account, just like telnet attacks. su will not provide the attacker with any feedback that the account was disabled. su uses PAM for authentication just like login/passwd.


Bill Hassell, sysadmin
OzTEXS
Advisor

Re: su set to public executable

Thanks all,

I have sent an email to our head office admins to ask what they have their su command set at. This will give me an indication of how they have their system set up.

Awaiting reply ....