SUID & SGID

unixadmin_1
Frequent Advisor

SUID & SGID

Hi Everybody,

I want to start a new thread. I had gone through a lot of answers which were not really working. Please read this carefully. Please find the attached documents sent already.

Deviation:-
The following Audit Issues Identified by the Auditor General has still not been resolved:-

The switch user identification (SUID) and switch group identification (SGID) permissions were still used. If an SUID program were to give users unintended write access, the system would be exposed as the SUID program could be replaced by a program with a different function and be used to gain unrestricted access to root. The use of an SGID bit creates a special program, allowing an otherwise restricted user to access certain files in a predetermined way. (Refer to paragraphs 22 and 23 of the SekChek report.)

22 SUID Permissions.doc - Paragraph 22 of the SekCheck report resides within this document.
23 SGID Permissions.doc - Paragraph 23 of the SekCheck report resides within this document.

Urgent Request:-
Please can you load an emergency change to ensure that the system is in compliance by ensuring that:-

1) Review the list of programs with SGID and SUID Access.
2) Verify if access is applicable.
3) Restrict SGID and SUID Access from programs that do not require this access.

Please come up with the best solution for the above; you can find the 2 attachments.
Matti_Kurkela
Honored Contributor

Re: SUID & SGID

The auditor is trying to make sure that *you*, the sysadmin, understand what each of the listed programs/commands do and that you have verified their permissions are appropriate to *your* environment.

Some SUID/SGID permissions are appropriate and required for the system to work normally. Some are extra conveniences that may be disabled if security is more important than convenience.

For example:
The "sudo" command (/opt/sudo/bin/sudo) requires SUID root permissions. If they are removed, the command cannot perform its primary function and becomes useless.

The "glance" utility (/opt/perf/bin/glance) has SUID root permissions so that users other than root can access full performance statistics on the system. If only the root user is required to use "glance" in your environment, you can remove the SUID permission. If something is (supposed to be) run only by the root user, it generally does not need SUID root permission.

Removing the permissions is easy: "chmod u-s" removes the SUID permission, "chmod g-s" removes SGID. The problem is in knowing what to remove and what to leave alone.

Whoever responds to this request *must* have in-depth knowledge about your system and how it is used. As a sysadmin, you *should* have the knowledge and access to the necessary documentation. In this case, Informix documentation would seem to be rather important.

It may be important that you can justify your actions: "HP-UX documentation says this file must have these permissions, and it is designed to have them" is usually an OK answer to an auditor; "We've tested it and this thing does not work without it" is another template for a good answer.

If you're requested to explain why some file should have SUID/SGID permissions, and all you have to say is essentially: "Some guy on the Internet said so", guess what is going to happen?

MK
unixadmin_1
Frequent Advisor

Re: SUID & SGID

Thank you very muchhhhhhhhhhhhhh
OldSchool
Honored Contributor
Solution

Re: SUID & SGID

basically, the audit identified a number of files that have either the set uid or set gid switches set. as the auditor noted, this is a potential security vulnerability.

as noted above, now you need to review the list and determine if those settings are appropriate for each of the indicated programs, and possibly document why (i.e. recommended/required by informix, or whatever).

note that inappropriate changes made to these settings, for example simply removing them w/o checking, can result in non-functional applications.

Note that this question is different from your other post. In the other one, you kept asking "how do I keep some users from ...."

also:
"I have assigned points to 0 of 91 responses to my questions"

nice...

sujit kumar singh
Honored Contributor

Re: SUID & SGID

hello unixadmin,

please assign the points to the posts made in response to your question

assigning points might lead you to get better responses from the teams

please look at the following thread:

See this link for probably a better description than I've given:

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

regards
Sujit
unixadmin_1
Frequent Advisor

Re: SUID & SGID

Everything is fine. chmod u-s: is it or < user name >? If wrong, please forgive me. Thank you.
Patrick Wallek
Honored Contributor

Re: SUID & SGID

You change the mode (chmod) on FILES not users.

chmod u-s

You should also check the man page for further information.

man chmod
sujit kumar singh
Honored Contributor

Re: SUID & SGID

hello Sir,

i did not write anything fruitful and you assigned points to me .... please also see the thread on assigning points; it definitely tells how much you got helped .... and the degree to which the post was useful for you ....

Regards
Sujit
Dennis Handly
Acclaimed Contributor

Re: SUID & SGID

You have attached a list of files with SETUID and SETGID. If you want to simplify the list, you can check who created the file and assume that any that were created by HP are valid.
First extract only the file paths out of your report and do the following:
1) Put the list of suspect files in a file setuid_list.
2) swlist -l file | grep -f setuid_list

You have currently not assigned points to these threads:
http://forums.itrc.hp.com/service/forums/pageList.do?userId=WW189668&listType=unassigned&forumId=1
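The review procedure the replies describe (Matti's "know what to remove", Dennis's "cross-check against swlist -l file"), as an added example that is not part of the thread: it inventories files carrying the setuid/setgid bits, keeps only the paths the vendor inventory does not claim, and records the old mode before any bit is cleared. swlist is not run here; the vendor list and the sample paths are constructed stand-ins, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Names, sample paths and the
# swlist-style vendor listing are constructed for illustration.

# Step 1: inventory. Print every regular file under $1 that carries
# the setuid (4000) or setgid (2000) bit, one path per line.
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Step 2: cross-check. $1 = suspect paths (one per line), $2 = a file
# holding "swlist -l file"-style output where each line ends with the
# installed path. Prints the paths no vendor fileset accounts for;
# those are the ones that need a written justification or a chmod.
unaccounted() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # exact match on the last field, so /usr/bin/su != /usr/bin/sudo
        awk -v p="$path" '$NF == p { found = 1 } END { exit !found }' "$2" \
            || printf '%s\n' "$path"
    done < "$1"
}

# Step 3: when a path is judged unneeded, keep its old mode on record
# ($2 = log file) before clearing both bits, so the change can be
# justified to the auditor or reverted if an application breaks.
clear_bits() {
    ls -ld "$1" >> "$2"
    chmod u-s,g-s "$1"
}

# Constructed walk-through in a scratch tree: two setuid files, one
# setgid file, and a vendor list that claims only the /usr/bin ones.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/opt/local/bin"
    : > "$d/usr/bin/passwd";        chmod 4755 "$d/usr/bin/passwd"
    : > "$d/usr/bin/mail";          chmod 2755 "$d/usr/bin/mail"
    : > "$d/opt/local/bin/backup";  chmod 4755 "$d/opt/local/bin/backup"
    suid_inventory "$d" | sed "s|^$d||" | sort > "$d/setuid_list"
    printf 'OS-Core.UX-CORE: /usr/bin/passwd\nOS-Core.UX-CORE: /usr/bin/mail\n' \
        > "$d/vendor"
    unaccounted "$d/setuid_list" "$d/vendor"     # -> /opt/local/bin/backup
    clear_bits "$d/opt/local/bin/backup" "$d/changes.log"
    suid_inventory "$d/opt" | wc -l | tr -d ' '  # -> 0 once cleared
    rm -rf "$d"
}
```

On the real system, replace the constructed vendor file with the saved output of swlist -l file and feed the audit's path list as setuid_list; anything unaccounted still has to be judged against the application documentation before clear_bits is run.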
unixadmin_1
Frequent Advisor

Re: SUID & SGID

Thanks