- SUID & SGID
01-20-2009 05:35 AM
I want to start in a new thread. I had gone through a lot of answers which were not really working. Please read this carefully. Please find the attached documents sent already.
Deviation:-
The following Audit Issues Identified by the Auditor General has still not been resolved:-
The switch user identification (SUID) and switch group identification (SGID) permissions were still used. If an SUID program were to give users unintended write access, the system would be exposed as the SUID program could be replaced by a program with a different function and be used to gain unrestricted access to root. The use of an SGID bit creates a special program, allowing an otherwise restricted user to access certain files in a predetermined way. (Refer to paragraphs 22 and 23 of the SekChek report.)
22 SUID Permissions.doc - Paragraph 22 of the SekChek report resides within this document.
23 SGID Permissions.doc - Paragraph 23 of the SekChek report resides within this document.
Urgent Request:-
Please can you load an emergency change to ensure that the system is in compliance by ensuring that:-
1) Review the list of programs with SGID and SUID Access.
2) Verify if access is applicable.
3) Restrict SGID and SUID Access from programs that do not require this access.
Please come up with best solution for the above and you can find 2 attachments
01-20-2009 07:05 AM
Re: SUID & SGID
Some SUID/SGID permissions are appropriate and required for the system to work normally. Some are extra conveniences that may be disabled if security is more important than convenience.
For example:
The "sudo" command (/opt/sudo/bin/sudo) requires SUID root permissions. If they are removed, the command cannot perform its primary function and becomes useless.
The "glance" utility (/opt/perf/bin/glance) has SUID root permissions so that users other than root can access full performance statistics on the system. If only the root user is required to use "glance" in your environment, you can remove the SUID permission. If something is (supposed to be) run only by the root user, it generally does not need SUID root permission.
Removing the permissions is easy: "chmod u-s
Whoever responds to this request *must* have in-depth knowledge about your system and how it is used. As a sysadmin, you *should* have the knowledge and access to the necessary documentation. In this case, Informix documentation would seem to be rather important.
It may be important that you can justify your actions: "HP-UX documentation says this file must have these permissions, and it is designed to have them" is usually an OK answer to an auditor; "We've tested it and this thing does not work without it" is another template for a good answer.
If you're requested to explain why some file should have SUID/SGID permissions, and all you have to say is essentially: "Some guy on the Internet said so", guess what is going to happen?
MK
01-20-2009 07:39 AM
Re: SUID & SGID
01-20-2009 08:01 AM
Solution
as noted above, now you need to review the list and determine if those settings are appropriate for each of the indicated programs, and possibly document why (i.e. recommended/required by Informix, or whatever).
note that inappropriate changes made to these settings, for example simply removing them w/o checking, can result in non-functional applications.
Note that this question is different from your other post. In the other one, you kept asking "how do I keep some users from ...."
also:
"I have assigned points to 0 of 91 responses to my questions"
nice...
01-20-2009 08:03 AM
Re: SUID & SGID
Please assign the points to the posts made in response to your question.
Assigning points might lead you to get better responses from the teams.
please look at the following thread:
See this link for probably a better description than I've given:
http://forums1.itrc.hp.com/service/forums/helptips.do?#33
regards
Sujit
01-20-2009 08:09 AM
Re: SUID & SGID
01-20-2009 08:12 AM
Re: SUID & SGID
chmod u-s
You should also check the man page for further information.
man chmod
01-20-2009 08:28 AM
Re: SUID & SGID
I did not write anything fruitful and you assigned points to me .... please also see the thread on assigning the points, it definitely tells how much you got helped .... and degree regarding how much the post was useful for you ....
Regards
Sujit
01-20-2009 02:15 PM
Re: SUID & SGID
First extract only the file paths out of your report and do the following:
1) Put the list of suspect files in a file setuid_list.
2) swlist -l file | grep -f setuid_list
You have currently not assigned points to these threads:
http://forums.itrc.hp.com/service/forums/pageList.do?userId=WW189668&listType=unassigned&forumId=1
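The review steps requested in the first post, combined with the `swlist -l file` cross-check suggested above, can be scripted as follows. This is an added example, not part of any post in the thread. The function names, the approved-list file and the saved `swlist -l file` output file are hypothetical, and the script assumes each line of both files ends with the file path as its last whitespace-separated field.

```shell
#!/bin/sh
# Added example: sort SUID/SGID files into a review queue.
# Assumed inputs (hypothetical names):
#   approved.txt - one justified path per line (from vendor docs or testing)
#   swfiles.txt  - saved output of `swlist -l file`
# Limitation: paths containing whitespace are not matched.

# list_setid ROOT: print regular files under ROOT with SUID or SGID set.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# in_list FILE PATH: succeed if PATH is exactly the last field of a line in FILE.
# An exact field match avoids the substring and regex hits of `grep -f`.
in_list() {
    awk -v p="$2" '$NF == p { found = 1; exit } END { exit !found }' "$1"
}

# triage ROOT APPROVED SWFILES: print one line per set-ID file:
#   APPROVED path - a documented justification already exists
#   PACKAGED path - delivered by an installed product; check its documentation
#   UNKNOWN  path - neither approved nor packaged; investigate first
triage() {
    list_setid "$1" | while IFS= read -r f; do
        if in_list "$2" "$f"; then
            echo "APPROVED $f"
        elif in_list "$3" "$f"; then
            echo "PACKAGED $f"
        else
            echo "UNKNOWN $f"
        fi
    done
}

# Usage: sh triage.sh / approved.txt swfiles.txt
if [ "$#" -eq 3 ]; then
    triage "$@"
fi
```

The script only orders the review; whether a permission can be removed from a PACKAGED or UNKNOWN entry still has to be decided and tested per program, as the replies above describe.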
02-12-2009 05:03 AM