- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: SUID bit enaled on the filesystem
Operating System - HP-UX
1819850
Members
2742
Online
109607
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-06-2007 07:20 AM
тАО03-06-2007 07:20 AM
SUID bit enaled on the filesystem
Hi All,
What is the pros/cons of setting the SUID bit on a filesystem? Appricaite your comments.
Thanks
kesh
What is the pros/cons of setting the SUID bit on a filesystem? Appricaite your comments.
Thanks
kesh
be good and do good
5 REPLIES 5
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-06-2007 07:28 AM
тАО03-06-2007 07:28 AM
Re: SUID bit enaled on the filesystem
Shalom,
Pro: It will make it much easier to hack your system. No. That's a con.
Con: It will enable you to create security hazards, eg programs with root privileges that can be used to hack your system.
It will make you fail your next security audit.
It would be helpful to know why you are asking this question.
SEP
Pro: It will make it much easier to hack your system. No. That's a con.
Con: It will enable you to create security hazards, eg programs with root privileges that can be used to hack your system.
It will make you fail your next security audit.
It would be helpful to know why you are asking this question.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-06-2007 07:31 AM
тАО03-06-2007 07:31 AM
Re: SUID bit enaled on the filesystem
Do you mean you want to add the suid option to the mount command or that you want to set the suid bit on the directory that the filesystem mounts?
If you mean as a mount option it will allow files with the suid bit set to run suid. But if you mean you want to suid a directory. Then when a file is created in the directory the file would have the same owner as the SUID directory, regardless of who creates the file.
If you mean as a mount option it will allow files with the suid bit set to run suid. But if you mean you want to suid a directory. Then when a file is created in the directory the file would have the same owner as the SUID directory, regardless of who creates the file.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-06-2007 07:42 AM
тАО03-06-2007 07:42 AM
Re: SUID bit enaled on the filesystem
There is no SUID bit on a filesystem rather it is a mount option (typically -o suid or -o nosuid) to allow or not allow the setuid bit on files to function. While it may appear to be a good idea to disable setuid programs, be very careful. For example, if setuid is not allowed on /usr then you just broke the passwd command when used by ordinary users. Similarly, if you disabled setuid execution you would break sudo --- which is used as a secure tool.
As a general rule, I'm not opposed to setuid programs but setuid scripts are a dangerous security hole and should never be allowed.
Rather than setting the nosuid mount option, it typically makes more sense to have a daemon run periodically and look for any setuid/setgid files and compare via cksum to known, safe versions. After a system setup, I typically create a database that has the time of last modication, owner, group, and mode of each setuid/program and then periodically compare my system to the values in the database.
As a general rule, I'm not opposed to setuid programs but setuid scripts are a dangerous security hole and should never be allowed.
Rather than setting the nosuid mount option, it typically makes more sense to have a daemon run periodically and look for any setuid/setgid files and compare via cksum to known, safe versions. After a system setup, I typically create a database that has the time of last modication, owner, group, and mode of each setuid/program and then periodically compare my system to the values in the database.
If it ain't broke, I can fix that.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-06-2007 08:43 AM
тАО03-06-2007 08:43 AM
Re: SUID bit enaled on the filesystem
In /etc/fstab, the default is to enable SUID programs and scripts to run. However, it is a VERY good idea to disable SUID for user-writable directories such as /var /tmp and /home. DO NOT EVER add nosuid to OS filesystems such as /opt, /usr and /.
Bill Hassell, sysadmin
Bill Hassell, sysadmin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-06-2007 09:07 AM
тАО03-06-2007 09:07 AM
Re: SUID bit enaled on the filesystem
I know you might have gathered enough from the above posts to decide for yourself.
Sometimes SETUID is a necessity for certain applications. One example could be Oracle, which will not start if the SETUID is not set/allowed on its oracle binary file.
It is best to evaluate the setting on a case by case basis. You may need to leave it at the defaul in certain cases as discussed above.
Sometimes SETUID is a necessity for certain applications. One example could be Oracle, which will not start if the SETUID is not set/allowed on its oracle binary file.
It is best to evaluate the setting on a case by case basis. You may need to leave it at the defaul in certain cases as discussed above.
Learn What to do ,How to do and more importantly When to do ?
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Learn About
News and Events
Support
© Copyright 2025 Hewlett Packard Enterprise Development LP