
SUID, SGID & Permission Issue on HPUX 11.31

 
shameemsoft
Frequent Advisor

SUID, SGID & Permission Issue on HPUX 11.31

Dear,

I have removed SUID on the files below.

/usr/sbin/swacl
/usr/sbin/swcopy
/usr/sbin/swinstall
/usr/sbin/swlist
/usr/sbin/swmodify
/usr/sbin/swreg
/usr/sbin/swremove
/usr/sbin/swverify

I have removed SGID on the file below.

/usr/bin/netstat

I have changed /var/adm/syslog/syslog permission from 644 to 600.

As per our CIT policy, I have made these changes on all our servers.

But after some time, the settings change back to the old ones automatically, and it is happening only on a few servers (not all our servers). That's why I am confused about these changes.

How do I resolve this issue? Kindly help me with this.

Thanks In Advance
Shameem
Dennis Handly
Acclaimed Contributor
Solution

Re: SUID, SGID & Permission Issue on HPUX 11.31

>I have removed SUID on below files

Why? These already protect themselves from unauthorized users. And if you don't want swlist working for ordinary users, you can configure that too.

>it is changed to old setting automatically

"swmodify -F" will detect you fiddled with the correct permissions and restore them. Was that used?
shameemsoft
Frequent Advisor

Re: SUID, SGID & Permission Issue on HPUX 11.31

Dear Dennis,

Thanks for your response.

>>Why? These already protect themselves from unauthorized users. And if you don't want swlist working for ordinary users, you can configure that too.

As per the CIT policy in our organization, these changes need to be done.

Will any issue occur due to these changes?

>>"swmodify -F" will detect you fiddled with the correct permissions and restore them. Was that used?

We were not using this command after making these changes.

Still, it is changing back to the old setting.

Kindly help me with this.

Thanks
Shameem
Dennis Handly
Acclaimed Contributor

Re: SUID, SGID & Permission Issue on HPUX 11.31

>As per the CIT policy in our organization, these changes need to be done.

Does your policy allow for exceptions based on vendor configurations/recommendations?

>Will any issue occur due to these changes?

Normal users can't use those commands.

>We were not using this command after making these changes. Still, it is changing back to the old setting.

Then a sysadmin must be changing it manually.

You could use "ll -c /usr/sbin/swlist" to see the time of last inode changes.
Be aware there are 11+ hardlinks to the same sw* program.
shameemsoft
Frequent Advisor

Re: SUID, SGID & Permission Issue on HPUX 11.31

Dear Dennis,

Thanks for your response.

>>Does your policy allow for exceptions based on vendor configurations/recommendations?

It is possible based on vendor recommendation. We don't want this command to be used by normal users.

I found that the /var/adm/syslog/syslog.log file permission changed from 600 to 644 automatically after rebooting the server. Is it related to any ACL? How do I resolve this issue?

Could you provide the hardlink details of sw*?

Thanks & Regards
Shameem
Dennis Handly
Acclaimed Contributor

Re: SUID, SGID & Permission Issue on HPUX 11.31

>It is possible based on vendor recommendation. We don't want this command to be used by normal users.

Then you should leave the permissions alone and look into swacl to prevent users from using the commands.

>I found that the /var/adm/syslog/syslog.log file permission changed from 600 to 644 automatically after rebooting the server. Is it related to any ACL? How do I resolve this issue?

Since the file is recreated at each reboot, the default permissions apply. I'm not sure if they come from the umask default or some configuration?

>Could you provide the hardlink details of sw*?

ll -i /usr/sbin/sw*
Then look for all files with the same inode.
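
The inode check suggested above (`ll -i` plus `ll -c`), as an added example that is not part of the original thread: a POSIX shell function that groups names by inode and reports setuid/setgid state and the inode change time once per inode. The function names and the sample directory built by `make_sample` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Groups directory entries by inode so hard-linked names are
# reported once, with setuid/setgid state and the inode change time (ctime).
# Assumes names without whitespace, as is the case for /usr/sbin/sw*.

audit_links() {   # usage: audit_links DIR 'GLOB'
    # LC_ALL=C fixes the date to three fields; -c makes ls -l show ctime.
    ( cd "$1" && LC_ALL=C ls -lic $2 2>/dev/null ) | awk '
    {
        ino = $1
        mode[ino]  = substr($2, 1, 10)   # drop any ACL marker after the mode
        links[ino] = $3
        ctime[ino] = $7 " " $8 " " $9
        names[ino] = names[ino] " " $NF
        found[ino]++
    }
    END {
        for (i in mode) {
            flag = ""
            # s or S in the owner-execute slot is setuid, in the group slot setgid
            if (substr(mode[i], 4, 1) ~ /[sS]/) flag = flag "SUID"
            if (substr(mode[i], 7, 1) ~ /[sS]/) flag = flag "SGID"
            if (flag == "") flag = "none"
            # found < links means more names for this inode exist elsewhere
            printf "inode=%s mode=%s links=%s found=%d special=%s ctime=%s names=%s\n",
                   i, mode[i], links[i], found[i], flag, ctime[i], names[i]
        }
    }' | sort
}

make_sample() (   # constructed stand-in for /usr/sbin, not real HP-UX binaries
    mkdir -p "$1" && cd "$1" || exit 1
    : > swinstall
    ln swinstall swlist && ln swinstall swremove
    chmod 4555 swinstall           # set via one name, applies to the inode
    : > plainfile && chmod 555 plainfile
)

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_sample "$d"
    audit_links "$d" 'sw*'
    chmod u-s "$d/swlist"          # one name changed ...
    audit_links "$d" 'sw*'         # ... every linked name loses setuid
    rm -rf "$d"
fi
```

Run the script with the argument `demo` to see the constructed sample; on a real host, `audit_links /usr/sbin 'sw*'` reports each inode once, and a recent ctime shows when the mode was last changed.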
shameemsoft
Frequent Advisor

Re: SUID, SGID & Permission Issue on HPUX 11.31

Dear Dennis,

I found that the /var/adm/syslog/syslog.log file permission is changed due to the UMASK configuration in the syslog startup script (/sbin/rc2.d/S546syslog-ng). It is 022.

Is it advisable to change it to 077 to achieve our task?

Thanks & Regards
Shameem

Dennis Handly
Acclaimed Contributor

Re: SUID, SGID & Permission Issue on HPUX 11.31

>Is it advisable to change it to 077 to achieve our task?

Yes, that seems like the correct minimal change to make it permanent.
shameemsoft
Frequent Advisor

Re: SUID, SGID & Permission Issue on HPUX 11.31

Dear Dennis,

Thanks a lot. It is working for the syslog.log file.