
Re: User security issue

 
SOLVED
Hoang Chi Cong_1
Honored Contributor

User security issue

Hi all,
I have a question; it seems a traditional question, but I don't know how to solve it now....

The question is:
I want to prevent unauthorized user permissions.
For example:
There are 20 users in my system: user1, user2...user20.
Each user belongs to a group, for example: group1, group2...group20.

So how do I prevent unauthorized access between these users (delete file, change owner, change file content, remove file, remove dir....etc.)?
In my system, even user A in group operator can still delete or do any operation on files and directories owned by user B in group dba.
I'm really stuck...
Please help.

Thanks in advance.
Hoang Chi Cong
Looking for a special chance.......
RAC_1
Honored Contributor

Re: User security issue

Set the sticky bit on the dirs.
chmod 1777 /dir_user1 and so on.
There is no substitute to HARDWORK
Arunvijai_4
Honored Contributor

Re: User security issue

1) Set up the umask such that all files and dirs have only read permission for others.

2) Sticky bit to directories.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Raj D.
Honored Contributor

Re: User security issue

Hi Cong,

To restrict other group members from accessing/deleting the files, you can also set permissions: remove them from the group and other fields.

-rwxr--r-- : Read only/not writable for group and others.
-rwx------ : No Read no write for group and others.

Check also the ownership and group membership on those file(s)/dir(s).


Cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Raj D.
Honored Contributor

Re: User security issue

Hi Cong (again),

You can also check these links to get an idea about understanding UNIX permissions:

Understanding UNIX permissions:

1. http://www.zzee.com/solutions/unix-permissions.shtml

2. http://www.perlfect.com/articles/chmod.shtml

3. http://www.library.yale.edu/~lso/workstation/docs/permissions/

Hope this helps,

hth,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Hoang Chi Cong_1
Honored Contributor

Re: User security issue

Thanks all,

To RAC: I don't like to set the sticky bit because it may be dangerous... HP-UX is just C2 security level :( (just in trusted mode), but my server doesn't run in trusted mode.

To Arunvijai: How do I set the umask?

Each user has a big number of files and directories.

To Raj D.:
I have tried this solution before, but nothing changed! The other user can still delete the file he doesn't own!

Any idea?

Hoang Chi Cong
Looking for a special chance.......
Raj D.
Honored Contributor

Re: User security issue

Hi Cong,

If other users are still able to delete the files after setting the proper permissions, there seems to be some problem. Have you set any other permissions like ACLs? You can check with # lsacl filename


You can again check with chmod.

You can remove existing permissions from dir(s) and file(s) using chmod and give it a try:

# chmod go-rwx file_name
(also check the file's owner and group membership)
# try deleting and check.

You can check the user's primary and other group memberships using # id username.


cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Hoang Chi Cong_1
Honored Contributor

Re: User security issue

Hi

Here is the output when I make an example following your hint:

<>ll
total 200
-rwx------ 1 osst dba 49208 May 12 2005 UBBCONFIG.050511
-rwx------ 1 osst dba 49208 Dec 27 15:46 tmp.txt
<>id
uid=103(osst) gid=102(dba)

<>lsacl tmp.txt
lsacl: file "tmp.txt": Function is not available (errno = 251)

-------------------------------------

<>id
uid=105(kibs) gid=103(opr)
<>ll
total 200
-rwx------ 1 osst dba 49208 May 12 2005 UBBCONFIG.050511
-rwx------ 1 osst dba 49208 Dec 27 15:46 tmp.txt
<>rm -f tmp.txt
<> --->can delete!



Thanks
Hoang Chi Cong
Looking for a special chance.......
Arunvijai_4
Honored Contributor

Re: User security issue

Hello,

You can just set umask to every user in their profile by editing .profile
umask=022 (default)

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Hoang Chi Cong_1
Honored Contributor

Re: User security issue

Hi Arunvijai

I have just done it.
Very strange: nothing changed even after adding umask=022 to the .profile file :(:(
Looking for a special chance.......
Raj D.
Honored Contributor

Re: User security issue

Hi Cong,
Looks strange though. Can you also check which groups user osst is a member of?
Also, if you create a new file, what permissions does it get by default?

hth,
Raj.


" If u think u can , If u think u cannot , - You are always Right . "
Hoang Chi Cong_1
Honored Contributor

Re: User security issue

Hi

The osst user is a member of the "dba" group only. The kibs user is a member of the "opr" group only.

When I create a new file, the permission is 666:
-rw-rw-rw- 1 osst dba 75 Dec 27 16:12 newfile.txt

Thanks again
Looking for a special chance.......
Arunvijai_4
Honored Contributor

Re: User security issue

Hi Cong, When you have 666 permission, anyone can delete it. You need to set the umask to appropriate value. Check # man umask for more details.
UMASK Values
============
0400 ( a=rwx,u-r) Read by owner
0200 ( a=rwx,u-w) Write by owner
0100 ( a=rwx,u-x) Execute (search in directory) by owner
0040 ( a=rwx,g-r) Read by group
0020 ( a=rwx,g-w) Write by group
0010 ( a=rwx,g-x) Execute/search by group
0004 ( a=rwx,o-r) Read by others
0002 ( a=rwx,o-w) Write by others
0001 ( a=rwx,o-x) Execute/search by others

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Arunvijai_4
Honored Contributor

Re: User security issue

A very good link about umask,

http://www.unix.org.ua/orelly/networking/puis/ch05_03.htm

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Raj D.
Honored Contributor

Re: User security issue

Cong,

Well,

The id shows that the user is kibs and kibs is a member of the "opr" group only.

But when you created a new file, see that the ownership of the file becomes osst and the group becomes dba.

"When I create a new file, the permission is 666:
-rw-rw-rw- 1 osst dba 75 Dec 27 16:12 newfile.txt "

Hence you are able to delete the files owned by osst, and group dba.



Check who else is a member of the opr group.
# cat /etc/group | egrep -i '(opr|dba)'

Also check # who am i, after logging in as kibs.

Seems there is some group & membership issues,

hth,
Raj.

" If u think u can , If u think u cannot , - You are always Right . "
Hoang Chi Cong_1
Honored Contributor

Re: User security issue

Sorry for my bad explanation!

That file was created under the osst user's rights!
- First, login with the osst user then create the newfile.txt
- Then I change the file's permission from 666 to 700.
- Login with the kibs user and try to delete this file----> can delete it!
Looking for a special chance.......
Hoang Chi Cong_1
Honored Contributor

Re: User security issue



<>cat /etc/group | egrep -i '(opr|dba)'
dba::102:
opr::103:



------


<>who am i
kibs pts/tc Dec 27 16:34


Please help.
Looking for a special chance.......
Raj D.
Honored Contributor

Re: User security issue

Cong,

Well, groups look good.

When you create a file as user kibs, what permissions are you getting?

Login: kibs
pw: **

# touch abc
# ls -l abc

hth,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Raj D.
Honored Contributor

Re: User security issue

Cong,

Well, groups look good.

When you create a file as user kibs, what permissions are you getting?

Login: kibs
pw: **

$ touch abc
$ ls -l abc
(it should be $, not #, as it's a normal user)

hth,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
RAC_1
Honored Contributor
Solution

Re: User security issue

You are missing one important point here. The ability to delete a file does not have anything to do with the perms of the file. It depends upon the perms of the directory under which that file lies. So if a user has write perms to the directory, he can delete files under that directory whether he has write perms to the file or not.
There is no substitute to HARDWORK
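As an added example (not from this thread, nor from any of the posters), a small POSIX shell script that demonstrates RAC's point above and Arun's earlier umask suggestion; it assumes a writable /tmp (or TMPDIR) and a non-root user, since root bypasses mode bits entirely:

```shell
#!/bin/sh
# Added example (not from this thread): shows that deleting a file is
# governed by the directory's permissions, not the file's own mode, and
# what a new file's mode looks like under a given umask. Assumes a POSIX
# shell, a writable ${TMPDIR:-/tmp} and a non-root user.

# try_delete DIR_MODE: creates a mode-000 file inside a fresh directory,
# sets the directory to DIR_MODE, then tries to rm the file.
# Returns 0 if the delete succeeded, 1 if it was refused.
try_delete() {
    dir_mode=$1
    d=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX") || return 2
    : > "$d/victim.txt"
    chmod 000 "$d/victim.txt"      # the file itself grants nothing
    chmod "$dir_mode" "$d"         # only the directory's w+x bits matter
    if rm -f "$d/victim.txt" 2>/dev/null && [ ! -e "$d/victim.txt" ]; then
        rc=0
    else
        rc=1
    fi
    chmod 700 "$d"                 # restore so cleanup can proceed
    rm -rf "$d"
    return $rc
}

# mode_under_umask UMASK: prints the symbolic mode a newly created file
# gets under that umask, e.g. "-rw-------" for 077. Note the shell builtin
# is "umask 077"; a line "umask=077" in .profile only assigns a variable.
mode_under_umask() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX") || return 2
    ( umask "$1"; : > "$d/new.txt" )
    m=$(ls -l "$d/new.txt" | cut -c1-10)
    rm -rf "$d"
    printf '%s\n' "$m"
}

# Stand-alone demo: a mode-000 file is deletable in a 700 dir, not in a 500 dir.
try_delete 700 && echo "dir 700: deleted a mode-000 file"
try_delete 500 || echo "dir 500: rm refused (no write bit on the directory)"
echo "umask 077 gives: $(mode_under_umask 077)"
```

Setting a directory to 700 (or at least removing the write bit for group and others) is what actually stops another user from removing files in it; the sticky bit on a shared 1777 directory is the alternative when several users must write to the same directory.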
Raj D.
Honored Contributor

Re: User security issue

Cong,
Above from RAC is correct. Check the permissions and ownership of the parent directories.

$ cd /
$ ls -l | grep osst


$ cd osst
$ ls -l | grep tmp

hth,
Raj

" If u think u can , If u think u cannot , - You are always Right . "
Hoang Chi Cong_1
Honored Contributor

Re: User security issue

Wao......

I forgot an important thing, didn't I?

Thank you Raj D., Arunvijai and special thanks to RAC...
You are right!

That was my carelessness...

Happy new year and best wishes to you!
Looking for a special chance.......
Hoang Chi Cong_1
Honored Contributor

Re: User security issue

Thread closed!
Looking for a special chance.......