Operating System - HP-UX

Re: /var/adm/socket/pwgr permissions

Donald R. Wedig
Occasional Contributor

/var/adm/socket/pwgr permissions

The HP default for this directory is 777. Our security group doesn't allow any 777 directories. We tried 1777, which is allowed. This seemed to work. The problem is: when the system reboots, it changes it back to 777. I believe it is the pwgrd startup causing this change. Can the directory be permanently set to 1777 or 775? We are not using NIS.
Priorities - God, Family, Friends
Rodney Hills
Honored Contributor

Re: /var/adm/socket/pwgr permissions

Edit file /etc/rc.config.d/pwgr and set PWGR=0.

This will turn off pwgrd. My guess is when that daemon is launched, it resets the permissions. Then change the permissions on /var/adm/socket/pwgr and it should remain what you set it to.

The drawback is you lose the passwd/group cache that it provides which could slightly impact the performance of your system.

Hope this Helps...

-- Rod Hills
There be dragons...
Ted Ellis_2
Honored Contributor

Re: /var/adm/socket/pwgr permissions

You could also create a short script that runs after the pwgr script in the run-level sequencing and resets the 1777 permissions. Make sure it is a clean script and follows the doctrine of the others... and has the same permissions to prevent it being tampered with later. Take a look at any of the normal scripts in /sbin/init.d as a reference point for what you should have... you would only need the start option... no need to run a kill option during a shutdown on something like this.
Craig Rants
Honored Contributor

Re: /var/adm/socket/pwgr permissions

A little background info on this so you can impress your narrow minded security guys

pwgrd is a password and group caching daemon. Since we have a very small password and group file it is unnecessary. Also, a little detective work with lsof and tusc (Trace Unix System Calls) [10] shows us that it listens on a Unix domain socket for client requests, and we don't want to allow command channels like that to processes running as root, so we have additional incentive to disable it:

Set the PWGR environment variable to 0 in /etc/rc.config.d/pwgr:

PWGR=0

We also remove stale sockets which will prevent unnecessary libc socket creation and requests to a nonexistent pwgrd listener:

# rm /var/spool/pwgr/* # really just need to remove status
# rm /var/spool/sockets/pwgr/*

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Donald R. Wedig
Occasional Contributor

Re: /var/adm/socket/pwgr permissions

I understand that changing the directory permission after startup or not using the service would work. And I now understand a good reason for not using the service. But why does the pwgrd program require/expect a 777 directory?
Priorities - God, Family, Friends
Ray Brewer
Valued Contributor

Re: /var/adm/socket/pwgr permissions

777 is required for this directory because all users need to be able to read and write to the directory, and the execute bit is to allow them directory access. I agree with the others: disable it. We have done so and it has had virtually no effect.

Ray