Operating System - HP-UX

World writable files after default HP-UX 11.11 install

Sonny_8
Occasional Advisor

World writable files after default HP-UX 11.11 install

Hi All,
Are there any OS files that need (really mandatory!) to be world writable in the Unix system after a "default" installation?

This is a security-related question. Indeed, if some files NEED to be world writable, then how can I prevent any user from modifying this/these file(s) and impacting the system?

Thanks in advance for your help,
Regards,
Nicolas
6 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: World writable files after default HP-UX 11.11 install

Hi Nicolas:

Certainly one thing you can/should tighten immediately is the ability for anyone to delete files from the '/tmp', '/var/tmp', and '/usr/local' directories regardless of whether or not they are the owner.

To correct this, set the sticky bit on the directory. This will prevent a file's non-owner from deleting it, while still allowing anyone write access to the directory and leaving the file's owner able to delete it.

For example:

# chmod 1777 /tmp

Regards!

...JRF...
Sonny_8
Occasional Advisor

Re: World writable files after default HP-UX 11.11 install

Thanks for this advice JRF,
Will do that.
Rgds,
Nicolas
F. X. de Montgolfier
Valued Contributor

Re: World writable files after default HP-UX 11.11 install

Hi Nicolas,

you might want to read http://people.hp.se/stevesk/bastion11.html, which explains how to "build a bastion host using HP-UX 11", and especially its chapter 9, "file permissions".

Basically, what they do is remove write permissions systemwide, then:
# chmod 1777 /tmp /var/tmp /var/preserve
# chmod 666 /dev/null

Notice the use of the sticky bit for the public directories...

Cheers,

FiX


Steven E. Protter
Exalted Contributor

Re: World writable files after default HP-UX 11.11 install

You would probably benefit from using the Bastille tool.

It lets you know what's world writable and really should not be. security_patch_check also does a cursory analysis.

Here are links.

Bastille

https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6849AA&date=

security_patch_check

https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6834AA&date=

If you are really into security you should consider running crack against your password file in a test environment (ftp it in) and the saint system probe utility.

This toolset will really help you lock things down.

P
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bill Hassell
Honored Contributor

Re: World writable files after default HP-UX 11.11 install

World writable files? Probably none in the OS files. World writable directories: yes but with caveats: /var/tmp and /tmp need to be world writable but I would set the sticky bit as in chmod 1777 /tmp so that only owners of files can remove or rename them. Without this bit, anyone can remove or rename any file in that directory.

Additionally, all standard HP-UX installs have bad permissions on /usr/local directories. Warnings to this effect are contained in several places but the default install still leaves /usr/local directories as 777. They MUST be changed to 755 on every machine.

If you install any of the OpenView products such as node manager, then there will be a massive number of wide open directories and files in places like /etc... these will have to be fixed to prevent problems in the future.


Bill Hassell, sysadmin
Nicolas Moulin_1
Occasional Advisor

Re: World writable files after default HP-UX 11.11 install

Hi,

Well thanks a lot to all of you who have responded to my question. I really appreciate your support.

Each piece of information that you have provided has been very useful to me (i.e. the doc "build a bastion host using HP-UX 11", Security_patch_Check and Bastille, etc.)

No doubt it could certainly help other people as well.

This is really a great forum and community.

Regards,
Nicolas