SUID and SGUID (247 Views)
Occasional Advisor
Jilan
Posts: 10
Registered: ‎07-12-2007
Message 1 of 4 (247 Views)

SUID and SGUID

Dear Gurus,

 

Currently I am implementing security controls on Unix servers. From the ISO 27001 audit report, one of the controls says unauthorized set-UID or set-GID applications do not exist on the system.

 

Using the script I managed to list all the files which have SUID and SGID permissions. I am not sure what the effect or impact on the system will be if I remove those permissions. Could you please advise, from the files below (or refer to the attached files), which files will be safe to remove SUID or SGID permissions from?

 

 

-r-s------ root sys /opt/omni/lbin/inet
-r-sr-xr-x root bin /opt/perf/bin/glance
-r-sr-xr-x root bin /opt/perf/bin/xglance
-r-sr-xr-x root bin /opt/prm/bin/prmmove
-r-sr-xr-x root bin /opt/prm/bin/prmrun
-rwsr-xr-x root bin /opt/ssh/libexec/ssh-keysign
-r-sr-xr-x root bin /usr/bin/at
-r-sr-xr-x root bin /usr/bin/bdf
-r-sr-xr-x root bin /usr/bin/chfn
-r-sr-xr-x root bin /usr/bin/chsh
-r-sr-xr-x root bin /usr/bin/crontab
-r-sr-xr-x root bin /usr/bin/df
-r-sr-xr-x root bin /usr/bin/login
-r-sr-sr-x root mail /usr/bin/mail
-r-sr-xr-x root bin /usr/bin/mediainit
-r-xr-sr-x bin sys /usr/bin/netstat
-r-sr-xr-x root bin /usr/bin/newgrp
-r-sr-xr-x root bin /usr/bin/nfsstat
-r-sr-xr-x root bin /usr/bin/passwd
-r-sr-xr-x root sys /usr/bin/privrun
-r-sr-xr-x root bin /usr/bin/rcp
-r-sr-xr-x root bin /usr/bin/remsh
-r-sr-sr-x root mail /usr/bin/rmail
-r-sr-xr-x root bin /usr/bin/su
-r-sr-xr-x root bin /usr/bin/yppasswd
-r-sr-sr-x root bin /usr/lbin/chgpt
-r-xr-sr-x bin sys /usr/lbin/fs/hfs/diskusg
-r-xr-sr-x bin sys /usr/lbin/fs/vxfs/diskusg
-r-xr-sr-x bin sys /usr/lbin/fs/vxfs5.0/diskusg
-r-sr-xr-x daemon bin /usr/lbin/grmd
-r-sr-xr-- root lp /usr/lbin/netlp.asx
-r-sr-xr-x root bin /usr/lbin/protect_pty
-r-xr-sr-x bin mail /usr/lbin/rmmail
-r-sr-xr-x root bin /usr/lbin/rwrite
-r-sr-xr-x uucp bin /usr/lbin/uucp/uucico
-r-sr-xr-x uucp bin /usr/lbin/uucp/uuclean
-r-sr-xr-x uucp bin /usr/lbin/uucp/uusched
-r-sr-xr-x uucp bin /usr/lbin/uucp/uusub
-r-sr-xr-x uucp bin /usr/lbin/uucp/uuxqt
-r-sr-xr-x lp bin /usr/sbin/accept
-r-sr-xr-x root bin /usr/sbin/acct/accton
-r-sr-xr-x root bin /usr/sbin/arp
-r-sr-xr-x root sys /usr/sbin/authadm
-r-sr-xr-x root sys /usr/sbin/cmdprivadm
-rwsr-sr-x root sys /usr/sbin/dad
-r-sr-xr-x root bin /usr/sbin/keyenvoy
-r-xr-sr-x root sys /usr/sbin/lanscan
-r-sr-xr-x root bin /usr/sbin/lpadmin
-r-sr-xr-x lp bin /usr/sbin/lpfence
-r-sr-xr-x lp bin /usr/sbin/lpmove
-r-sr-xr-x root bin /usr/sbin/lpsched
-r-sr-xr-x lp bin /usr/sbin/lpshut
-r-sr-xr-x root sys /usr/sbin/lvm_wrapper
-r-sr-xr-x root sys /usr/sbin/lvmcmd
-r-sr-xr-x root sys /usr/sbin/lvmpcmd
.......
......
......
-r-sr-xr-x root bin /var/adm/sw/save/PHCO_38682/LP2-SPOOL/usr/sbin/rlpdaemon
-r-sr-xr-x root bin /var/adm/sw/save/PHCO_38682/LP2-SPOOL/usr/sbin/rlpstat
-r-sr-xr-x root bin /var/adm/sw/save/PHCO_39365/UX2-CORE/usr/bin/login
-r-sr-xr-x root bin /var/adm/sw/save/PHCO_39367/UX2-CORE/usr/bin/passwd
-r-sr-xr-x root bin /var/adm/sw/save/PHCO_39418/SYS2-ADMIN/usr/bin/mediainit
-r-sr-xr-x root bin /var/adm/sw/save/PHCO_39690/UX2-CORE/sbin/shutdown
........

 

 

Regards

Jilan

Acclaimed Contributor
Dennis Handly
Posts: 24,894
Registered: ‎03-06-2006
Message 2 of 4 (238 Views)

Re: SUID and SGUID

>advice which files will be safe to remove suid or sgid permissions.

 

Just about none of them are safe to remove; these are needed for proper system operation and so are authorized.

And these programs will no longer work for normal users if SUID root is removed.

 

If you need to prove they belong to HP-UX, you can do the following:

1) Put the list of files in a file, one per line

2) swlist -l file | grep -f the-file-list

 

Any file  not showing up would be suspicious.

You could also do a "swverify \*" to make sure all files have the correct permission and checksum.

Occasional Advisor
Jilan
Posts: 10
Registered: ‎07-12-2007
Message 3 of 4 (229 Views)

Re: SUID and SGUID

Dennis, thanks for the information. I just tried your suggestion and found good information.

 

I copied the files generated by the script, one after another, into one file named suid.txt and executed # swlist -l file | grep -f suid.txt. It does not show anything and just ends up at the # prompt.

 

Later on I tried to execute swverify /* and ran the swjob, and found permission issues for some folders....

 

Just curious to know what the impact would be if I remove the SUID permission from the /var/adm/sw/save/PHXX_XXXX files, as I know the patches have already been applied to the server?

 

 

 

Regards

Jilan

Acclaimed Contributor
Dennis Handly
Posts: 24,894
Registered: ‎03-06-2006
Message 4 of 4 (223 Views)

Re: SUID and SGUID

>it does not show anything ended up # prompt

 

Make sure there are no leading or trailing blanks/tabs in suid.txt. bin/bdf should be there.

 

>swlist -l file | ...

 

If you are going to do this several times, you should save the swlist output in a file.

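A script form of the check Dennis describes across his two replies (save the swlist output, then look for SUID/SGID files no installed product claims), added here as an example rather than code from the thread. It assumes the file path is the last whitespace-separated field on every line of both inputs and builds the stray-whitespace problem from the last reply into the matching; all sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare a SUID/SGID listing against
# saved "swlist -l file" output and print the paths no SD-UX product owns.
# Assumption: in both files the path is the last field of each line, which
# holds for "ls -l"-style lines and for swlist's "product.fileset: /path".
# On a real host the inputs would come from something like:
#   find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; > suid.txt
#   swlist -l file > swlist.out            (saved once, reused for every run)

# list_paths FILE: print the trimmed path from each line, ignoring blank
# lines and the "......" filler lines (anything whose last field isn't a path)
list_paths() {
    awk 'NF > 0 && $NF ~ /^\// { print $NF }' "$1"
}

# unknown_setuid SUIDLIST SWLIST: every SUID/SGID path absent from the
# swlist inventory, once each, in listing order.  Matching on the extracted
# field means leading/trailing blanks or tabs in suid.txt cannot hide a hit,
# which is exactly what broke the plain "grep -f suid.txt" attempt.
unknown_setuid() {
    awk -v kf="$2" '
        FILENAME == kf { if (NF > 0 && $NF ~ /^\//) known[$NF] = 1; next }
        NF > 0 && $NF ~ /^\// && !($NF in known) && !seen[$NF]++ { print $NF }
    ' "$2" "$1"
}

# --- constructed sample input (left in $work for inspection) --------------
work=$(mktemp -d)
# listing in the shape of the one posted, with the whitespace and filler
# lines that made grep -f print nothing; the last entry is the odd one out
printf '%s\n' \
    '-r-sr-xr-x root bin /usr/bin/bdf ' \
    '   -r-sr-xr-x root bin /usr/bin/passwd' \
    '-rwsr-xr-x root bin /opt/ssh/libexec/ssh-keysign' \
    '-rwsr-xr-x root root /opt/local/bin/helper' \
    '......' > "$work/suid.txt"
# what "swlist -l file" would report for the delivering filesets (constructed)
printf '%s\n' \
    '  OS-Core.UX-CORE: /usr/bin/bdf' \
    '  OS-Core.UX-CORE: /usr/bin/passwd' \
    '  SecureShell.SECURE_SHELL: /opt/ssh/libexec/ssh-keysign' > "$work/swlist.out"

# each path printed is a file that needs an owner before the ISO 27001
# control can be signed off (or the bit removed if none is found)
unknown_setuid "$work/suid.txt" "$work/swlist.out"   # prints /opt/local/bin/helper
```

Anything the script prints is the "suspicious" set from Dennis's reply; the files it stays silent on are the HP-UX-delivered ones that should keep their bits.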