secure_sid_scripts(5) secure_sid_scripts(5)
Tunable Kernel Parameters
NAME [Toc] [Back]
secure_sid_scripts - controls whether setuid and setgid bits on
scripts are honored
VALUES [Toc] [Back]
Failsafe
0
Default [Toc] [Back]
1
Allowed values [Toc] [Back]
0-1
Recommended values [Toc] [Back]
0-1
DESCRIPTION [Toc] [Back]
This tunable controls whether setuid and setgid bits on executable
scripts have any effect. Honoring set*id on scripts make a system
vulnerable to attack by malicious users.
The default value for this variable is 1, indicating that set*id bits
are to be ignored by the execve(2) system call for higher security.
The tunable can be set to 0 for a compatibility with older releases at
the expense of security. Hewlett-Packard strongly recommends that you
not change the value of this tunable unless there is an urgent need to
do so.
When a script with set*id bits is executed, the kernel generates the
following error message to both the terminal controlling and the
system log. (To view the error message, use dmesg(1M) or inspect
/var/adm/syslog/syslog.log.)
Warning: Ignoring set*id bit on program_name as the tunable
secure_sid_scripts is set.
Who is Expected to Change This Tunable?
Administrator.
Restrictions on Changing [Toc] [Back]
Changes to this tunable take effect for new scripts started after the
change.
When Should the Value of This Tunable Be Changed?
This tunable controls operational modes rather than data structure
sizes and limits. The appropriate setting for a system depends on
whether you consider security or compatibility to be most important.
A value of 0 is compatible with previous releases of HP-UX, but it is
also less secure.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: Sep 2004
secure_sid_scripts(5) secure_sid_scripts(5)
Tunable Kernel Parameters
A value of 1 provides security against race condition attacks
exploiting set*id scripts.
What Are the Side Effects of Changing the Value [Toc] [Back]
This tunable controls only executable scripts (not programs) with
set*id bit set. HP-UX does not ship with any such scripts. If the
customer wishes to use set*id scripts, third party applications such
as suidperl or sudo can be used. Alternatively, the shell script can
be wrapped in a simple C program that runs the shell script with
appropriate permissions:
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#define SETUID_SCRIPT "/usr/local/bin/cdeject"
int main(int argc, char *const argv[])
{
if (strcmp(argv[1], SETUID_SCRIPT) == 0) {
execv(argv[1], argv+1);
perror(argv[0]);
} else {
fprintf(stderr, "%s is not a known setuid script\n",
argv[1] ? argv[1] : "unspecified-script" );
}
exit(1);
}
What Other Tunable Values Should Be Changed at the Same Time?
None.
WARNINGS [Toc] [Back]
None. All HP-UX kernel tunable parameters are release specific. This
parameter may be removed or have its meaning changed in future
releases of HP-UX.
Installation of optional kernel software, from HP or other vendors,
may cause changes to tunable parameter values. After installation,
some tunable parameters may no longer be at the default or recommended
values. For information about the effects of installation on tunable
values, consult the documentation for the kernel software being
installed. For information about optional kernel software that was
factory installed on your system, see HP-UX Release Notes at
http://docs.hp.com.
FILES [Toc] [Back]
/var/adm/syslog/syslog.log
AUTHOR [Toc] [Back]
secure_sid_scripts was developed by HP.
Hewlett-Packard Company - 2 - HP-UX 11i Version 2: Sep 2004
secure_sid_scripts(5) secure_sid_scripts(5)
Tunable Kernel Parameters
SEE ALSO [Toc] [Back]
chmod(1), execve(2), kctune(1M).
Hewlett-Packard Company - 3 - HP-UX 11i Version 2: Sep 2004 [ Back ] |
