[HPADM] SUMMARY: Umask Reporting

From: Butcher, William (Bill.Butcher) (Bill.Butcher@ChevronTexaco.com)
Date: Mon Sep 09 2002 - 11:36:47 EDT


Thank you to the following folks and their comments regarding my question
regarding umask reporting:
 
Bill Thompson
Bill Hassell
Doug Wyatt
Hubert Partl
Amit Kumar
 
I'm going to take Bill Hassell's advice and simply force users to umask 022
in /etc/profile.
 
 
Replies are listed below (listed in chronological order as I received them):
 
----------------------------------------------------------------------------
 
Reply from Bill Thompson:
 
Bill,
 
Unfortunately there is no accurate way to report what a user's umask is,
only what it "should" be because it's too easy for a user to change the
umask. They could be manually entering the command or manually sourcing a
file which sets the umask.
 
Logging in as the user and issuing the umask command is probably the best way to
see what the umask should be.
 
Most flavors of UNIX no longer allow suid scripts, only binaries which is
why your script is failing. Take a look at sudo. It will allow you to run a
script as root. It's a great tool for parsing out limited root access.
 
Bill Thompson
Sr UNIX Systems Administrator
The Goodyear Tire & Rubber Company
 
 
----------------------------------------------------------------------------
 
Reply from Bill Hassell:
 
Hi,
 
Save yourself a *LOT* of security problems. su is
not really logging in the same as the user does.
Instead, assume that every user has the wrong umask and FORCE IT TO umask
022 in /etc/profile
*and* /etc/csh.login. Show no mercy. There are
hundreds, perhaps thousands of files created by
root as well as users that have MASSIVE security
problems caused by not having umask set at all.
 
NEVER create a set UID script. NEVER. It is the
first way in which a hacker attacks your system.
There is no need to respect user's privacy--their
settings may be compromising the very reasons the
computer exists or the reason you have so many
problems.
 
If you assume that every user is untrained or is
a hacker, you will do the right thing. There are
two glaring security holes on every HP-UX install.
 
One is umask not being set, and the other is the
permissions for /usr/local. Fix every machine you
have by forcing umask in the startup profiles,
fix /usr/local with:
 
find /usr/local -type d -print -exec chmod 755 {} \;
 
and then scan your entire system with:
 
find / -local -type d -perm -002 -exec ll -d {} \;
 
(All 777 directories are serious problems
except /tmp and /var/tmp)
 
find / -local -type f -perm -002 -exec ll {} \;
 
All 666 files are trash and must NEVER be
trusted because they have already been hacked.
My standard challenge is: prove me wrong about
the hacked files.
 
If you assume that everyone is out to trash your
computers and you take definitive action, you'll
be a lot safer.
 
Bill
 
----------------------------------------------------------------------------
 
Reply from Doug Wyatt:
 
Hi,
 
Couldn't you just 'source' the .login and .cshrc for each user,
in turn, and then save the 'current' umask setting?
 
     foreach user ( $userlist )
         source ~${user}/.login
         source ~${user}/.cshrc
         set VAL=`umask`
         # ...
     end
It would be a bad idea if you could SUID a shell script.
It's not much better to run it as a cron job, created by
root, but you can't access different User's account info without being root
(unless you are using a very permissive permissions scheme). I'd probably
either run such a script from cron, or perhaps try a compiled Perl program
running SUID root.
 
 
Regards,
Doug Wyatt
 
----------------------------------------------------------------------------
 
Reply from Hubert Partl:
 
 
> Is there a simple method of determining what the 'umask' setting is
> for each defined user?
 
There is not *one* setting, the umask may be set in different start up files
and differently for different cases within each file (for instance, for
telnet use and batch use).
 
> One method that I know of is to 'su' to that user's account
 
If you do not use "su -", then the user's startup files will not be run, and
you will only see the system default umask of the init process. However, if
you use "su -i", all the user's startup files will run and you do not know
what they might do, for instance, sending mail about previous commands or
logging user presence for over-hour fees... :-)
 
> and issue the 'umask' command. Another is to search through the home
> directory of each user and search the .profile file for a particular
> 'umask'
 
and the .login and .cshrc and .bashrc etc., and you might find several lines
that set umask to different values depending on if statements.
 
> I'd rather not have the script run from a 'root' user account, so
> what's the best way of determining and reporting the 'umask' settings
> for all defined users?
 
Why do you want to know their settings? Why can't you just teach them not to
use umask 000 or 444 and chmod all files and directories with "bad"
permissions?
 
 

--
Hubert Partl                 partl@mail.boku.ac.at
ZID BOKU Wien                 http://homepage.boku.ac.at/partl/
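
Hubert Partl's point above, that a user's umask can be set in several startup files and under different conditions, can be reported by reading those files without ever running them. The script below is an added example, not part of the original thread; the function names, the list of startup files and the two sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: static umask report. Startup files are read, never executed.
STARTUP_FILES=".profile .login .cshrc .bashrc"

# scan_home USER HOME: print user:file:line:mask:verdict for each umask
# statement. WEAK means the mask leaves group or other write enabled.
scan_home() {
    user=$1; home=$2
    for f in $STARTUP_FILES; do
        [ -f "$home/$f" ] && [ -r "$home/$f" ] || continue
        # "umask NNN" in command position; commented-out lines are skipped.
        grep -n -E '^([^#]*[[:space:];])?umask[[:space:]]+[0-7]{1,4}' "$home/$f" |
        while IFS=: read -r lineno text; do
            mask=$(printf '%s\n' "$text" |
                sed 's/^[^#]*umask[[:space:]]\{1,\}\([0-7]\{1,4\}\).*/\1/')
            # 022 octal = 18: both write bits must be masked off.
            if [ $(( 0$mask & 022 )) -eq 18 ]; then v=OK; else v=WEAK; fi
            printf '%s:%s:%s:%s:%s\n' "$user" "$f" "$lineno" "$mask" "$v"
        done
    done
}

# report_umasks PASSWD_FILE: scan the home directory of every account listed.
report_umasks() {
    while IFS=: read -r name _pw _uid _gid _gecos home _shell; do
        if [ -d "$home" ]; then scan_home "$name" "$home"; fi
    done < "$1"
}

# Constructed sample: two accounts, one with conflicting umask settings.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/home/bob"
    printf 'umask 022\n' > "$d/home/alice/.profile"
    printf '# umask 000\nif ($?prompt) umask 002\numask 077\n' > "$d/home/bob/.cshrc"
    printf 'alice:x:101:20::%s/home/alice:/bin/sh\n' "$d" > "$d/passwd"
    printf 'bob:x:102:20::%s/home/bob:/bin/csh\n' "$d" >> "$d/passwd"
    echo "$d"
}

sample=$(make_sample)
report_umasks "$sample/passwd"
rm -rf "$sample"
```

The report shows every umask statement found, so an account with both a weak and a strict setting appears twice; which one takes effect depends on the login path, as the reply above notes.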
 
 
----------------------------------------------------------------------------
 
Reply from Amit Kumar:
 
Hello Bill,
 
You can try this way :
Change the ownership of script to root and group ownership to the user's
group who will be running
this script.  Then Set SUID bit as well as give the exe permission for
group. Now this user can run
the script as root.
 
Hoping this will help you.
 
Thanks,
Amit
 
 
 
William H. Butcher III
ChevronTexaco Pipeline Company
2811 Hayes Road, Suite 3313F
Houston, Texas  77082
Office: (281)596-2847, Cellular: (281)543-9651
E-mail: bill.butcher@chevrontexaco.com
 
 
-----Original Question-----
HPUX Gurus,
I'm developing a series of csh scripts which periodically report
security-related information to system analysts.  I'm running into a problem
when attempting to report the 'umask' settings for each user defined in the
/etc/passwd file.
Is there a simple method of determining what the 'umask' setting is for each
defined user?  One method that I know of is to 'su' to that user's account
and issue the 'umask' command.  Another is to search through the home
directory of each user and search the .profile file for a particular 'umask'
setting.  Neither method is very elegant.
The prototype that I have running today is run as 'root' and loops through
the /etc/passwd file, using the 'su' command and issuing the 'umask' command
for each user.  The script doesn't work when not run from 'root', even
though I set the SUID bit on the script and change to 'root' ownership.
I'd rather not have the script run from a 'root' user account, so what's the
best way of determining and reporting the 'umask' settings for all defined
users?
I'm running HPUX v10.20 on K-series servers and J-series workstations.
Thank you in advance for your ideas,
- Bill
 
 
--
             ---> Please post QUESTIONS and SUMMARIES only!! <---
        To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
       Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl
 
 Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
            http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)

