AIX: Why /bin/su permission with SUID?
Post 302910425 by achenle, Thursday 24th of July 2014, 11:29:52 AM
There's no other way to say it, so I'll say it: your auditor is incompetent.

There are numerous setuid programs in any Unix or Unix-style OS. Many of them need to be setuid in order to operate properly. "su" is one. X Window servers tend to be another. "passwd" also needs to be setuid, or users won't be able to set their own passwords. Don't tell me that audit report says to remove the setuid bit from "passwd"...

There are many others, too.

I'd be really careful about following the recommendations of that audit report. You're likely to find yourself with non-working systems.
CHECKSECURITY(8)                 System Manager's Manual                 CHECKSECURITY(8)

NAME
       checksecurity - check for changes to setuid programs

SYNOPSIS
       checksecurity

DESCRIPTION
       The checksecurity command scans the mounted file systems (subject to the filter defined in /etc/checksecurity.conf) and compares the list of setuid programs to the list created on the previous run. Any changes are printed to standard output. It also generates a list of nfs and afs file systems that are mounted insecurely (i.e. they are missing the nodev option and either the noexec or the nosuid option). checksecurity is run by cron on a daily basis, and the output is stored in /var/log/setuid/setuid.changes.

CONFIGURATION
       The checksecurity.conf file defines several configuration variables: CHECKSECURITY_FILTER, CHECKSECURITY_NOFINDERRORS, CHECKSECURITY_NONFSAFS, CHECKSECURITY_EMAIL, CHECKSECURITY_DEVICEFILTER, CHECKSECURITY_PATHFILTER, and LOGDIR. Each is described below.

       CHECKSECURITY_FILTER is the argument of 'grep -vE' applied to the output of the mount command. In other words, its value is a regular expression that removes matching lines, so the file systems those lines describe are not scanned. The default value removes all file systems of type proc, bind, msdos, iso9660, ncpfs, nfs, afs, smbfs, auto, ntfs and coda, anything mounted on /dev/fd*, anything mounted on /mnt or /amd, and anything mounted with the option nosuid or noexec. The checksecurity.conf file is sourced by checksecurity, so you can do some fairly tricky things to define CHECKSECURITY_FILTER.

       CHECKSECURITY_NOFINDERRORS, if set to the literal "TRUE", disables find errors from checksecurity (actually, it re-routes them to /dev/null).

       CHECKSECURITY_NONFSAFS, if set to the literal "TRUE", disables the message about nfs and afs file systems that are mounted without the nodev option and either the noexec or the nosuid option.

       If set, CHECKSECURITY_EMAIL defines who is sent a copy of the setuid.changes file.

       CHECKSECURITY_DEVICEFILTER specifies a find clause; block and character device files that match it are not monitored for changes of owner and permissions. For example, if you do not want to check for permission changes on tty device files beneath /dev, you could set:

              CHECKSECURITY_DEVICEFILTER='-path /dev/tty*'

       Note that any added or modified setuid programs under that path would still be detected. To specify multiple expressions, separate them with '-o'; there is no need to surround the whole clause with parentheses. To disable this filter, specify it as '-false' (which is the default). Note that if the system is restarted often, checksecurity will report a lot of changes in the /dev/ subdirectory due to timestamp changes. In that case you might want to change it to:

              CHECKSECURITY_DEVICEFILTER='-path /dev/'

       CHECKSECURITY_PATHFILTER specifies a find clause which is pruned from the search path, so the entire subtree is skipped. Thus, with CHECKSECURITY_PATHFILTER='-path /var/ftp', the entire /var/ftp tree is skipped. To disable this filter, specify it as '-false' (which is the default).

       LOGDIR sets the name of the directory which stores the files that track permission and ownership changes. By default they are in /var/log/setuid.

FILES
       /etc/checksecurity.conf
              checksecurity configuration file
       /var/log/setuid/setuid.today
              setuid files from the most recent run
       /var/log/setuid/setuid.yesterday
              setuid files from the previous run

Debian Linux                       2 February 1997                       CHECKSECURITY(8)
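As an added example, not code from achenle's post or from Debian's checksecurity package: a small portable-sh reimplementation of the three checks the man page above describes (the mount-listing filter, the setuid baseline compared against the previous run, and the report of nfs/afs mounts lacking nodev and noexec/nosuid), plus the check the post is really about, a list of binaries such as su and passwd that must keep their setuid bit. The mount listing and the scratch tree are constructed inline so the script runs offline and unprivileged; the FILTER regex is my rendering of the man page's prose description of the default CHECKSECURITY_FILTER, not the package's actual string.

```shell
#!/bin/sh
# Added example: a minimal checksecurity-style setuid audit. Not Debian's script.
# Inputs are constructed here: a fake "mount" listing and a scratch directory tree.

# Constructed "mount" output in the form "device on mountpoint type fstype (opts)".
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev)
filer:/export/home on /home type nfs (rw,relatime,nodev)
filer:/export/pub on /pub type nfs (rw,nodev,nosuid)
/dev/sdb1 on /mnt/usb type vfat (rw)'

# Assumed rendering of the default CHECKSECURITY_FILTER: an ERE handed to "grep -vE"
# over the mount listing. Lines it matches are NOT scanned.
FILTER='type (proc|bind|msdos|iso9660|ncpfs|nfs|afs|smbfs|auto|ntfs|coda) |^[^ ]* on /dev/fd|^[^ ]* on /(mnt|amd)[ /]|nosuid|noexec'

# stdin: mount listing; stdout: the mount points that survive the filter.
scan_roots() {
    grep -vE "$FILTER" | awk '{ print $3 }'
}

# stdin: mount listing; stdout: nfs/afs mounts that are missing nodev, or missing
# both noexec and nosuid (the man page's definition of "mounted insecurely").
insecure_netfs() {
    awk '$5 ~ /^(nfs|nfs4|afs)$/ {
        opts = $6
        if (opts !~ /nodev/ || (opts !~ /noexec/ && opts !~ /nosuid/))
            print $3 " (" $5 ") mounted with " opts
    }'
}

# List setuid/setgid regular files under the given roots as "mode owner group path",
# sorted so that two runs can be compared with diff. -xdev keeps find on each
# root's own filesystem, matching the per-mount-point scan the man page describes.
list_setuid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null \
        | awk '{ print $1, $3, $4, $NF }' | sort
}

# Compare the previous list (setuid.yesterday) with the current one (setuid.today).
# Prints one line per difference and nothing when they are identical; an absent
# baseline is treated as empty, so the first run reports every setuid file as new.
setuid_changes() {
    yesterday=$1
    today=$2
    [ -f "$yesterday" ] || : > "$yesterday"
    diff "$yesterday" "$today" | grep -E '^[<>]' \
        | sed -e 's/^< /removed or changed: /' -e 's/^> /added or changed: /'
}

# The point of the post: some programs (su, passwd, ...) must keep the setuid bit
# or they stop working. Prints each listed file that has lost it.
check_required_setuid() {
    for f in "$@"; do
        [ -u "$f" ] || echo "MISSING setuid bit: $f"
    done
}

# Build a constructed scratch tree standing in for / and run every check twice:
# once with a setuid "su", once after an auditor's chmod has stripped the bit.
demo() {
    root=$(mktemp -d) && mkdir -p "$root/bin" "$root/log"
    printf '#!/bin/sh\n' > "$root/bin/su"; chmod 4755 "$root/bin/su"   # setuid, like real su
    printf '#!/bin/sh\n' > "$root/bin/ls"; chmod 755  "$root/bin/ls"   # ordinary binary

    echo "== mount points to scan";    printf '%s\n' "$SAMPLE_MOUNTS" | scan_roots
    echo "== insecure nfs/afs mounts"; printf '%s\n' "$SAMPLE_MOUNTS" | insecure_netfs

    list_setuid "$root" > "$root/log/setuid.today"
    echo "== first run (no baseline yet)"
    setuid_changes "$root/log/setuid.yesterday" "$root/log/setuid.today"
    mv "$root/log/setuid.today" "$root/log/setuid.yesterday"

    chmod 755 "$root/bin/su"           # what following the audit report would do
    list_setuid "$root" > "$root/log/setuid.today"
    echo "== after stripping setuid from su"
    setuid_changes "$root/log/setuid.yesterday" "$root/log/setuid.today"
    check_required_setuid "$root/bin/su"
    rm -rf "$root"
}

demo
```

On a real host, replace the embedded listing with the output of `mount` and pass the scan_roots result to list_setuid; the second run's "removed or changed" line is exactly what a daily checksecurity-style job would mail you the morning after the audit's chmod, and check_required_setuid is the extra test that turns that line into "su is now broken".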
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.