Unix/Linux Go Back    


HP-UX HP-UX (Hewlett Packard UniX) is Hewlett-Packard's proprietary implementation of the Unix operating system, based on System V.

Security hardening for standard HP-UX users

HP-UX


Reply    
 
Thread Tools Search this Thread Display Modes
    #1  
Old Unix and Linux 11-28-2017   -   Original Discussion by anaigini45
anaigini45's Unix or Linux Image
anaigini45 anaigini45 is offline
Registered User
 
Join Date: Oct 2009
Last Activity: 27 March 2018, 12:02 AM EDT
Posts: 113
Thanks: 6
Thanked 0 Times in 0 Posts
Security hardening for standard HP-UX users

Hi,

The standard accounts that are created during the HP-UX installation, eg, bin,adm,daemon,uucp,lp,hpdb and nobody have their own shell.

Will there be any impact if we change these user's shell to /bin/false?

Like processes get interrupted, files cannot be generated, etc.

Regards
Sponsored Links
    #2  
Old Unix and Linux 11-28-2017   -   Original Discussion by anaigini45
MadeInGermany's Unix or Linux Image
MadeInGermany MadeInGermany is offline Forum Staff  
Moderator
 
Join Date: May 2012
Last Activity: 19 April 2018, 6:45 AM EDT
Location: Simplicity
Posts: 4,032
Thanks: 346
Thanked 1,356 Times in 1,222 Posts
Are there any processes with any of these owners?


Code:
ps -fu bin,adm,daemon,uucp,lp,hpdb

These are probably affected.
IMHO, if the login password is locked/invalid, there is not much gain in disabling the login shell.
Sponsored Links
    #3  
Old Unix and Linux 11-29-2017   -   Original Discussion by anaigini45
rbatte1's Unix or Linux Image
rbatte1 rbatte1 is offline Forum Staff  
Root armed
 
Join Date: Jun 2007
Last Activity: 19 April 2018, 8:53 AM EDT
Location: Lancashire, UK
Posts: 3,508
Thanks: 1,544
Thanked 689 Times in 619 Posts
I agree. Have a look at /etc/shadow or wherever the credentials files are held (somewhere down /tcb/auth/files ?) where there is a file for each user. If the password is *LK* or something else that is not a random 13 character string, then they can't be logged onto anyway. In theory someone with super-user privilege could su to them without needing a password, but then they would have all privileges already.



Robin
    #4  
Old Unix and Linux 11-30-2017   -   Original Discussion by anaigini45
Peasant's Unix or Linux Image
Peasant Peasant is offline Forum Advisor  
Registered User
 
Join Date: Mar 2011
Last Activity: 19 April 2018, 11:41 PM EDT
Posts: 1,157
Thanks: 32
Thanked 347 Times in 300 Posts
/etc/shadow does not exist by default on HPUX system.

It is an additional install, and it should be done to harden the security, if required.
Otherwise, any user on the system can copy the /etc/passwd file and brute force the hashes.

You do not want to change those system users shell or anything else.
This is not a security issue nor it should be considered one since those users do not have a password defined.

Hope that helps
Regards
Peasant.
Sponsored Links
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Linux More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Pop the users one by one in sudo cat /etc/security/user starter2011 UNIX for Dummies Questions & Answers 4 12-05-2011 10:27 AM
Security Issue with Standard Input? yall Shell Programming and Scripting 2 10-10-2006 10:04 AM



All times are GMT -4. The time now is 01:13 AM.