HP-UX: HP-UX (Hewlett Packard UniX) is Hewlett-Packard's proprietary implementation of the Unix operating system, based on System V.

Security hardening for standard HP-UX users

#1  anaigini45 (Registered User), 2 Weeks Ago

Hi,

The standard accounts that are created during the HP-UX installation, e.g. bin, adm, daemon, uucp, lp, hpdb and nobody, have their own shell.

Will there be any impact if we change these users' shell to /bin/false?

Like processes get interrupted, files cannot be generated, etc.

Regards
#2  MadeInGermany (Moderator, Forum Staff), 2 Weeks Ago
Are there any processes with any of these owners?

Code:
ps -fu bin,adm,daemon,uucp,lp,hpdb

These are probably affected.
IMHO, if the login password is locked/invalid, there is not much gain in disabling the login shell.
#3  rbatte1 (Forum Staff), 2 Weeks Ago
I agree. Have a look at /etc/shadow or wherever the credentials files are held (somewhere down /tcb/auth/files ?) where there is a file for each user. If the password is *LK* or something else that is not a random 13-character string, then they can't be logged onto anyway. In theory someone with super-user privilege could su to them without needing a password, but then they would have all privileges already.



Robin
#4  Peasant (Forum Advisor), 2 Weeks Ago
/etc/shadow does not exist by default on an HP-UX system.

It is an additional install, and it should be done to harden the security, if required.
Otherwise, any user on the system can copy the /etc/passwd file and brute force the hashes.

You do not want to change those system users' shell or anything else.
This is not a security issue, nor should it be considered one, since those users do not have a password defined.

Hope that helps
Regards
Peasant.
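
The checks discussed in this thread, as an added example that is not part of any poster's reply: a read-only script that reports, for the accounts named in the first post, whether the password field in a passwd-format file is empty, holds something that looks like a hash, or holds a value such as `*` or `*LK*` that cannot be a hash. The function names and the sample file are constructed for illustration, and the 13-character test is the rule of thumb from post #3, which assumes traditional crypt hashes.

```shell
#!/bin/sh
# Added example, not from the thread: read-only check of the password field
# for the stock HP-UX accounts the original poster listed.
ACCOUNTS="bin adm daemon uucp lp hpdb nobody"

# classify_field FIELD -> empty | hash-in-passwd | no-valid-hash
classify_field() {
    pw=${1%%,*}        # System V password aging data follows a comma; drop it
    [ -n "$pw" ] || { echo empty; return 0; }
    if [ "${#pw}" -eq 13 ]; then
        case $pw in
            *[!./0-9A-Za-z]*) echo no-valid-hash ;;   # e.g. contains '*'
            *)                echo hash-in-passwd ;;  # readable by every user
        esac
    else
        echo no-valid-hash                            # "*", "*LK*", ...
    fi
}

# audit_passwd < FILE -> "user status shell" for each listed account
audit_passwd() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case " $ACCOUNTS " in
            *" $user "*)
                printf '%s %s %s\n' "$user" "$(classify_field "$pw")" "${shell:-<default>}" ;;
        esac
    done
}

# Constructed sample in passwd(4) layout; the 13-character value is a dummy.
sample_passwd() {
    cat <<'EOF'
root:aaCONSTRUCTED:0:3::/:/sbin/sh
bin:*:2:2:NO LOGIN:/usr/bin:/sbin/sh
adm::4:4::/var/adm:/sbin/sh
lp:aaCONSTRUCTED,..:9:7::/var/spool/lp:/sbin/sh
nobody:*LK*:-2:-2::/:
EOF
}

sample_passwd | audit_passwd    # on a real host: audit_passwd < /etc/passwd
```

An `empty` result means no password is required for that account, and `hash-in-passwd` means the hash sits in a file every local user can read, which is the exposure described in post #4.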