HP-UX System Administrator's Guide: Security Management HP-UX 11i v3 (B3921-90020, September 2010)

Write protect all disk special files from general users to prevent inadvertent
data corruption. Turn off write access for group and other.
Read protect disk special files to prevent disclosure. Turn off read access for
other.
The file protections should be set to:
brw-r----- 1 bin sys 31 0x002000 Feb 18 2004 /dev/dsk/c0t2d0
crw-r----- 1 bin sys 188 0x002000 Aug 3 2004 /dev/rdsk/c0t2d0
brw-r----- 1 root sys 64 0x000002 Jun 11 2006 /dev/vg00/lvol2
crw-r----- 1 root sys 64 0x000002 Jun 11 2006 /dev/vg00/rlvol2
Terminal ports on HP-UX systems are writable by anyone if you allow users to
communicate by using the write or talk programs. Permit only the owner to
have read permission.
Do not permit individual users to own a device special file other than for a terminal
device or personal printer.
Before putting a disk or other mountable device of unknown origin into service,
check its files for device special files and setuid programs. See Section 5.9.
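An added example, not from the guide: a small POSIX shell audit that checks the mode field of ls -l output for device special files against the rule above (no group write, no other read or write). The sample input is the four entries listed above plus one constructed world-writable entry; the path /dev/dsk/c0t5d0 in that entry is made up for the demonstration.

```shell
#!/bin/sh
# Audit device special files against the Section 5.7 rule:
# turn off write for group and other, and read for other (mode 640 or tighter).

# mode_ok STRING: STRING is the 10-character mode field from ls -l, e.g. brw-r-----.
# Returns 0 if the mode satisfies the rule, 1 otherwise.
mode_ok() {
    m=$1
    gw=$(printf '%s' "$m" | cut -c6)   # group write bit
    or=$(printf '%s' "$m" | cut -c8)   # other read bit
    ow=$(printf '%s' "$m" | cut -c9)   # other write bit
    if [ "$gw" = "-" ] && [ "$or" = "-" ] && [ "$ow" = "-" ]; then
        return 0
    fi
    return 1
}

# audit_ls_output: reads ls -l text on stdin, prints one FAIL line per block (b)
# or character (c) special file that violates the rule; exit status is the count.
audit_ls_output() {
    bad=0
    while read -r mode rest; do
        case $mode in
            [bc]*) ;;            # only device special files are judged
            *) continue ;;
        esac
        if ! mode_ok "$mode"; then
            path=$(printf '%s' "$rest" | awk '{print $NF}')
            printf 'FAIL %s %s\n' "$mode" "$path"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Live use on an HP-UX device directory, e.g. audit_dev_dir /dev/dsk
audit_dev_dir() {
    ls -l "$1" | audit_ls_output
}

# Constructed sample: the guide's four entries plus one failing entry (crw-rw-rw-).
SAMPLE='brw-r----- 1 bin sys 31 0x002000 Feb 18 2004 /dev/dsk/c0t2d0
crw-r----- 1 bin sys 188 0x002000 Aug 3 2004 /dev/rdsk/c0t2d0
brw-r----- 1 root sys 64 0x000002 Jun 11 2006 /dev/vg00/lvol2
crw-rw-rw- 1 bin sys 31 0x002005 Feb 18 2004 /dev/dsk/c0t5d0'

# count_failures: number of sample entries that fail the rule (1 here).
count_failures() {
    n=0
    printf '%s\n' "$SAMPLE" | audit_ls_output >/dev/null || n=$?
    echo "$n"
}
```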
5.8 Protecting Disk Partitions and Logical Volumes
A Logical Volume Manager (LVM) is a common disk management tool. LVM divides a
disk more flexibly than fixed disk partitions do, and its volumes can span multiple
disks. Volumes are logical devices that appear to applications as a physical disk
partition. You can use a volume as a virtual disk partition for such purposes as
creating a file system or a database.
Following are some security considerations regarding disk partitions and logical
volumes:
Ensure that the device special files for disk partitions and logical volumes are
readable only by root and perhaps by an account used for disk backups. See
Section 5.7.
Because ownership and permissions are stored in the inode, anyone with write
permission to the device special file of a mounted partition can set the user ID of
any file in that partition by editing the inode directly. The file can be changed
regardless of who owns it, bypassing the chmod system call and other security checks.
If the device special file is writable, a user can open that file and access the raw
disk. The user can then directly edit the file system, read files, or change file
permissions and owners.
Make sure the file permissions on the device special file forbid access by group and
other and allow only root to read it.
If a program, such as a database application, requires direct access to the partition,
reserve that partition exclusively for the program. Do not mount a partition as a
104 File System Security