Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Guidelines for Running a Secure System
Chapter 8, page 776
Guidelines for Limiting Setuid Power
Use great caution if you add setuid-to-root programs to an existing
system. Adding a setuid-to-root program changes the system
configuration, and might compromise your security.
Enforce restrictive use of privileged programs through the following
suggestions:
• Use setuid and setgid only when absolutely necessary.

• Make sure that no setuid program is writable by others.

• Whenever possible, use setgid instead of setuid to reduce the scope of damage that might result from coding flaws or breaches of security.

• Periodically search your file systems for new or modified setuid and setgid programs. You can use the ncheck -s command.

• Know exactly what your setuid and setgid programs do, and verify that they do only what is intended. Failing this, remove the program or its setuid attribute.

• If you must copy a setuid program, make sure that the modes are correct on the destination file.

• Write setuid programs so that they can be tested on noncritical data, without setuid or setgid attributes. Apply these attributes only after the code has been reviewed and all affected departments are satisfied that the new programs maintain security.

• Make sure that a setuid program does not create files writable by anyone other than its intended user.

• Reset the euid before an exec*() system call. Be aware that exec*() may be called within other library routines, and be wary of using routines (including popen(), system(), execlp(), and execvp()) that fork a shell to execute a program. See exec (2), popen (3S), and system (3S).

• When writing setuid programs, use setresuid() around the pieces of code that require privileges, to reduce the window of vulnerability. See setresuid (2).

• Close all unnecessary file descriptors before calling exec*().

• Ensure that all variables (PATH, IFS) and the umask value in the program’s environment are sufficiently restrictive.