Manualshelf

Managing Systems and Workgroups: A Guide for HP-UX System Administrators

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU
781782783784785786787788789790
Administering a System: Managing System Security
Controlling Security on a Network
Chapter 8788
How to Safeguard NFS-Mounted Files
If possible, make sure that the same person administers both client
and server systems.
Maintain uniformity of user ID and group ID for server and client
systems.
Stay vigilant of /dev files in file systems exported from server.
Restrict write access to the /etc/passwd and /tcb/files/auth/*/*
client files.
For strictest control, audit every host that is accessible through the
network.
Link-Level Access
Link-level access is a very powerful facility that permits a programmer
to access the link driver on the host directly. In the wrong hands, this
capability can enable an ordinary user to fabricate any network packet,
including network control packets.
To protect link-level access, make sure that the files /dev/ether*,
/dev/ieee*, and /dev/lan* are owned and writable only by root. See
“Security Considerations for Device Files” on page 772.
CAUTION On HP-UX 11.0 and later systems, /dev/lan has a symbolic link to
/dev/dlpi; changing permissions on /dev/lan causes the permissions
on /dev/dlpi to be changed as well.
However, any DCE/RPC applications that do not run as UID 0 may
require write access to /dev/dlpi. Therefore, the permissions of 644 on
/dev/dlpi breaks these applications. Due to needing write access, for
DCE/RPC applications that do not run as UID 0, the permissions for
/dev/dlpi should be 666. For more information on /dev/dlpi, see the
manual Installing and Administering LAN/9000 Software.