Manualshelf

NIO CommKit Host Interface Installation and System Administration Manual

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1 Networking Software
61626364656667686970
3-29
Control Tables (from AT&T 255-110-127)
srvtab
Server Table Entries Which Are Not Secure
Since the server table is the absolute arbiter of privilege for services pro-
vided by the CommKit Host Interface server program, server table
sequences which are not secure must be avoided to prevent unauthorized
access to the host system. Administrators should periodically check the
server table on each of their hosts and remove any entries which are not
secure. This section lists several server table entries which are not secure
and describes why they should be avoided. This list is not exhaustive; there
are other server table entries that can be equally as damaging. The adminis-
trator should use these examples as a tool for determining whether a speciļ¬c
server table entry is secure.
The remainder of this section consists of server table entries, each followed
by a brief description detailing why the entries should be avoided.
* rl U/vx root %s -Dsh
* rx /vaex root %s -Xsh:-c:%p
The previous server table entries are not secure. Both lines allow a requester
from any originating system on the data switch network to become the super
user on the called system directly. In addition, a normal user (not the super
user) on the called system can issue a remote login or execution request to
his/her own system (a loop-around request) and also obtain a super user
shell.
* rl U/vx *n %s -Dsh
* rx /vaex *n %s -Xsh:-c:%p
The above entries do not map all incoming remote login and remote execu-
tion requests to super user on the called system, but they will allow the super
user of any system in the network to become the super user on the called sys-
tem. Any user on a system with a numerical user ID in common with a user
on the called system can access the called sysem with the permissions of that
numerical user ID.
nj/yourcc/* rl U/vx *n %s -Dsh
The above server table entry limits external exposure to systems in the nj/
yourcc area and exchange. Any super user on a system in that area and
exchange can become super user on the called system. A normal user on an
originating system with a numerical user ID in common with the called sys-
tem can access the called system as in the previous example.