On Tue, 6 Jun 2000, Philipp Buehler wrote:
> Theo de Raadt wrote To BUGTRAQ_at_SECURITYFOCUS.COM:
> > > 0) HP *still* insists on NOT setting the sticky bit on world-writeable
> > > temporary directories (/tmp and /var/tmp) on default installs of HPUX.
> > If this is the case, then any temporary file which gets reopened is
> > not safe. A *lot* of software does reopening by name.
> Handling temporary files is broken in so many scripts .. e.g. I just
> *wait* for the next broken Oracle installer for such a hole.
>
> Other point. I have 2 "default" installed HP-UX 10.20 boxes and I
> *have* the sticky bit set on /tmp which cures the problem by itself.
> Well, the behaviour of `man' is not nice anyway.
>
> Could the original poster elaborate on his "default" installation?
> I could only think of installations which are no TCB HP-UX. I will
> check the change logs, but I don't think the +t depends on that.
> You *should* use TCB anyway on HP-UX, or how do you want to manage
> "shadowed" passwords there properly?
> Or do you really want to live with word readable hashed passwords?
Hi Fips,
Either s/o changed this or you ordered those systems with instant ignition
(OS pre-installed), and s/o at HP did it.
It is a *fact* that until now (11.0/11.1 for V class systems) HP-UX
default installations have /tmp as well as /var/tmp both set to 0777.
A good point to start for practical help on how to secure a HP-UX system
is http://people.hp.se/stevesk/index.html . Changing the system state to a
trusted system only does not really improve system security in a
significant way.
Best regards,
Volker
--
V. T. Mueller UCC Freiburg, Germany vtmue (at) uni-freiburg.de
"Never send a human to do a machine's job" Agent Smith, The Matrix
Received on Jun 08 2000
Intro
