Necessary world-writable files/directories
Kevin Collins 2004-05-14, 2:34 pm
Hi,
I've got a list of world-writable files and directories that exist on ALL
my HP-UX systems. There are a few which I suspect may be needed for normal
operations, however since we ignite all of our systems from the same image, it's
possible that some of these have been wrong "forever" in our environment.
If you can shed any light on these, I would greatly appreciate it.
/opt/apache/logs
/opt/tomcat/logs
/opt/tomcat/work
/var/X11/Xserver/logs
/var/adm/automount.log
/var/adm/streams
/var/dmi/socket/dmispSocket
/var/news
/var/obam/translated
/var/opt/common
/var/opt/omni/log
/var/opt/perf/datafiles/.perflbd.socket
/var/preserve
/var/rbootd
/var/spool/pwgr/daemon
/var/spool/uucppublic
/var/stm/config/tools/exercise/hosts.cfg
/var/stm/logs/ui_activity_log
Thanks,
Kevin
Ronald D. Morley 2004-05-16, 6:34 pm
Kevin Collins on Friday 14 May 2004 14:43 using recycled electrons
wrote:
> Hi,
>
> I've got a list of world-writable files and directories that exist on
> ALL my HP-UX systems. There are a few which I suspect may be needed
> for normal operations, however since we ignite all of our systems from
> the same image, it's possible that some of these have been wrong
> "forever" in our environment.
>
> If you can shed any light on these, I would greatly appreciate it.
>
> /opt/apache/logs
> /opt/tomcat/logs
> /opt/tomcat/work
> /var/X11/Xserver/logs
> /var/adm/automount.log
> /var/adm/streams
> /var/dmi/socket/dmispSocket
> /var/news
> /var/obam/translated
> /var/opt/common
> /var/opt/omni/log
> /var/opt/perf/datafiles/.perflbd.socket
> /var/preserve
> /var/rbootd
> /var/spool/pwgr/daemon
> /var/spool/uucppublic
> /var/stm/config/tools/exercise/hosts.cfg
> /var/stm/logs/ui_activity_log
>
> Thanks,
>
> Kevin
Hi Kevin,
It's been a while since I've worked with HP-UX, though I don't think
this is an HP-UX specific issue per se. AFAIK none of the log files
should be world writable. They should be writable only by the
application that owns them and should have perms 750. You don't want
world writable logs as they are your main way of detecting and tracing
possible cracking activity.
Likewise, the pwgr/daemon should be writable only by its owner. I
don't recall for certain, but I believe that this daemon can safely
have 750 perms also. It should definitely not be world writable as
that introduces a possible backdoor/trojan to anyone who can compromise
it. That holds true for executables in general; keep their perms as
tight as possible and never grant the world write access to them.
HTH,
Ron
--
Little known facts: the dirtiest words used on television during the
1950's were uttered by June Cleaver.
"Gee, Ward, weren't you a little hard on the Beaver last night?"
GnuPG key available at: pgp.mit.edu
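
A list like the one in this thread mixes regular files, directories and sockets, which need different handling. The script below is an added example, not part of the original posts: it sorts world-writable entries into classes for triage. The function names `ww_audit` and `ww_check` and the class labels are this example's own, and it assumes a `find` that supports `-type s`.

```shell
#!/bin/sh
# Added example: sort world-writable entries into classes for triage.
# Class names are this example's own, not HP-UX terminology.

# ww_audit DIR: print "CLASS<TAB>PATH" for every world-writable entry.
ww_audit() {
    # Regular files (logs, configs such as hosts.cfg): any user can alter them.
    find "$1" -xdev -type f -perm -0002 -exec printf 'FILE\t%s\n' {} +
    # Directories without the sticky bit: any user can delete or replace
    # files that belong to someone else.
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec printf 'DIR_NO_STICKY\t%s\n' {} +
    # Sticky directories (/tmp-style): users can only remove their own files.
    find "$1" -xdev -type d -perm -1002 -exec printf 'DIR_STICKY\t%s\n' {} +
    # Sockets: listed for review; access policy is a per-daemon decision.
    find "$1" -xdev -type s -perm -0002 -exec printf 'SOCKET\t%s\n' {} +
}

# ww_check DIR: print FILE and DIR_NO_STICKY findings; return 1 if any exist,
# so the function can gate a cron job or a golden-image build.
ww_check() {
    findings=$(ww_audit "$1" | grep -e '^FILE' -e '^DIR_NO_STICKY' || true)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against a directory given on the command line, e.g. ./ww_audit.sh /var
if [ $# -gt 0 ]; then
    ww_audit "$1"
fi
```

Running it against the ignite image before deployment shows which entries every system built from that image will inherit.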