Administrator's Guide

5.6 ACLs and NFS
The Network File System (NFS) has no facility to pass ACL information about remote files. Therefore, the ACLs on remote files are not visible over NFS. The ls -l command will not show that ACLs exist on a remote file, but the access control that the ACL imposes remains in effect.
Individual manpage entries specify the behavior of the various system calls, library calls,
and commands under these circumstances.
IMPORTANT: Use caution when transferring a file with optional entries over a network,
or when manipulating a remote file, because NFS can delete optional entries with no
notification.
5.7 Security Considerations for /dev Device Special Files
Access to all devices in the system is controlled by device special files, which enable
programs to be device independent. These files are shipped with permission settings that
enable proper use and maximum security.
If you install any other device special files, see insf(1M) for information about correct
permission settings.
Because device special files can be as vulnerable to tampering as any other file, observe
the following precautions:
Keep all device special files in the /dev directory.

Protect the memory files, /dev/mem and /dev/kmem, from casual access, because these files contain sensitive user information. For example, a program that watches memory for an invocation of the login program might copy the password from the login program buffers when a user types it in. The file protections should be set to:

crw-r----- 1 bin sys 3 0x000001 Jun 9 2006 /dev/kmem
crw-r----- 1 bin sys 3 0x000000 Jun 9 2006 /dev/mem

Protect all disk special files:

    Write protect all disk special files from general users to prevent inadvertent data corruption. Turn off write access for group and other.

    Read protect disk special files to prevent disclosure. Turn off read access for other.

The file protections should be set to:

brw-r----- 1 bin sys 31 0x002000 Feb 18 2004 /dev/dsk/c0t2d0
crw-r----- 1 bin sys 188 0x002000 Aug 3 2004 /dev/rdsk/c0t2d0
brw-r----- 1 root sys 64 0x000002 Jun 11 2006 /dev/vg00/lvol2
crw-r----- 1 root sys 64 0x000002 Jun 11 2006 /dev/vg00/rlvol2

Terminal ports on HP-UX systems are writable by anyone if you allow users to communicate by using the write or talk programs. Permit only the owner to have read permission.
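The following POSIX shell audit is an added example, not part of the HP-UX guide: it reads ls -l lines for the memory and disk special files, converts the symbolic mode to octal, and flags any entry that is not a device, is group-writable, or grants any access to other. The ls -l sample lines are constructed for the example; a trailing "+" (the ACL marker) is tolerated so the check also works on files that carry optional ACL entries.

```shell
# Audit ls -l entries for device special files against the guide's policy:
# block/char device type, group may read but not write, other has no access.
# The ls -l sample lines are constructed for this example, not real output.

# triplet_value: print 0..7 for one rwx triplet such as "rw-".
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    printf '%s' "$v"
}
# mode_to_octal: convert a symbolic mode (crw-r-----) to three octal digits (640).
mode_to_octal() {
    u=$(triplet_value "$(printf '%s' "$1" | cut -c2-4)")
    g=$(triplet_value "$(printf '%s' "$1" | cut -c5-7)")
    o=$(triplet_value "$(printf '%s' "$1" | cut -c8-10)")
    printf '%s%s%s' "$u" "$g" "$o"
}

# check_dev_mode: return 0 if the symbolic mode satisfies the policy, else 1.
check_dev_mode() {
    case "$1" in
        [bc]??????---*) ;;     # device type, other has no access; "+" ACL marker allowed
        *) return 1 ;;
    esac
    case "$1" in
        ?????w*) return 1 ;;   # group write bit is set
    esac
    return 0
}

# audit_ls_output: read ls -l lines on stdin; print "path mode octal" per violation, return 1 if any.
audit_ls_output() {
    rc=0
    while read -r mode rest; do
        path=${rest##* }
        if ! check_dev_mode "$mode"; then
            printf '%s %s %s\n' "$path" "$mode" "$(mode_to_octal "$mode")"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: one compliant entry and two that break the policy.
SAMPLE='crw-r-----  1 bin  sys   3 0x000001 Jun  9  2006 /dev/kmem
brw-rw-r--  1 bin  sys  31 0x002000 Feb 18  2004 /dev/dsk/c0t2d0
crw-r--r--  1 root sys  64 0x000002 Jun 11  2006 /dev/vg00/rlvol2'
audit_sample() { printf '%s\n' "$SAMPLE" | audit_ls_output; }
```

On a live system, feed `ls -l /dev/mem /dev/kmem /dev/dsk/* /dev/rdsk/*` into `audit_ls_output` instead of the constructed sample.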