Administrator's Guide

# userdbget -u username
The attributes configured for the user username are displayed. If an attribute is
misconfigured, reconfigure the attribute.
Problem 2: The user database is not functioning properly. If you need to check the user
database, enter the following command:
# userdbck
The userdbck command identifies and repairs problems in the user database.
2.6 Handling setuid and setgid Programs
Because they pose a potential security risk to the system, note which programs are
setuid (set user ID) and setgid (set group ID) programs. A system attacker can exploit
setuid and setgid programs, most often in one of two ways:
• By having a setuid or setgid program execute commands defined by the attacker,
  either interactively or by script.
• By substituting bogus data for the data created by a program.
Follow these guidelines to secure setuid and setgid programs:
• Watch for any changes to setuid and setgid programs.
• Investigate further any programs that appear to be unnecessary setuid programs.
• Change the permission of a program that is unnecessarily a setuid program to a
  setgid program. See chmod(1) and chmod(2) for more information.

  The long form of the ls command (ll or ls -l) shows setuid programs by listing
  S or s instead of - or x for the owner-execute permission. It shows setgid programs
  by listing S or s instead of - or x for the group-execute permission.
• You can expect to find setuid and setgid system files, but they should have the
  same permissions as provided by the factory media, unless you have customized
  them.
• Do not normally allow users to have setuid programs, especially when they use
  setuid to users other than themselves.
• Examine the code of all programs imported from external sources for destructive
  programs known as Trojan Horses. Never restore or install a setuid program for
  which you have no source to examine.
• To allow users access to certain superuser programs, HP recommends that you use
  Restricted SMH. Restricted SMH allows non-superusers to access particular areas of
  SMH. See smh(1M) for details.
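
One way to watch for changes to setuid and setgid programs, as the first guideline asks, is to save an inventory of them and compare later inventories against it. The following script is an added example, not part of this guide; the function names and the baseline file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): baseline and re-check of setuid and
# setgid files. Function names and file names are assumptions.

# suid_inventory DIR
# Print "mode owner group path" for every regular file under DIR that has
# the setuid (4000) or setgid (2000) bit set, staying on one file system.
# The mode column is the ls -l string, so s or S appears in the owner- or
# group-execute position as described in the guidelines.
suid_inventory() {
    LC_ALL=C find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null |
    awk '{
        # Fields 1, 3 and 4 are mode, owner and group; the path starts at
        # field 9. Runs of blanks inside a path are collapsed to one.
        line = $1 " " $3 " " $4
        for (i = 9; i <= NF; i++) line = line " " $i
        print line
    }' | LC_ALL=C sort
}

# suid_changes BASELINE CURRENT
# Compare two inventories written by suid_inventory. A file whose mode,
# owner or group changed is reported once as REMOVED and once as ADDED.
suid_changes() {
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/ADDED   /'
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/REMOVED /'
}

# Typical use (file names are placeholders):
#   suid_inventory / > suid.baseline     # once, on a known-good system
#   suid_inventory / > suid.now          # at each later check
#   suid_changes suid.baseline suid.now
```

Keep the baseline file where ordinary users cannot write to it, and investigate every ADDED line that you did not cause yourself.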
50 Administering User and System Security