Administrator's Guide
# userdbget -u username
The attributes configured for the user username are displayed. If an attribute is
misconfigured, reconfigure the attribute.
Problem 2: The user database is not functioning properly. If you need to check the user
database, enter the following command:
# userdbck
The userdbck command identifies and repairs problems in the user database.
2.6 Handling setuid and setgid Programs
Because they pose a potential security risk to the system, note which programs are
setuid (set user ID) and setgid (set group ID) programs. A system attacker can exploit
setuid and setgid programs, most often in one of two ways:
• By having a setuid or setgid program execute commands defined by the attacker,
either interactively or by script.
• By substituting bogus data for the data created by a program.
Follow these guidelines to secure setuid and setgid programs:
• Watch for any changes to setuid and setgid programs.
• Investigate further any programs that appear to be unnecessary setuid programs.
• Change the permission of a program that is unnecessarily a setuid program to a
setgid program. See chmod(1) and chmod(2) for more information.
The long form of the ls command (ll or ls -l) shows setuid programs by listing
S or s instead of - or x for the owner-execute permission. It shows setgid programs
by listing S or s instead of - or x for the group-execute permission.
You can expect to find setuid and setgid system files, but they should have the
same permissions as provided by the factory media, unless you have customized
them.
• Do not allow users to normally have setuid programs, especially when they use
setuid to users other than themselves.
• Examine the code of all programs imported from external sources for destructive
programs known as Trojan Horses. Never restore or install a setuid program for
which you have no source to examine.
• To allow users access to certain superuser programs, HP recommends that you use
Restricted SMH. Restricted SMH allows non-superusers to access particular areas of
SMH. See smh(1M) for details.
50 Administering User and System Security