HP CIFS Server Administrator's Guide (5900-1282, April 2011)

Restricting Execute Permission on Stacks
A common method of breaking into a system is by maliciously overflowing buffers on a program's
stack, such as passing unusually long command line arguments to a privileged program that does
not expect them. Malicious unprivileged users can use this technique to trick a privileged program
into starting a superuser shell for them, or to perform similar unauthorized actions.
One effective way to reduce the risk from this type of attack is to remove the execute permission
from the program's stack pages. This improves system security without impacting performance and
has no negative effects on the majority of legitimate applications.
The HP CIFS Server does not require execution on the stack. While the HP CIFS Server attempts
to prevent buffer overflows, you can also set the HP-UX kernel tunable parameter
executable_stack to disallow stack execution, which provides an additional layer of protection
from malicious attacks. For details, refer to the chatr man page.
Restricting User Access
In addition to authentication services, the HP CIFS Server provides the configuration parameters
valid users and invalid users in the smb.conf file, which you can use to further restrict
access to your CIFS server. You can also configure the admin users parameter so that
administrative capabilities are granted only to the users listed in that parameter.
For example, you can configure the valid users option in the smb.conf file as follows:
[global]
valid users = @smbusers, jack
This restricts all server access to the user jack and to members of the system group
smbusers.
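To show how the valid users, invalid users and admin users parameters combine, the following is an added example (not part of the HP guide and not HP CIFS Server code): a small parser for the smb.conf syntax used above, together with an access evaluator that applies the Samba precedence rules (a name in invalid users is denied even if it also appears in valid users; an empty valid users list admits any authenticated user; a share-level setting overrides the [global] default; @name denotes a system group). The smb.conf fragment is constructed for the example; the user and group names in it are hypothetical.

```python
import re

# Constructed sample smb.conf fragment (hypothetical users, groups and shares).
SAMPLE_SMB_CONF = """
[global]
    valid users = @smbusers, jack
    invalid users = root, @wheel
    admin users = jack

[finance]
    path = /srv/finance
    valid users = @finance
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Section and parameter names are lower-cased, comments (# or ;) and
    blank lines are skipped, and a later duplicate parameter overrides
    an earlier one within the same section, as smbd does.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_user_list(value):
    """Split a user-list value into (user names, group names).

    Entries are separated by commas and/or whitespace; an entry
    beginning with '@' is treated as a system group name.
    """
    users, groups = set(), set()
    for token in re.split(r"[,\s]+", value or ""):
        if not token:
            continue
        if token.startswith("@"):
            groups.add(token[1:])
        else:
            users.add(token)
    return users, groups


def matches(user, user_groups, list_value):
    """True if the user, or any of the user's groups, is in the list."""
    users, groups = parse_user_list(list_value)
    return user in users or bool(set(user_groups) & groups)


def effective(sections, share, key):
    """Share-level setting if present, else the [global] default, else None."""
    share_conf = sections.get(share, {})
    if key in share_conf:
        return share_conf[key]
    return sections.get("global", {}).get(key)


def is_allowed(sections, share, user, user_groups):
    """Decide share access the way the valid/invalid users rules do."""
    # invalid users takes precedence: a match here denies access outright.
    if matches(user, user_groups, effective(sections, share, "invalid users")):
        return False
    valid = effective(sections, share, "valid users")
    if not valid:
        return True  # empty valid users list: any authenticated user
    return matches(user, user_groups, valid)


def is_admin(sections, share, user, user_groups):
    """Administrative rights require access plus an admin users match."""
    return is_allowed(sections, share, user, user_groups) and matches(
        user, user_groups, effective(sections, share, "admin users")
    )


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share, user, groups in [("public", "jack", []), ("public", "bob", ["wheel", "smbusers"]),
                                ("finance", "alice", ["smbusers"]), ("finance", "carol", ["finance"])]:
        print(share, user, "allowed" if is_allowed(conf, share, user, groups) else "denied")
```

Running the block against the sample shows that bob is denied even though his smbusers membership would otherwise satisfy valid users, and that the finance share's own valid users line replaces, rather than extends, the [global] one.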
Automatically Receiving HP Security Bulletins
You can subscribe to automatically receive future HP Security Bulletins or other technical digests
from the HP IT Resource Center (ITRC) via electronic mail.
Use the following steps to register for and subscribe to HP Security Bulletins:
1. Use your browser to get to the HP IT Resource Center web site at: http://itrc.hp.com
2. Use your existing login or use the Register button to create a login for gaining access to many
areas of the ITRC. Remember to save your user ID and password.
3. Choose the Support Information Digests option under the Notification section (near the
bottom of page).
4. To subscribe to future HP Security Bulletins or other technical digests, click the check box for the
appropriate digest and then click the Update Subscriptions button.
To review bulletins already released, choose the link for the appropriate digest.
You can find your ITRC account security bulletins at:
http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin
136 Securing HP CIFS Server