[15256] in bugtraq
Re: HP Security vulnerability in the man command
daemon@ATHENA.MIT.EDU (V. T. Mueller)
Thu Jun 8 14:45:07 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.HPX.4.20.0006071831450.17588-100000@heaven.ruf.uni-freiburg.de>
Date: Wed, 7 Jun 2000 18:39:46 +0200
Reply-To: "V. T. Mueller" <vtmue@UNI-FREIBURG.DE>
From: "V. T. Mueller" <vtmue@UNI-FREIBURG.DE>
X-To: Philipp Buehler <lists@fips.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000606105631.A6039@pohl.fips.de>
On Tue, 6 Jun 2000, Philipp Buehler wrote:
> Theo de Raadt wrote To BUGTRAQ@SECURITYFOCUS.COM:
> > > 0) HP *still* insists on NOT setting the sticky bit on world-writeable
> > > temporary directories (/tmp and /var/tmp) on default installs of HPUX.
> > If this is the case, then any temporary file which gets reopened is
> > not safe. A *lot* of software does reopening by name.
> Handling temporary files is broken in so many scripts .. e.g. I just
> *wait* for the next broken Oracle installer for such a hole.
>
> Other point. I have 2 "default" installed HP-UX 10.20 boxes and I
> *have* the sticky bit set on /tmp which cures the problem by itself.
> Well, the behaviour of `man' is not nice anyway.
>
> Could the original poster elaborate on his "default" installation?
> I could only think of installations which are no TCB HP-UX. I will
> check the change logs, but I don't think the +t depends on that.
> You *should* use TCB anyway on HP-UX, or how do you want to manage
> "shadowed" passwords there properly?
> Or do you really want to live with word readable hashed passwords?
Hi Fips,
Either s/o changed this or you ordered those systems with instant ignition
(OS pre-installed), and s/o at HP did it.
It is a *fact* that until now (11.0/11.1 for V class systems) HP-UX
default installations have /tmp as well as /var/tmp both set to 0777.
A good point to start for practical help on how to secure a HP-UX system
is http://people.hp.se/stevesk/index.html . Changing the system state to a
trusted system only does not really improve system security in a
significant way.
Best regards,
Volker
--
V. T. Mueller UCC Freiburg, Germany vtmue (at) uni-freiburg.de
"Never send a human to do a machine's job" Agent Smith, The Matrix
