Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!wuarchive!gem.mps.ohio-state.edu!apple!bionet!agate!ucbvax!hplabs!hp-ses!hpcuhb!hpindda!human
From: human@hpindda.HP.COM (Aaron Schuman)
Newsgroups: comp.sys.hp
Subject: Re: HP-UX problems and suggestions (s800)
Message-ID: <4310060@hpindda.HP.COM>
Date: 28 Sep 89 23:33:43 GMT
References: <1717@zen.co.uk>
Organization: 1+408-447-3158
Lines: 64


Frank>	HP-UX is consistently shipped with inappropriate file
Frank>	permissions (mostly on executables).
Frank>	Specifically, executables are installed with read
Frank>	permission enabled.  This violates the principle of
Frank>	minimum information, and is a potential security problem,
Frank>	since unfriendly users can use the strings(1) utility
Frank>	to examine the data spaces of executables (or indeed
Frank>	the entire files) for clues on how to defeat protection
Frank>	mechanisms, for example.

Back in the old days, files were shipped with whatever
permissions the developers put on them.  Mistakes were made.
Then we got smart about file permissions - security fiends
got together with system integrators, defined default
permissions for different classes of files, checked for
exceptions, and required developers to justify exceptions.

When we were establishing the defaults, we did consider
the principle of minimum information.  We decided to leave
executables readable because honest users have legitimate
reasons to read executables (running /usr/bin/what to
determine a version number before reporting a defect,
for instance), and because dishonest users are quite
likely to have access to some Unix-derived source code
anyway.  Even if it isn't HP-UX, it's probably similar.


Frank>	Another example: because of unnecessarily liberal file
Frank>	permissions, it is not hard to snoop on mail as it is
Frank>	being processed by sendmail(1M).  Denying 'other' read /
Frank>	search permissions on one directory solves the problem.

I read about that problem recently in Neil G.'s security mail
list, and wrote to HP's sendmail expert immediately.  He said:

David>	We do ship [the directory] world-readable/searchable.

David>	The configuration file we ship has always made the
David>	default queue file mode 600, plus if you don't set
David>	the default file mode at all, the default is also
David>	600 (in previous releases, including 3.1, mode 000).
David>	If HP-UX sendmail is making the queue files world
David>	readable, it's being system-administrator-configured
David>	to do so.


Your criticism of HP-UX is obviously carefully thought out,
and it is well received here.  I hope that somebody at HP
responds to each of your concerns, but even if some of them
are not addressed in replies to this note string, you can
be sure that your ideas are quoted in e-mail sent to the
people who are best able to implement them.

I'd also like to thank you for describing security concerns
in only as much detail as needed.  In the past, others have 
reported security problems in notes in cookbook detail.
To other readers of this note, please be discreet like
Frank!  If you discover a security defect, use notes to
ask someone to contact you.

				Aaron Schuman

				HP-UX Trusted Networks
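An added example, not part of Aaron's post and not HP's sendmail code: a POSIX sh audit for the two settings the exchange with David names, namely that the queue directory should deny 'other' read/search and that queue files should be mode 600. The function names (audit_queue_dir, fix_queue_dir, make_sample_queue) and the sample queue it builds under mktemp are this example's own; the file names inside it are constructed and are not real queue entries.

```shell
#!/bin/sh
# Audit a sendmail-style queue directory for the permissions the
# thread discusses: the directory itself should grant 'other' no
# read/search access, and every queue file should be -rw------- (0600).
# Function names here are this example's own, not sendmail's.

# Symbolic mode string (e.g. drwxr-xr-x) of a path; ls -ld works on
# HP-UX, BSD and GNU alike, unlike the two incompatible stat(1) flavours.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Prints one FINDING line per problem and a summary line; returns 0
# when the directory is clean, 1 otherwise.
audit_queue_dir() {
    dir=$1
    findings=0

    # Columns 8-10 of the mode string are the 'other' rwx bits.
    other=$(mode_of "$dir" | cut -c8-10)
    case $other in
        ---) ;;
        *)   echo "FINDING: $dir grants 'other' $other (queue snooping possible)"
             findings=$((findings + 1)) ;;
    esac

    # Every regular file in the queue should be exactly rw-------.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue      # skips the literal pattern on an empty dir
        fm=$(mode_of "$f")
        case $fm in
            -rw-------) ;;
            *)          echo "FINDING: $f has mode $fm, expected -rw-------"
                        findings=$((findings + 1)) ;;
        esac
    done

    echo "$findings finding(s) in $dir"
    [ "$findings" -eq 0 ]
}

# Remediation matching Frank's one-directory fix plus David's 600 default.
fix_queue_dir() {
    chmod 700 "$1"
    for f in "$1"/*; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Constructed sample: a queue directory with the liberal settings the
# thread criticises (directory 755, one data file 644).  Prints its path.
make_sample_queue() {
    q=$(mktemp -d)/mqueue
    mkdir "$q"
    chmod 755 "$q"
    : > "$q/qfAA00001"; chmod 600 "$q/qfAA00001"   # control file, correct
    : > "$q/dfAA00001"; chmod 644 "$q/dfAA00001"   # data file, world-readable
    echo "$q"
}
```

To use it on a live system, run `audit_queue_dir /var/spool/mqueue` (or wherever the local configuration keeps the queue) as a user who can list it; the exit status makes it usable from a cron job that mails the FINDING lines to the administrator. The check is purely mode-based, so it does not depend on what is in the files and can be run without reading any message content.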