Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!wuarchive!gem.mps.ohio-state.edu!apple!bionet!agate!ucbvax!hplabs!hp-ses!hpcuhb!hpindda!human
From: human@hpindda.HP.COM (Aaron Schuman)
Newsgroups: comp.sys.hp
Subject: Re: HP-UX problems and suggestions (s800)
Message-ID: <4310060@hpindda.HP.COM>
Date: 28 Sep 89 23:33:43 GMT
References: <1717@zen.co.uk>
Organization: 1+408-447-3158
Lines: 64

Frank> HP-UX is consistently shipped with inappropriate file
Frank> permissions (mostly on executables).
Frank> Specifically, executables are installed with read
Frank> permission enabled. This violates the principle of
Frank> minimum information, and is a potential security problem,
Frank> since unfriendly users can use the strings(1) utility
Frank> to examine the data spaces of executables (or indeed
Frank> the entire files) for clues on how to defeat protection
Frank> mechanisms, for example.

Back in the old days, files were shipped with whatever permissions the
developers put on them. Mistakes were made. Then we got smart about file
permissions - security fiends got together with system integrators,
defined default permissions for different classes of files, checked for
exceptions, and required developers to justify exceptions.

When we were establishing the defaults, we did consider the principle of
minimum information. We decided to leave executables readable because
honest users have legitimate reasons to read executables (running
/usr/bin/what to determine a version number before reporting a defect,
for instance), and because dishonest users are quite likely to have
access to some Unix-derived source code anyway. Even if it isn't HP-UX,
it's probably similar.

Frank> Another example: because of unnecessarily liberal file
Frank> permissions, it is not hard to snoop on mail as it is
Frank> being processed by sendmail(1M). Denying 'other' read /
Frank> search permissions on one directory solves the problem.
I read about that problem recently in Neil G.'s security mail list, and
wrote to HP's sendmail expert immediately. He said:

David> We do ship [the directory] world-readable/searchable.
David> The configuration file we ship has always made the
David> default queue file mode 600, plus if you don't set
David> the default file mode at all, the default is also
David> 600 (in previous releases, including 3.1, mode 000).
David> If HP-UX sendmail is making the queue files world
David> readable, it's being system-administrator-configured
David> to do so.

Your criticism of HP-UX is obviously carefully thought out, and it is
well received here. I hope that somebody at HP responds to each of your
concerns, but even if some of them are not addressed in replies to this
note string, you can be sure that your ideas are quoted in e-mail sent
to the people who are best able to implement them.

I'd also like to thank you for describing security concerns in only as
much detail as needed. In the past, others have reported security
problems in notes in cookbook detail. To other readers of this note,
please be discreet like Frank! If you discover a security defect, use
notes to ask someone to contact you.

Aaron Schuman
HP-UX Trusted Networks
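An added example, not part of the original posting and not HP's code: a POSIX sh audit of the two permission classes the thread argues about, run against a constructed sample tree so it works offline. It finds executables that 'other' can both run and read (Frank's strings(1) concern), finds queue files that 'other' can read (the administrator-configured case David describes, represented here by a 644 file beside a 600 one), and applies Frank's one-directory fix of denying 'other' read and search on the spool. The tree layout, the file names such as qfAA00001, and the use of mktemp(1) are assumptions for the demonstration; only find(1) and chmod(1) do the real work.

```shell
#!/bin/sh
# Added example (not from the original posting, not HP's code).
# Audits a constructed sample tree for the two permission issues the
# thread discusses: executables readable by 'other', and a sendmail
# queue directory that 'other' can read or search. Names such as
# qfAA00001 are invented; the 600 queue file stands for the shipped
# default David mentions, the 644 one for a misconfigured site.

# Regular files under $1 that 'other' can both execute and read.
# Prints paths relative to $1, one per line, sorted.
world_readable_execs() {
    ( cd "$1" && find . -type f -perm -001 -perm -004 -print | sort )
}

# Drop group/other read and write from such executables, keeping execute.
# An x-only binary still runs, but strings(1), cp(1) and what(1) can no
# longer open it: exactly the trade-off Aaron describes.
harden_execs() {
    find "$1" -type f -perm -001 -perm -004 -exec chmod go-rw {} +
}

# Queue files under $1 that 'other' can read. With the shipped default
# queue file mode of 600 this list should be empty.
readable_queue_files() {
    ( cd "$1" && find . -type f -perm -004 -print | sort )
}

# "open" if 'other' has read or search on directory $1, else "closed".
# -prune keeps find on the directory itself rather than descending.
spool_exposure() {
    if [ -n "$(find "$1" -prune \( -perm -001 -o -perm -004 \) -print)" ]; then
        echo open
    else
        echo closed
    fi
}

# Frank's one-directory fix: deny 'other' read and search on the spool.
# Even a 644 queue file is then unreachable by path for other users.
close_spool() {
    chmod o-rx "$1"
}

# Build the constructed sample tree and print its root directory.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/spool/mqueue"
    printf '#!/bin/sh\necho a\n' > "$root/bin/a"; chmod 755 "$root/bin/a"  # readable
    printf '#!/bin/sh\necho b\n' > "$root/bin/b"; chmod 711 "$root/bin/b"  # x-only
    : > "$root/spool/mqueue/qfAA00001"; chmod 600 "$root/spool/mqueue/qfAA00001"
    : > "$root/spool/mqueue/qfAA00002"; chmod 644 "$root/spool/mqueue/qfAA00002"
    chmod 755 "$root/spool/mqueue"   # as shipped: world-readable/searchable
    echo "$root"
}

# Stand-alone run (sh audit.sh --demo): report, fix, report again, clean up.
if [ "${1:-}" = "--demo" ]; then
    t=$(build_sample_tree)
    echo "readable executables:"; world_readable_execs "$t/bin"
    echo "readable queue files:"; readable_queue_files "$t/spool/mqueue"
    echo "spool before: $(spool_exposure "$t/spool/mqueue")"
    close_spool "$t/spool/mqueue"; harden_execs "$t/bin"
    echo "spool after:  $(spool_exposure "$t/spool/mqueue")"
    rm -rf "$t"
fi
```

Two caveats for anyone adapting this to a real system: find's -perm tests mode bits, not effective access, so root sees the same results as an ordinary user; and harden_execs is the policy Aaron's group chose not to ship, since it also locks out what(1) for honest users, so treat it as an option rather than a recommendation.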