Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 6 File System Security

Security Considerations for /dev Device Special Files


Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

Access to all devices in the system is controlled by device special files, which enable programs to be device independent. These files are shipped with permission settings that enable proper use and maximum security.

If you install any other device special files, see insf(1M) for information about correct permission settings.

Because device special files can be as vulnerable to tampering as any other file, observe the following precautions:

  • Keep all device special files in the /dev directory.

  • Protect the memory files, /dev/mem and /dev/kmem, from casual access, because these files contain sensitive user information. For example, a program that watches memory for an invocation of the login program might copy the password from the login program buffers when a user types it in. The file protections should be set to:

    crw-r----- 1 bin sys 3 0x000001 Jun 9 2006 /dev/kmem crw-r----- 1 bin sys 3 0x000000 Jun 9 2006 /dev/mem
  • Protect all disk special files:

    • Write protect all disk special files from general users to prevent inadvertent data corruption. Turn off write access for group and other.

    • Read protect disk special files to prevent disclosure. Turn off read access for other.

    The file protections should be set to:

    brw-r----- 1 bin sys 31 0x002000 Feb 18 2004 /dev/dsk/c0t2d0 crw-r----- 1 bin sys 188 0x002000 Aug 3 2004 /dev/rdsk/c0t2d0 brw-r----- 1 root sys 64 0x000002 Jun 11 2006 /dev/vg00/lvol2 crw-r----- 1 root sys 64 0x000002 Jun 11 2006 /dev/vg00/rlvol2
  • Terminal ports on HP-UX systems are writable by anyone if you allow users to communicate by using the write or talk programs. Permit only the owner to have read permission.

  • Do not permit individual users to own a device special file other than for a terminal device or personal printer.

  • Before putting a disk or other mountable device of unknown origin into service, check its files for device special files and setuid programs. See Section .

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.