Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX Reference > S

secure_sid_scripts(5)

Tunable Kernel Parameters
HP-UX 11i Version 3: February 2007
» 

Technical documentation

» Feedback
Content starts here

 » Table of Contents

 » Index

NAME

secure_sid_scripts — controls whether setuid and setgid bits on scripts are honored

VALUES

Failsafe

0

Default

1

Allowed values

0-1

Recommended values

0-1

DESCRIPTION

This tunable controls whether setuid and setgid bits on executable scripts have any effect. Honoring set*id on scripts make a system vulnerable to attack by malicious users.

The default value for this variable is 1, indicating that set*id bits are to be ignored by the execve(2) system call for higher security. The tunable can be set to 0 for a compatibility with older releases at the expense of security. Hewlett-Packard strongly recommends that you not change the value of this tunable unless there is an urgent need to do so.

When a script with set*id bits is executed, the kernel generates the following error message to both the terminal controlling and the system log. (To view the error message, use dmesg(1M) or inspect /var/adm/syslog/syslog.log.)

  • Warning: Ignoring set*id bit on program_name as the tunable secure_sid_scripts is set.

Who is Expected to Change This Tunable?

Administrator.

Restrictions on Changing

Changes to this tunable take effect for new scripts started after the change.

When Should the Value of This Tunable Be Changed?

This tunable controls operational modes rather than data structure sizes and limits. The appropriate setting for a system depends on whether you consider security or compatibility to be most important.

A value of 0 is compatible with previous releases of HP-UX, but it is also less secure.

A value of 1 provides security against race condition attacks exploiting set*id scripts.

What Are the Side Effects of Changing the Value

This tunable controls only executable scripts (not programs) with set*id bit set. HP-UX does not ship with any such scripts. If the customer wishes to use set*id scripts, third party applications such as suidperl or sudo can be used. Alternatively, the shell script can be wrapped in a simple C program that runs the shell script with appropriate permissions:

#include <unistd.h> #include <stdlib.h> #include <string.h> #define SETUID_SCRIPT "/usr/local/bin/cdeject" int main(int argc, char *const argv[]) { if (strcmp(argv[1], SETUID_SCRIPT) == 0) { execv(argv[1], argv+1); perror(argv[0]); } else { fprintf(stderr, "%s is not a known setuid script\n", argv[1] ? argv[1] : "unspecified-script" ); } exit(1); }

What Other Tunable Values Should Be Changed at the Same Time?

None.

WARNINGS

None. All HP-UX kernel tunable parameters are release specific. This parameter may be removed or have its meaning changed in future releases of HP-UX.

Installation of optional kernel software, from HP or other vendors, may cause changes to tunable parameter values. After installation, some tunable parameters may no longer be at the default or recommended values. For information about the effects of installation on tunable values, consult the documentation for the kernel software being installed. For information about optional kernel software that was factory installed on your system, see HP-UX Release Notes at http://docs.hp.com.

FILES

/var/adm/syslog/syslog.log

AUTHOR

secure_sid_scripts was developed by HP.

SEE ALSO

chmod(1), execve(2), kctune(1M).

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1983-2007 Hewlett-Packard Development Company, L.P.