Re: HP Security vulnerability in the man command

[vtmue () UNI-FREIBURG DE (V. T. Mueller)]

On Tue, 6 Jun 2000, Philipp Buehler wrote:

> Theo de Raadt wrote To BUGTRAQ () SECURITYFOCUS COM:
> > > 0) HP *still* insists on NOT setting the sticky bit on world-writeable
> > > temporary directories (/tmp and /var/tmp) on default installs of HPUX.
> > If this is the case, then any temporary file which gets reopened is
> > not safe.  A *lot* of software does reopening by name.
> Handling temporary files is broken in so many scripts .. e.g. I just
> *wait* for the next broken Oracle installer for such a hole.
>
> Other point. I have 2 "default" installed HP-UX 10.20 boxes and I
> *have* the sticky bit set on /tmp which cures the problem by itself.
> Well, the behaviour of `man' is not nice anyway.
>
> Could the original poster elaborate on his "default" installation?
> I could only think of installations which are no TCB HP-UX. I will
> check the change logs, but I don't think the +t depends on that.
> You *should* use TCB anyway on HP-UX, or how do you want to manage
> "shadowed" passwords there properly?
> Or do you really want to live with word readable hashed passwords?

Hi Fips,

Either s/o changed this or you ordered those systems with instant ignition
(OS pre-installed), and s/o at HP did it.

It is a *fact* that until now (11.0/11.1 for V class systems) HP-UX
default installations have /tmp as well as /var/tmp both set to 0777.

A good point to start for practical help on how to secure a HP-UX system
is http://people.hp.se/stevesk/index.html . Changing the system state to a
trusted system only does not really improve system security in a
significant way.

Best regards,
Volker

--
V. T. Mueller      UCC Freiburg, Germany      vtmue (at) uni-freiburg.de

"Never send a human to do a machine's job"       Agent Smith, The Matrix