HP-UX 11i Security - Ability to Change Login UMASK on Trusted Systems from Default 077 with General Release Patches for HP-UX 11.23 and HP-UX 11.31
Issue
A default login umask can be configured via the UMASK attribute described in security(4) . Currently, for a login into a Trusted System, the pam_unix(5) PAM module does not allow the default umask to be less restrictive than 077 . This restriction is not normally an issue for an interactive login session (such as telnet or rlogin), because the umask can be reset later (for example in the /etc/profile file).
However, this restriction can be an issue in other situations, for example, remsh a command/script, ssh a command/script, rcp , scp , ftp , or sftp .
The restrictive umask prevents these commands from creating files with access permissions less restrictive than 0700 .
Example :
The remote execution to a Trusted System shows default restricted umask 077 :
user1@barbados# ssh nut umask
Password:
077
user1@barbados# remsh nut umask
077
Solution
HP-UX engineering has delivered General Release (GR) patches with the option to be able to change the default login umask setting on a Trusted System. Along with required patch or patches, the existence of a trigger file in the /etc/default directory called BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS is required. If this file exists, then pam_unix does not impose any additional trusted_system restrictions on the umask . This allows Services to use a less restrictive default umask value, as configured in the /etc/default/security file.
However, Services, such as telnet or rlogin, will continue to use the restrictive umask of 077 as the default.
The following are GR patches available for enabling this option:
HP-UX 11.31 Patch PHCO_39232, libpam_hpsec.
HP-UX 11.23 Patches PHCO_39230, libpam_unix AND PHCO_39231, libpam_hpsec.
HP-UX 11.11 no Patch available, option not be available with this release.
After installing the appropriate patch or patches, follow the patch instructions (detailed in the Patch Descriptions) as follows:
Manually create the required trigger file in /etc/default as follows:
/etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
rw-rw-rw- 1 root bin Feb 13 10:41 BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
Modify the umask setting in file /etc/default/security to the desired setting.
Example :
#UMASK 022
to
UMASK 022
Example :
The remote command execution to a Trusted System now uses the desired umask setting (022 ) defined in the /etc/default/security _file:
user1@barbados# ssh nut umask
Password:
022
user1@barbados# remsh nut umask
022
=======================================
Issue : when user was copying files using “scp” without –p option from source server to target server, he’s getting the permission issue on copied files on target server.
He’s getting 600 permissions
ssh hcsftpsm@Jupitor.jnj.com umask is showing 077
Target server OS : 11.31
Sol : -
Verify the patches mentioned in the above document is installed or not on target server as below : -
#-> swlist -l patch |grep -i PHCO_40072
PHCO_40072.CORE-64SLIB 1.0 OS-Core.CORE-64SLIB applied
#-> swlist -a supersedes -l fileset | grep -E 'PHCO_39232|PHCO_40072'
# PHCO_40072
PHCO_40072.CORE-64SLIB PHCO_36743.CORE-64SLIB,fr=* PHCO_38601.CORE-64SLIB,fr=* PHCO_38824.CORE-64SLIB,fr=* PHCO_39232.CORE-64SLIB,fr=*
PHCO_40072.CORE-ENG-A-MAN PHCO_36743.CORE-ENG-A-MAN,fr=* PHCO_38601.CORE-ENG-A-MAN,fr=* PHCO_38824.CORE-ENG-A-MAN,fr=* PHCO_39232.CORE-ENG-A-MAN,fr=*
PHCO_40072.CORE-SHLIBS PHCO_36743.CORE-SHLIBS,fr=* PHCO_38601.CORE-SHLIBS,fr=* PHCO_38824.CORE-SHLIBS,fr=* PHCO_39232.CORE-SHLIBS,fr=*
PHCO_40072.CORE2-64SLIB PHCO_36743.CORE2-64SLIB,fr=* PHCO_38601.CORE2-64SLIB,fr=* PHCO_38824.CORE2-64SLIB,fr=* PHCO_39232.CORE2-64SLIB,fr=*
PHCO_40072.CORE2-SHLIBS PHCO_36743.CORE2-SHLIBS,fr=* PHCO_38601.CORE2-SHLIBS,fr=* PHCO_38824.CORE2-SHLIBS,fr=* PHCO_39232.CORE2-SHLIBS,fr=*
[root@Jupitor:/etc/opt/ssh]#
#-> swlist -l patch |grep -i PHCO_41282
[root@Jupitor:/etc/opt/ssh]#
#-> swlist -a supersedes -l fileset | grep -E 'PHCO_41282'
PHCO_41859.RBAC-CONF PHCO_36479.RBAC-CONF,fr=* PHCO_37832.RBAC-CONF,fr=* PHCO_38583.RBAC-CONF,fr=* PHCO_40131.RBAC-CONF,fr=* PHCO_40362.RBAC-CONF,fr=* PHCO_41282.RBAC-CONF,fr=*
PHCO_41859.RBAC-ENG-A-MAN PHCO_36479.RBAC-ENG-A-MAN,fr=* PHCO_37832.RBAC-ENG-A-MAN,fr=* PHCO_38583.RBAC-ENG-A-MAN,fr=* PHCO_40131.RBAC-ENG-A-MAN,fr=* PHCO_40362.RBAC-ENG-A-MAN,fr=* PHCO_41282.RBAC-ENG-A-MAN,fr=*
PHCO_41859.RBAC-RUN PHCO_36479.RBAC-RUN,fr=* PHCO_37832.RBAC-RUN,fr=* PHCO_38583.RBAC-RUN,fr=* PHCO_40131.RBAC-RUN,fr=* PHCO_40362.RBAC-RUN,fr=* PHCO_41282.RBAC-RUN,fr=*
[root@Jupitor:/etc/opt/ssh]#
Required patched installed on the server, now proceed with below steps :-
[root@Jupitor:/.root]#
#-> ll /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
/etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS not found
[root@Jupitor:/.root]#
#-> touch /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
[root@Jupitor:/.root]#
#-> chmod 666 /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
[root@Jupitor:/.root]#
#-> chown root:bin /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
[root@Jupitor:/.root]#
#-> ll /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
-rw-rw-rw- 1 root bin 0 Sep 17 18:08 /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
[root@Jupitor:/.root]#
#-> cat /etc/default/security |grep -i umask
# Default umask value upon login. Note: This
# attribute controls umask(2) of all sessions
# UMASK=0022
UMASK=022
[root@Jupitor:/.root]#
Verify/copy the files now, issue resolved.
You will get 644 permissions for the copied files.
ssh hcsftpsm@Jupitor.jnj.com umask is showing 022
Issue
A default login umask can be configured via the UMASK attribute described in security(4) . Currently, for a login into a Trusted System, the pam_unix(5) PAM module does not allow the default umask to be less restrictive than 077 . This restriction is not normally an issue for an interactive login session (such as telnet or rlogin), because the umask can be reset later (for example in the /etc/profile file).
However, this restriction can be an issue in other situations, for example, remsh a command/script, ssh a command/script, rcp , scp , ftp , or sftp .
The restrictive umask prevents these commands from creating files with access permissions less restrictive than 0700 .
Example :
The remote execution to a Trusted System shows default restricted umask 077 :
user1@barbados# ssh nut umask
Password:
077
user1@barbados# remsh nut umask
077
Solution
HP-UX engineering has delivered General Release (GR) patches with the option to be able to change the default login umask setting on a Trusted System. Along with required patch or patches, the existence of a trigger file in the /etc/default directory called BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS is required. If this file exists, then pam_unix does not impose any additional trusted_system restrictions on the umask . This allows Services to use a less restrictive default umask value, as configured in the /etc/default/security file.
However, Services, such as telnet or rlogin, will continue to use the restrictive umask of 077 as the default.
The following are GR patches available for enabling this option:
HP-UX 11.31 Patch PHCO_39232, libpam_hpsec.
HP-UX 11.23 Patches PHCO_39230, libpam_unix AND PHCO_39231, libpam_hpsec.
HP-UX 11.11 no Patch available, option not be available with this release.
After installing the appropriate patch or patches, follow the patch instructions (detailed in the Patch Descriptions) as follows:
Manually create the required trigger file in /etc/default as follows:
/etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
rw-rw-rw- 1 root bin Feb 13 10:41 BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
Modify the umask setting in file /etc/default/security to the desired setting.
Example :
#UMASK 022
to
UMASK 022
Example :
The remote command execution to a Trusted System now uses the desired umask setting (022 ) defined in the /etc/default/security _file:
user1@barbados# ssh nut umask
Password:
022
user1@barbados# remsh nut umask
022
=======================================
Issue : when user was copying files using “scp” without –p option from source server to target server, he’s getting the permission issue on copied files on target server.
He’s getting 600 permissions
ssh hcsftpsm@Jupitor.jnj.com umask is showing 077
Target server OS : 11.31
Sol : -
Verify the patches mentioned in the above document is installed or not on target server as below : -
#-> swlist -l patch |grep -i PHCO_40072
PHCO_40072.CORE-64SLIB 1.0 OS-Core.CORE-64SLIB applied
#-> swlist -a supersedes -l fileset | grep -E 'PHCO_39232|PHCO_40072'
# PHCO_40072
PHCO_40072.CORE-64SLIB PHCO_36743.CORE-64SLIB,fr=* PHCO_38601.CORE-64SLIB,fr=* PHCO_38824.CORE-64SLIB,fr=* PHCO_39232.CORE-64SLIB,fr=*
PHCO_40072.CORE-ENG-A-MAN PHCO_36743.CORE-ENG-A-MAN,fr=* PHCO_38601.CORE-ENG-A-MAN,fr=* PHCO_38824.CORE-ENG-A-MAN,fr=* PHCO_39232.CORE-ENG-A-MAN,fr=*
PHCO_40072.CORE-SHLIBS PHCO_36743.CORE-SHLIBS,fr=* PHCO_38601.CORE-SHLIBS,fr=* PHCO_38824.CORE-SHLIBS,fr=* PHCO_39232.CORE-SHLIBS,fr=*
PHCO_40072.CORE2-64SLIB PHCO_36743.CORE2-64SLIB,fr=* PHCO_38601.CORE2-64SLIB,fr=* PHCO_38824.CORE2-64SLIB,fr=* PHCO_39232.CORE2-64SLIB,fr=*
PHCO_40072.CORE2-SHLIBS PHCO_36743.CORE2-SHLIBS,fr=* PHCO_38601.CORE2-SHLIBS,fr=* PHCO_38824.CORE2-SHLIBS,fr=* PHCO_39232.CORE2-SHLIBS,fr=*
[root@Jupitor:/etc/opt/ssh]#
#-> swlist -l patch |grep -i PHCO_41282
[root@Jupitor:/etc/opt/ssh]#
#-> swlist -a supersedes -l fileset | grep -E 'PHCO_41282'
PHCO_41859.RBAC-CONF PHCO_36479.RBAC-CONF,fr=* PHCO_37832.RBAC-CONF,fr=* PHCO_38583.RBAC-CONF,fr=* PHCO_40131.RBAC-CONF,fr=* PHCO_40362.RBAC-CONF,fr=* PHCO_41282.RBAC-CONF,fr=*
PHCO_41859.RBAC-ENG-A-MAN PHCO_36479.RBAC-ENG-A-MAN,fr=* PHCO_37832.RBAC-ENG-A-MAN,fr=* PHCO_38583.RBAC-ENG-A-MAN,fr=* PHCO_40131.RBAC-ENG-A-MAN,fr=* PHCO_40362.RBAC-ENG-A-MAN,fr=* PHCO_41282.RBAC-ENG-A-MAN,fr=*
PHCO_41859.RBAC-RUN PHCO_36479.RBAC-RUN,fr=* PHCO_37832.RBAC-RUN,fr=* PHCO_38583.RBAC-RUN,fr=* PHCO_40131.RBAC-RUN,fr=* PHCO_40362.RBAC-RUN,fr=* PHCO_41282.RBAC-RUN,fr=*
[root@Jupitor:/etc/opt/ssh]#
Required patched installed on the server, now proceed with below steps :-
[root@Jupitor:/.root]#
#-> ll /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
/etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS not found
[root@Jupitor:/.root]#
#-> touch /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
[root@Jupitor:/.root]#
#-> chmod 666 /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
[root@Jupitor:/.root]#
#-> chown root:bin /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
[root@Jupitor:/.root]#
#-> ll /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
-rw-rw-rw- 1 root bin 0 Sep 17 18:08 /etc/default/BYPASS_TRUSTED_SYSTEM_UMASK_RESTRICTIONS
[root@Jupitor:/.root]#
#-> cat /etc/default/security |grep -i umask
# Default umask value upon login. Note: This
# attribute controls umask(2) of all sessions
# UMASK=0022
UMASK=022
[root@Jupitor:/.root]#
Verify/copy the files now, issue resolved.
You will get 644 permissions for the copied files.
ssh hcsftpsm@Jupitor.jnj.com umask is showing 022
No comments:
Post a Comment