
RE: sticky bits, AIX and TMR/MNs: msg#00462

sysutils.tivoli.tme10

Subject: RE: sticky bits, AIX and TMR/MNs

Michael:
Regarding your question on "why" set the sticky bit? I have no idea - it
seems that to our security auditors, 777 permissions are okay if
accompanied by an active sticky bit. I don't make the rules, I'm just
trying to follow them.... :)

Jamie Carl
Enterprise Systems Management
Phone: 614-213-7512






<michael.staats@rwe.com>
Sent by: owner-tme10@lists.us.ibm.com
03/22/2005 01:35 AM
Please respond to tme10

To: <tme10@xxxxxxxxxxxxxxxx>
cc:
Subject: RE: [tme10] sticky bits, AIX and TMR/MNs









> Our security team has done a "sweep" of our TMR and Gateways (all running
> AIX) and identified numerous files with global rwx (777) permissions
> within the Tivoli directory structure. They want
> to activate the "sticky bit" on all of these files - I'm apprehensive
> to say the least.... Sometimes files are 777
> because they need to be. We're running TMF 4.1.1+, SWD 4.0+, INV
> 4.1+, DM 3.7+, ITM 5.1.2-FP2.

Hi,
you should be able to get away with rwxrwxr-x or rw-rw-r-- in most, if
not all cases, if you set up group memberships appropriately, although in
the case of Tivoli that could mean having to "chgrp nobody" some files.

But, whatever you do, how is "setting the sticky bit" on files
supposed to affect security? Setting the t bit of an executable means "set
the save-text attribute", which is probably the most useless attribute
in a modern paging system.

Bye,
Michael

--
Dr. Michael Staats
RWE Systems Computing GmbH
Data Center
SIC-PS Systems Management
Altenessener Str. 37/39
45141 Essen

T internal 70-26919
T external +49(0)201/12-26919
F external +49(0)201/12-24751
mailto:michael.staats@xxxxxxx
Internally, please use the new distribution list "VL SIC-PS Administration"





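The distinction raised in the thread above, as an added example that is not part of the original messages: a POSIX shell function that lists world-writable entries under a tree and tags whether the sticky bit is set. On a regular file the t bit does not restrict writes; on a directory it limits deleting and renaming entries to their owners. The function names and tag names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): tag world-writable entries under a tree.
# Output: one "<tag> <path>" line per entry. Tag names are this example's own.
#   file-ww         regular file, o+w, no sticky bit
#   file-ww-sticky  regular file, o+w, sticky bit set
#   dir-ww          directory, o+w, no sticky bit
#   dir-ww-sticky   directory, o+w, sticky bit set
audit_world_writable() {
    root=$1

    # Regular files: o+w lets any local user rewrite the contents. The t bit
    # on a regular file does not restrict writes, so file-ww-sticky entries
    # are exactly as exposed as file-ww entries.
    find "$root" -type f -perm -0002 ! -perm -1000 \
        -exec printf 'file-ww %s\n' {} \;
    find "$root" -type f -perm -0002 -perm -1000 \
        -exec printf 'file-ww-sticky %s\n' {} \;

    # Directories: o+w without t lets any user delete or rename entries
    # owned by others. With t set, only the entry's owner, the directory's
    # owner, or root may do so.
    find "$root" -type d -perm -0002 ! -perm -1000 \
        -exec printf 'dir-ww %s\n' {} \;
    find "$root" -type d -perm -0002 -perm -1000 \
        -exec printf 'dir-ww-sticky %s\n' {} \;
}

# Count entries for which the sticky bit provides no protection: every
# world-writable file (sticky or not) and every non-sticky writable directory.
count_unprotected() {
    audit_world_writable "$1" | grep -c -v '^dir-ww-sticky ' || true
}

# Stand-alone use: sh script.sh /path/to/tree   (the path is a placeholder)
if [ $# -gt 0 ]; then audit_world_writable "$1"; fi
```

Entries tagged `file-ww-sticky` are the ones an auditor's "777 plus sticky" rule would pass even though their contents remain writable by every local user.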



