
RE: sticky bits, AIX and TMR/MNs: msg#00463

sysutils.tivoli.tme10

Subject: RE: sticky bits, AIX and TMR/MNs

Hi,
well, this is (more or less) ok for directories, where the sticky bit
has a completely different meaning. But to set it on files is completely
useless. So, if you just "follow the process" and accept the rules as
they are (depending on your environment a completely understandable
point of view :-), just set the sticky bit on files. It will do no harm,
and your security guys are happy. But be careful with directories, in
that case I'd agree to set the sticky bit from a security point of view,
but it may or may not harm your applications or scripts.
Bye,
Michael

--
Dr. Michael Staats
RWE Systems Computing GmbH
Data Center
SIC-PS Systems Management
Altenessener Str. 37/39
45141 Essen

T intern 70-26919
T extern +49(0)201/12-26919
F extern +49(0)201/12-24751
mailto:michael.staats@xxxxxxx
Internally, please use the new distribution list "VL SIC-PS Administration".


-----Original Message-----
From: owner-tme10@xxxxxxxxxxxxxxxx [mailto:owner-tme10@xxxxxxxxxxxxxxxx]
On Behalf Of jamie_w_carl@xxxxxxxxxxx
Sent: Tuesday, March 22, 2005 2:57 PM
To: tme10@xxxxxxxxxxxxxxxx
Subject: RE: [tme10] sticky bits, AIX and TMR/MNs


Michael:
Regarding your question on "why" set the sticky bit? I have no idea -
it seems that to our security auditors, 777 permissions are okay if
accompanied by an active sticky bit. I don't make the rules, I'm just
trying to follow them.... :)

Jamie Carl
Enterprise Systems Management
Phone: 614-213-7512






From: <michael.staats@rwe.com>
Sent by: owner-tme10@lists.us.ibm.com
To: <tme10@xxxxxxxxxxxxxxxx>
cc:
Date: 03/22/2005 01:35 AM
Subject: RE: [tme10] sticky bits, AIX and TMR/MNs
Please respond to tme10

> Our security team has done a "sweep" of our TMR and Gateways (all running
> AIX) and identified numerous files with global rwx (777) permissions
> within the Tivoli directory structure. They want to activate the "sticky
> bit" on all of these files - I'm apprehensive to say the least.... Sometimes
> files are 777 because they need to be. We're running TMF 4.1.1+, SWD 4.0+,
> INV 4.1+, DM 3.7+, ITM 5.1.2-FP2.

Hi,
you should be able to get away with rwxrwxr-x or rw-rw-r-- in most, if
not all, cases if group memberships are set up appropriately, although in
the case of Tivoli that could mean having to "chgrp nobody" some files.

But, whatever you do, how is "setting the sticky bit" on files supposed
to affect security? Setting the t bit of an executable means "set the
save-text attribute", which is probably the most useless attribute in a
modern paging system.

Bye,
Michael






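As an added illustration, not code from anyone in this thread, the script below does the kind of sweep Jamie's auditors ran, but applies the distinction Michael draws: a world-writable directory is reported with its sticky-bit state (on a directory the bit restricts unlink/rename to the entry owner, the directory owner or root), while a world-writable regular file is reported with the sticky bit treated as cosmetic and Michael's tightened mode (rwxrwxr-x or rw-rw-r--, i.e. drop o+w and the t bit) proposed instead. The Tivoli path on the usage line is an assumption; the script works on any tree.

```python
"""Sweep a directory tree for world-writable entries (added example, not
from the tme10 thread). Symlinks are skipped: their own 777 mode is
meaningless and the target is reached through the walk anyway."""
import os
import stat
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    path: str
    kind: str        # "dir" or "file"
    mode: int        # current permission bits, including setuid/setgid/sticky
    sticky: bool     # S_ISVTX set on this entry?
    suggested: int   # proposed mode; 0 means "leave as is"
    note: str


def suggested_file_mode(mode: int) -> int:
    """Michael's fix for a 777 file: keep owner and group rights, drop
    other-write, and drop the sticky bit, which has no effect on a file."""
    return mode & ~stat.S_IWOTH & ~stat.S_ISVTX


def classify(path: str, st: os.stat_result) -> Optional[Finding]:
    """Return a Finding for a world-writable file or directory, else None."""
    mode = stat.S_IMODE(st.st_mode)
    if not mode & stat.S_IWOTH:
        return None
    sticky = bool(mode & stat.S_ISVTX)
    if stat.S_ISDIR(st.st_mode):
        if sticky:
            # Restricted deletion (the /tmp pattern): only the entry owner,
            # the directory owner or root may unlink or rename entries.
            return Finding(path, "dir", mode, True, 0,
                           "world-writable dir, sticky bit set: users may only "
                           "remove their own entries")
        return Finding(path, "dir", mode, False, mode | stat.S_ISVTX,
                       "world-writable dir without sticky bit: any user can "
                       "delete or rename any entry; set +t, but check scripts "
                       "that clean up other users' files")
    if stat.S_ISREG(st.st_mode):
        note = "drop o+w (verify the group first)"
        if sticky:
            note = "sticky bit on a regular file has no access-control effect; " + note
        return Finding(path, "file", mode, sticky, suggested_file_mode(mode), note)
    return None   # symlink, device, socket, fifo: not part of this sweep


def sweep(root: str) -> List[Finding]:
    """Walk ROOT (each directory once, plus its files) and collect findings."""
    findings: List[Finding] = []
    for dirpath, _subdirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            try:
                st = os.lstat(path)
            except OSError:
                continue   # vanished or unreadable; skip it, do not abort the sweep
            found = classify(path, st)
            if found is not None:
                findings.append(found)
    return sorted(findings, key=lambda f: f.path)


def format_finding(f: Finding) -> str:
    """One report line: kind, current mode, proposed mode, path, reason."""
    change = "keep" if f.suggested == 0 else "%04o" % f.suggested
    return "%-4s %04o -> %-4s %s  # %s" % (f.kind, f.mode, change, f.path, f.note)


if __name__ == "__main__":
    # Usage (path is an assumption): python sweep.py /usr/local/Tivoli
    for finding in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(format_finding(finding))
```

The report deliberately proposes modes rather than applying them: as the thread notes, a 777 file may be 777 because something in the product writes to it under another uid, so each proposed chmod/chgrp needs a check against the owning application before it is made.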




