secure_sid_scripts(5)
NAME
secure_sid_scripts - controls whether setuid and setgid bits on scripts
are honored
VALUES
Failsafe
Default
Allowed values
Recommended values
DESCRIPTION
This tunable controls whether setuid and setgid bits on executable
scripts have any effect. Honoring these bits on scripts makes a system
vulnerable to attack by malicious users.
The default value for this variable is 1, indicating that setuid and
setgid bits are to be ignored by the execve(2) system call for higher
security. The tunable can be set to 0 for compatibility with older
releases at the expense of security. Hewlett-Packard strongly
recommends that you not change the value of this tunable unless there
is an urgent need to do so.
When a script with setuid or setgid bits is executed, the kernel
generates the following error message to both the controlling terminal
and the system log. (To
view the error message, use dmesg(1M) or inspect
Who is Expected to Change This Tunable?
Administrator.
Restrictions on Changing
Changes to this tunable take effect for new scripts started after the
change.
When Should the Value of This Tunable Be Changed?
This tunable controls operational modes rather than data structure
sizes and limits. The appropriate setting for a system depends on
whether you consider security or compatibility to be most important.
A value of 0 is compatible with previous releases of HP-UX, but it is
also less secure.
A value of 1 provides security against race condition attacks
exploiting setuid and setgid scripts.
What Are the Side Effects of Changing the Value?
This tunable controls only executable scripts (not programs) with the
setuid or setgid bit set. HP-UX does not ship with any such scripts.
If the customer
wishes to use scripts, third party applications such as or can be used.
Alternatively, the shell script can be wrapped in a simple C program
that runs the shell script with appropriate permissions:
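One way to write such a wrapper, given here as an added example that is not HP's own code: the compiled wrapper carries the setuid bit, the script itself does not. The script and shell paths are hypothetical, and the script is assumed to be owned by the wrapper's effective user.

```c
/* Added example: setuid wrapper that runs one fixed script. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical paths: adjust to the script and shell actually used. */
#define SCRIPT_PATH "/opt/example/sbin/task.sh"
#define SHELL_PATH  "/bin/sh"

/* Accept only a regular file owned by the expected uid that group and
 * others cannot write; anything else could be altered by another user. */
int script_is_safe(mode_t mode, uid_t owner, uid_t expected)
{
    return S_ISREG(mode) && owner == expected &&
           !(mode & (S_IWGRP | S_IWOTH));
}

int main(void)
{
    /* Fixed environment: nothing inherited from the caller (PATH, IFS,
     * ENV and similar) reaches the privileged shell. */
    char *const envp[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    /* The script path is a constant; caller arguments are not forwarded. */
    char *const argv[] = { "sh", SCRIPT_PATH, NULL };
    struct stat st;

    /* lstat() so that a symbolic link at SCRIPT_PATH is rejected. */
    if (lstat(SCRIPT_PATH, &st) != 0 ||
        !script_is_safe(st.st_mode, st.st_uid, geteuid())) {
        fprintf(stderr, "wrapper: refusing to run %s\n", SCRIPT_PATH);
        return 1;
    }
    /* When the wrapper is setuid root, this makes the real IDs match the
     * effective ones, so the shell sees no real/effective mismatch.
     * Group first, while the process still has the privilege to do it. */
    if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
        perror("wrapper: setgid/setuid");
        return 1;
    }
    execve(SHELL_PATH, argv, envp);
    perror("wrapper: execve");   /* reached only if execve failed */
    return 127;
}
```

The ownership and mode check is a sanity check only; the script and every directory on its path must also be writable by nobody but the owner, otherwise the file can be replaced between the check and the exec.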
What Other Tunable Values Should Be Changed at the Same Time?
None.
WARNINGS
None. All HP-UX kernel tunable parameters are release specific. This
parameter may be removed or have its meaning changed in future releases
of HP-UX.
Installation of optional kernel software, from HP or other vendors, may
cause changes to tunable parameter values. After installation, some
tunable parameters may no longer be at the default or recommended
values. For information about the effects of installation on tunable
values, consult the documentation for the kernel software being installed.
For information about optional kernel software that was factory
installed on your system, see at
FILES
AUTHOR
was developed by HP.
SEE ALSO
chmod(1), execve(2), kctune(1M).
Tunable Kernel Parameters secure_sid_scripts(5)