SUID on ldapcfinfo and ldapuglist
This article is a FAQ about the SUID settings on the ldapcfinfo and ldapuglist commands on the HP-UX 11i Operating Environment.
Frequently Asked Questions
1. Does having the SUID bit enabled on the ldapcfinfo and ldapuglist commands represent a security compromise?
No, not per se, but it is a good idea to understand the issue, because third-party security auditing programs may raise warnings related to this fact.
2. Is the SUID bit really needed for these files? If so, why?
The SUID bit is needed by these binaries to allow non-root applications to obtain information from LDAP databases through interfaces more specific than the standard ldapsearch command.
- ldapcfinfo: programmatically provides LDAP-UX information to non-interactive applications.
- ldapuglist: displays and enumerates POSIX-like account and group entries in an LDAP directory server.
Strictly speaking, it is not required if you do not have any tool or script that needs to pull LDAP information as a non-privileged user.
On the other hand, HP and independent vendors may use these interfaces to obtain LDAP data for their own purposes without having to run their own daemons as root, and that is always welcome.
3. If not required, will HP provide a fix release?
There is no current plan to change the SUID bit on these files. There is no open JAG nor any HP security advisory covering these files. HP has decided to use SUID on these files, and it is their default configuration.
4. What are my options?
- Dismiss the security advisor warnings: Compliance tools are sometimes very generic. SUID files, a traditional UNIX backdoor and overflow problem, always raise alerts in these applications. It does not mean that there are actual exploits for these settings, just that it can happen and you should take protective measures.
- Change the permissions on these files to a more secure 0555: Understand that this may affect applications that rely on these binaries.
Are you using LDAP to centrally manage user accounts or to facilitate Windows Active Directory integration? If not, that leads us to your last option.
- Remove LDAP integration: If you don't use it, don't have it. The most secure service is no service at all!
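As an added example (not part of the original FAQ or of LDAP-UX itself), the following POSIX shell script reports whether the setuid bit is set on the two binaries and, only when invoked with "fix", applies the 0555 permission described in the second option. The install path /opt/ldapux/bin is an assumption for a default LDAP-UX installation; override it with LDAPUX_BIN if yours differs.

```shell
#!/bin/sh
# Audit (and optionally remove) the setuid bit on the LDAP-UX helper binaries.
# The path is an assumption for a default LDAP-UX install; override with $LDAPUX_BIN.
LDAPUX_BIN="${LDAPUX_BIN:-/opt/ldapux/bin}"

# has_suid FILE: return 0 if the setuid bit is set, 1 if it is not (or FILE is unreadable).
# Parses the mode string from ls -ld, which works on HP-UX where stat(1) is not available.
has_suid() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    case "$mode" in
        ???[sS]*) return 0 ;;   # 4th column: 's' = setuid+exec, 'S' = setuid without exec
        *)        return 1 ;;
    esac
}

# audit_file FILE [fix]: print the finding; with "fix", reset the mode to 0555 so the
# bit is cleared. Applications that depend on the SUID behaviour of these binaries will
# then fail for non-root users, which is the trade-off the FAQ describes.
audit_file() {
    f=$1; action=${2:-report}
    if [ ! -e "$f" ]; then
        printf '%s: not present (LDAP-UX not installed?)\n' "$f"
        return 0
    fi
    if has_suid "$f"; then
        printf '%s: setuid bit SET (HP default)\n' "$f"
        if [ "$action" = fix ]; then
            chmod 0555 "$f" && printf '%s: mode changed to 0555\n' "$f"
        fi
    else
        printf '%s: setuid bit not set\n' "$f"
    fi
}

# Usage: ldapux_suid_audit.sh [fix]
for bin in ldapcfinfo ldapuglist; do
    audit_file "$LDAPUX_BIN/$bin" "$1"
done
```

Run it without arguments first to see the current state; only pass "fix" after confirming nothing on the host relies on these binaries running as root for non-privileged callers.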