Disabling C2 features
In addition to customizing security defaults, you can also
selectively disable C2 features to ensure compatibility with
utilities that expect traditional UNIX system behavior.
(In the Low and Traditional defaults, most C2 features are
disabled by default). The following key features can
be switched on or off by changing the associated kernel
parameter:
LUID enforcement-
Under C2 requirements, every process must have a login user ID
(LUID). This means that processes which set UIDs
or GIDs, such as the
printer scheduler (lpsched), must have an LUID set when
started at system startup in /etc/rc2.d. This can cause
problems with setuid programs. When the security
mode is set to a lesser mode (that is, not ``High''), enforcement of
login user ID (LUID) is relaxed and setuid
programs do not require an LUID to run.
This feature is enabled by default when the High security default
is selected, but it can be enabled or disabled by modifying the
SECLUID kernel parameter. A value of 0 disables the enforcement
of LUID.
Clearing of SUID/SGID bits on write-
Under C2 requirements, the set user ID (SUID or
setuid) and set group ID (SUID or
setgid) bits on files must be
cleared (removed) when a file is written. This prevents
someone from replacing the contents of a setuid binary,
but this can cause problems with programs that do not expect
this behavior. In the lower security defaults,
SUID and SGID bits are not cleared when files are written.
This feature is enabled by default when the High security default
is selected, but it can be enabled or disabled by modifying the
SECCLEARID kernel parameter. A value of 0 disables this feature.
stopio(S) on devices-
The
stopio(S)
call is used under C2 to ensure that a device
is not held open by another process after it is reallocated.
This means that other processes attempting to access the same
device are killed.
In the lower security defaults,
stopio(S)
is not called.
This feature is enabled by default when the High security default
is selected, but it can be enabled or disabled by modifying the
SECSTOPIO kernel parameter. A value of 0 disables this feature.
These parameters can be changed by invoking the
configure(ADM)
command and selecting category 8: ``Security,'' and changing
the parameter desired. The kernel must then be relinked
and booted for the new behavior to take effect. See
``Rebuilding the kernel''.
Next topic:
Troubleshooting system security
Previous topic:
Sticky directories
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005