Update Mixed Mode Agent Binaries With SUID Root To More Restrictive Permissions

Update Mixed Mode Agent Binaries With SUID Root To More Restrictive Permissions

When setting up an agent to run as a non-root user in mixed mode several binaries are set with the suid root bit to allow those binaries to perform their required functions as root. There are three binaries specifically that have the suid bit set for root.

-r-sr-xr-x. 1 root bin      68424 May 7 2018 /opt/OV/bin/oacore
-r-sr-x---. 1 root opcgrp  595727 May 7 2018 /opt/OV/bin/ovbbccb
-r-sr-xr-x. 1 root root   7603036 Oct 8 2018 /opt/OV/hpcs/hpsensor

The ovbbccb process needs suid to bind to port 383. After startup it drops to non-root. The permissions are what is required for the non-root control daemon in a mixed mode deployment to start it up. This is a good example of a least privilege setup.

The oacore and hpsensor processes run as root to overcome the NPU limitations for certain performance data collections. These processes are also started by the non-root control daemon so the suid root bit is needed. These processes however are world executable leaving them open to possible exploitation.

My idea is to restrict the default permissions for oacore and hpsensor set in a non-root mixed mode deployment to the same permissions as ovbbccb to reduce the security risk posed by these suid root binaries.  i.e.

-r-sr-x---. 1 root opcgrp   68424 May 7 2018 /opt/OV/bin/oacore
-r-sr-x---. 1 root opcgrp  595727 May 7 2018 /opt/OV/bin/ovbbccb
-r-sr-x---. 1 root opcgrp 7603036 Oct 8 2018 /opt/OV/hpcs/hpsensor

Tags (1)
2 Comments
Micro Focus Frequent Contributor
Micro Focus Frequent Contributor
Status changed to: Waiting for Votes

Hi ,

I undertsand the importance of this request.

For prioritizing , let me move this  into 'waiting for votes' status.


Thanks,

Cherian

Outstanding Contributor.. andreask Outstanding Contributor..
Outstanding Contributor..
In my personal opinion the whole non-root concept of the OA Agent is not user friendly. agent should be able to use sudo command to acquire root permissions when needed. this can be easily configured and dont need a lot of workarounds to access files with special permission or ports below 1024.
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.