Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
operating system, but unauthorized sgid programs present a security hazard.  The sgid bit discussed 
here affects executable programs (on a directory it instead causes new files to inherit the directory's 
group).  When this attribute is set on a program, the program runs with its effective group ID set to 
the group owner of the program, so the user executing it temporarily holds that group's privileges.  
It is extremely important, therefore, that any program that has the sgid bit set is of known origin 
and scope.  Programs with the sgid bit set must never allow escapes to the command line, since a 
shell spawned from such a program inherits the elevated group. 
Refer to the specific vendor's Mac OS X documentation for details concerning sgid.  
Commercial and Government supplied applications may also supply programs with the sgid bit 
set.  If so, then vendor/proponent instructions must be followed.  Where possible, require 
vendor/proponent integrity statements that guarantee there are no back doors (such as shell 
escapes) built into the applications. 
The following command will identify all sgid programs on a system, producing a listing of the 
owner and other pertinent information: 
find / -type f -perm -2000 -exec ls -ld {} \; 
3.5.3  Sticky Bit 
When the sticky bit is set on a directory, only the owner of a file within that directory, the owner 
of the directory, or root may delete or rename files in that directory.  The sticky bit does not 
restrict writes to a file's contents; those remain governed by the file's own permissions, so a 
world-writable file in a sticky directory is still writable by everyone.  The feature prevents users 
from accidentally or maliciously deleting or replacing files that could adversely affect the 
operation of another user's applications or cause data corruption in another user's temporary files.  
The setting is normally reserved for directories used by the system and by users for temporary 
file storage (in /tmp, for instance) and for directories that require global read/write access.  Since 
the public directory owner can change or delete any file within the public directory, all public 
directories will be owned by root and the sticky bit will be set.  The group owner of all public 
directories will be root, bin, sys, or the COTS/GOTS default. 
    
(OSX1026GEN0087:  CAT III) The SA will ensure the sticky bit is set on all public 
directories. 
    
(OSX1026GEN0088:  CAT III) The SA will ensure the owner of public directories is root. 
    
(OSX1026GEN0089:  CAT III) The SA will ensure the group owner of all public directories 
is root, sys, bin, or the COTS/GOTS default. 
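The following script is an added example and is not part of the STIG.  It turns the sgid listing above and the three public-directory requirements (sticky bit, root owner, accepted group) into repeatable checks.  To run offline it constructs a small sample tree under a temporary directory; that tree, its file names and the helper function names are assumptions for illustration, and on a real host the audit functions would be pointed at /.  The group check accepts wheel as well as root, because gid 0 is named wheel on Mac OS X.

```shell
#!/bin/sh
# Added example, not part of the STIG: audit a directory tree for
# (1) setgid executables and (2) public (world-writable) directories that
# lack the sticky bit or have an unexpected owner or group.  A constructed
# sample tree is built under a temporary directory so the script runs
# offline; the tree, file names and helper names are assumptions.

# Regular files with the setgid bit (02000), one path per line.
find_sgid() {
    find "$1" -type f -perm -2000 2>/dev/null | sort
}

# World-writable directories (0002) that do not also carry the sticky bit (01000).
public_dirs_without_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# World-writable directories not owned by root.
public_dirs_not_owned_by_root() {
    find "$1" -type d -perm -0002 ! -user root 2>/dev/null | sort
}

# World-writable directories whose group is not one the STIG accepts.
# The group name is read from ls -ld (field 4) rather than find -group,
# because find aborts on a group name that does not exist on the host
# (e.g. "wheel" on Linux, "root" on Mac OS X).
public_dirs_with_unexpected_group() {
    find "$1" -type d -perm -0002 2>/dev/null | sort | while IFS= read -r d; do
        g=$(ls -ld "$d" | awk '{print $4}')
        case "$g" in
            root|wheel|sys|bin) ;;              # accepted (wheel is gid 0 on Mac OS X)
            *) printf '%s (%s)\n' "$d" "$g" ;;  # finding
        esac
    done
}

# Build the constructed sample tree and print its path.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp" "$root/shared" "$root/home"
    printf '%s\n' '#!/bin/sh' 'echo sgid' > "$root/usr/bin/sgid_tool"
    chmod 2755 "$root/usr/bin/sgid_tool"       # setgid: must be reported
    printf '%s\n' '#!/bin/sh' 'echo plain' > "$root/usr/bin/plain_tool"
    chmod 0755 "$root/usr/bin/plain_tool"      # ordinary executable: ignored
    chmod 1777 "$root/tmp"                     # public, sticky set: compliant
    chmod 0777 "$root/shared"                  # public, sticky missing: finding
    chmod 0755 "$root/home"                    # not public: ignored
    printf '%s\n' "$root"
}

# Run every check against one tree and print the findings by category.
audit_tree() {
    echo "== setgid files under $1"
    find_sgid "$1"
    echo "== public directories without the sticky bit"
    public_dirs_without_sticky "$1"
    echo "== public directories not owned by root"
    public_dirs_not_owned_by_root "$1"
    echo "== public directories with an unexpected group"
    public_dirs_with_unexpected_group "$1"
}

SAMPLE=$(build_sample_tree)
audit_tree "$SAMPLE"
rm -rf "$SAMPLE"
```

When the script is run by an ordinary user, every public directory in the sample tree is reported under the owner and group checks, because a non-root user cannot create root-owned directories; on a real host those two lists should be empty.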
3.6  Umask 
The umask is a per-process attribute, inherited by child processes and applied by the kernel 
whenever a file or directory is created, that determines which permission bits are withheld from 
newly created files and directories.  Data and program integrity, confidentiality, and availability 
are directly affected by the system and user umask.  If the umask is too permissive, newly created 
files and directories will be accessible to unauthorized and possibly malicious users.  If the umask 
is too restrictive, applications may not function correctly.  Therefore, the umask is a critical 
component of every user and system process. 
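The following script is an added example and is not part of the STIG.  It shows the umask arithmetic (the requested mode with every umask bit cleared) and then confirms it by creating real files and directories under three umask values; the scratch directory and helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG: show how the umask determines the
# permissions of newly created files and directories.  effective_mode()
# applies the umask arithmetically; create_under_umask() and
# mkdir_under_umask() create a real file or directory under a temporary
# umask and report the mode the kernel assigned.  Scratch paths and helper
# names are assumptions.

# Permissions a program requesting $1 (octal) receives under umask $2 (octal).
# New files are normally requested with 0666 and new directories with 0777;
# the umask clears every bit it has set.
effective_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Print the permission bits of a path as octal digits, on both GNU
# (stat -c) and BSD/Mac OS X (stat -f) systems.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Create an empty file at $2 under umask $1.  The subshell keeps the
# caller's umask untouched.
create_under_umask() {
    ( umask "$1" && : > "$2" ) || return 1
    mode_of "$2"
}

# Same for a directory, which mkdir requests with 0777.
mkdir_under_umask() {
    ( umask "$1" && mkdir "$2" ) || return 1
    mode_of "$2"
}

SCRATCH=$(mktemp -d)
for m in 022 027 077; do
    printf 'umask %s: file 0666 -> %s (predicted %s), dir 0777 -> %s (predicted %s)\n' \
        "$m" \
        "$(create_under_umask "$m" "$SCRATCH/file_$m")" "$(effective_mode 666 "$m")" \
        "$(mkdir_under_umask "$m" "$SCRATCH/dir_$m")" "$(effective_mode 777 "$m")"
done
rm -rf "$SCRATCH"
```

A umask of 022 leaves new files world-readable (0644), 027 removes all access for others (0640), and 077 restricts new files to their owner (0600); the directory results differ only in the execute (search) bits, because mkdir starts from 0777 rather than 0666.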
29
UNCLASSIFIED 