Newsgroups: comp.unix.bsd.freebsd.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.ecn.uoknor.edu!news.cis.okstate.edu!news.ksu.ksu.edu!lazrus.cca.rockwell.com!yeager.cca.rockwell.com!dmphilli
From: dmphilli@yeager.cca.rockwell.com (Dean M. Phillips)
Subject: Re: A Matter of Security
X-Nntp-Posting-Host: yeager.cca.rockwell.com
Message-ID: <DKzCMx.JCF@lazrus.cca.rockwell.com>
Sender: news@lazrus.cca.rockwell.com
Organization: Rockwell
References: <4d0qav$9j0@gol2.gol.com>
Date: Wed, 10 Jan 1996 19:25:44 GMT
Lines: 64

In article <4d0qav$9j0@gol2.gol.com>, Doug <doug@gol.com> wrote:
>Our system now allows members to make PPP connections via our new
>Portmaster (which is working well, along with RADIUS, thanks to the help
>of members of this group).
>
[snip]
>But I also noticed that any user can now Telnet into our FreeBSD
>machine.
>
>What's more, because of the default settings, any user can roam around
>and see almost everything, including most of the contents of /etc.
>
>Questions!
>
>o Is this normal? Does everybody allow this?

It is normal. Some allow it, some don't.

>
>o As soon as I noticed this, I changed the permissions of /etc with the
>command
>
>chmod og-wrx /etc
>
>so that members could not access that directory. Is that a reasonable
>thing to do? Will it hurt any running processes?

It is not reasonable and will probably break some programs. Do it on a
file-by-file basis after considering whether the information in the file
is truly privileged. Most files containing privileged information (like
master.passwd) are already protected.

>
>o Is there a way of disabling logins except for certain users?

Yes. Set their shell to something that does not accept commands.
I use a program that looks something like this:

    #include <stdio.h>
    #include <stdlib.h>   /* exit() */
    #include <unistd.h>   /* sleep() */

    int main(void)
    {
        /* puts() adds its own newline; the "\n" leaves a blank line after it */
        puts("Insert appropriate logins disabled message here.\n");
        sleep(10);        /* keep the message visible before the session ends */
        exit(0);
    }

Compile it, call it nullsh, put it in /usr/local/bin and then change the
shell of every user who you don't want logging in to
/usr/local/bin/nullsh. This will stop interactive logins, FTP and
"su -m".

>
>o Can a user wreak havoc with the system by creating huge files in their
>home directory, creating and running programs, etc.?

Yes.

>
>o What do other sysops do about this?

See above for one answer. Some sysops allow interactive logins on a
restricted subset of machines, some on all. Quotas are a requirement on
any machine that you do allow interactive logins on. You may want to
hack login to check the (now unused) class field of master.passwd and
make appropriate adjustments to the hard process limits and process
priority.

Hope this helps.

[Rest of article deleted.]

--
---------------------------------------------------------------------------
Dean M. Phillips                 Internet: dmphilli@cca.rockwell.com
Design Engineer,                 Comnet:   435-8810
Flight Control Analysis          AT&Tnet:  319-395-8810
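
An added example, not part of the original post: a small audit a sysop could run after switching members to nullsh, listing accounts that still have a working shell and checking that nullsh has not been added to the shells file. The function names, the allow list and the sample accounts are constructed for illustration; the role of /etc/shells for ftpd and "su -m" is stated as an assumption in the comments.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.
NULLSH=/usr/local/bin/nullsh          # install path named in the post

# unrestricted_accounts FILE ALLOW
# Print "user:shell" for accounts whose shell is not nullsh and whose name is
# not in the comma-separated ALLOW list. The shell is the last field in both
# passwd (7 fields) and master.passwd (10 fields).
unrestricted_accounts() {
    awk -F: -v nullsh="$NULLSH" -v allow="$2" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^#/ || (NF != 7 && NF != 10) { next }
        $NF != nullsh && !($1 in ok) {
            # An empty shell field falls back to /bin/sh, so it still logs in.
            print $1 ":" ($NF == "" ? "/bin/sh (default)" : $NF)
        }' "$1"
}

# nullsh_in_shells FILE
# Succeed if nullsh appears in an /etc/shells-style file. Assumption: ftpd and
# non-root "su -m" only accept shells listed there, so nullsh must stay out.
nullsh_in_shells() {
    grep -v '^#' "$1" | grep -Fqx "$NULLSH"
}

# write_sample DIR: constructed master.passwd and shells files for the demo.
write_sample() {
    cat > "$1/master.passwd" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
doug:*:1001:1001::0:0:Doug:/home/doug:/bin/tcsh
member1:*:2001:2000::0:0:PPP member:/home/member1:/usr/local/bin/nullsh
member2:*:2002:2000::0:0:PPP member:/home/member2:/bin/sh
member3:*:2003:2000::0:0:PPP member:/home/member3:
EOF
    printf '%s\n' '# constructed shells file' /bin/sh /bin/csh /bin/tcsh > "$1/shells"
}

demo=$(mktemp -d) && write_sample "$demo"
echo "Not yet switched to nullsh (allow list: root,doug):"
unrestricted_accounts "$demo/master.passwd" root,doug
if nullsh_in_shells "$demo/shells"; then
    echo "WARNING: nullsh is listed in the shells file"
fi
rm -rf "$demo"
```

On a live system the same functions take the real /etc/master.passwd (read as root) and /etc/shells; system accounts that are already locked some other way will appear in the list unless they are added to the allow list.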