*BSD News Article 59270


Newsgroups: comp.unix.bsd.freebsd.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.ecn.uoknor.edu!news.cis.okstate.edu!news.ksu.ksu.edu!lazrus.cca.rockwell.com!yeager.cca.rockwell.com!dmphilli
From: dmphilli@yeager.cca.rockwell.com (Dean M. Phillips)
Subject: Re: A Matter of Security
X-Nntp-Posting-Host: yeager.cca.rockwell.com
Message-ID: <DKzCMx.JCF@lazrus.cca.rockwell.com>
Sender: news@lazrus.cca.rockwell.com
Organization: Rockwell
References: <4d0qav$9j0@gol2.gol.com>
Date: Wed, 10 Jan 1996 19:25:44 GMT
Lines: 64

In article <4d0qav$9j0@gol2.gol.com>, Doug  <doug@gol.com> wrote:
>Our system now allows members to make PPP connections via our new 
>Portmaster (which is working well, along with RADIUS, thanks to the help 
>of members of this group).
>
[snip]
>But I also noticed that any user can now Telnet into our FreeBSD 
>machine.
>
>What's more, because of the default settings, any user can roam around 
>and see almost everything, including most of the contents of /etc.
>
>Questions!
>
>o Is this normal? Does everybody allow this?
It is normal.  Some allow it, some don't.
>
>o As soon as I noticed this, I changed the permissions of /etc with the 
>command
>
>chmod og-wrx /etc
>
>so that members could not access that directory. Is that a reasonable 
>thing to do? Will it hurt any running processes?
It is not reasonable and will probably break some programs.  Do it on a
file-by-file basis after considering whether the information in the file
is truly privileged.  Most files containing privileged information (like
master.passwd) are already protected.
>
>o Is there a way of disabling logins except for certain users?
Yes.  Set their shell to something that does not accept commands.  I use a
program that looks something like this:

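#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <unistd.h>   /* sleep() */

int main(void)
{
    /* Show the notice, then pause so it can be read before the session closes. */
    puts("Insert appropriate logins disabled message here.\n");
    sleep(10);
    exit(0);
}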

Compile it, call it nullsh, put it in /usr/local/bin and then change the
shell of every user who you don't want logging in to /usr/local/bin/nullsh.
This will stop interactive logins, FTP and "su -m".
>
>o Can a user wreak havoc with the system by creating huge files in their 
>home directory, creating and running programs, etc.?
Yes.
>
>o What do other sysops do about this?
See above for one answer.  Some sysops allow interactive logins on a
restricted subset of machines, some on all.  Quotas are a requirement
on any machine that you do allow interactive logins on.  You may want
to hack login to check the (now unused) class field of master.passwd
and make appropriate adjustments to the hard process limits and
process priority.

Hope this helps.
[Rest of article deleted.]
-- 
---------------------------------------------------------------------------
Dean M. Phillips                        Internet: dmphilli@cca.rockwell.com
Design Engineer,                          Comnet: 435-8810
Flight Control Analysis                  AT&Tnet: 319-395-8810
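
Added example, not part of the original post: one way to do the class-field check suggested above, mapping the class column of a master.passwd line to hard limits and a nice value. The policy table, class names, limit values and function names are hypothetical; a real login would read pw_class via getpwnam() instead of parsing a line.

```c
#include <string.h>
#include <sys/resource.h>

/* Hypothetical policy table (not from the post): class -> hard limits, nice. */
struct class_policy { const char *name; rlim_t nproc, fsize; int nice; };
static const struct class_policy policies[] = {
    { "member", 32, 16UL * 1024 * 1024, 10 },   /* strictest entry first */
    { "staff", 256, 1024UL * 1024 * 1024, 0 },
};

/* Copy 0-based field idx; strchr() keeps the empty fields strtok() skips. */
int passwd_field(const char *line, int idx, char *out, size_t outlen)
{
    for (; idx > 0; idx--, line++)
        if ((line = strchr(line, ':')) == NULL) return -1;
    size_t n = strcspn(line, ":\n");
    if (n >= outlen) return -1;
    memcpy(out, line, n);
    out[n] = '\0';
    return 0;
}

/* master.passwd: name:passwd:uid:gid:class:change:expire:gecos:dir:shell */
const struct class_policy *policy_for(const char *mpw_line)
{
    char cls[32];
    if (passwd_field(mpw_line, 4, cls, sizeof cls) == 0)
        for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++)
            if (strcmp(cls, policies[i].name) == 0) return &policies[i];
    return &policies[0];   /* empty, unknown or malformed class: strictest */
}

/* Lower a hard limit, clamped to the current one (raising it needs root). */
static int cap_limit(int res, rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(res, &rl) != 0) return -1;
    if (rl.rlim_max < want) want = rl.rlim_max;
    rl.rlim_cur = rl.rlim_max = want;
    return setrlimit(res, &rl);
}

/* Call after authentication, before exec of the user's shell. */
int apply_policy(const struct class_policy *p)
{
    if (cap_limit(RLIMIT_NPROC, p->nproc) || cap_limit(RLIMIT_FSIZE, p->fsize))
        return -1;
    if (getpriority(PRIO_PROCESS, 0) >= p->nice) return 0;  /* never lower nice */
    return setpriority(PRIO_PROCESS, 0, p->nice);
}
```

Because the hard limits are lowered before the shell is exec'd, the user's processes inherit them and cannot raise them again without root.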