*BSD News Article 59299
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!spool.mu.edu!howland.reston.ans.net!newsfeed.internetmci.com!news.sprintlink.net!ns1.tstt.net.tt!news
From: feisal@tstt.net.tt (Feisal Mohammed)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: A Matter of Security
Date: Wed, 10 Jan 1996 22:46:02 GMT
Organization: University of the West Indies
Lines: 50
Message-ID: <4d1fi5$mc4@ns1.tstt.net.tt>
References: <4d0qav$9j0@gol2.gol.com>
Reply-To: feisal@tstt.net.tt
NNTP-Posting-Host: cuscon16s.tstt.net.tt
X-Newsreader: Forte Free Agent 1.0.82

Doug <doug@gol.com> wrote:

>Our system now allows members to make PPP connections via our new 
>Portmaster (which is working well, along with RADIUS, thanks to the help 
>of members of this group).

>But I also noticed that any user can now Telnet into our FreeBSD 
>machine.
You can stop this by giving the user a shell that exits immediately;
for example, I created a one-line script that prints "access denied"
and then exits.

>What's more, because of the default settings, any user can roam around 
>and see almost everything, including most of the contents of /etc.

>Questions!

> Is this normal? Does everybody allow this?
Some do and some don't. The ISP whose system I set up wanted no telnets
from PPP/SLIP users, hence the exiting shell. For terminal users I
whipped up a menu that only allowed access to pine, lynx, gopher and
passwd and did not give access to the command line.

> As soon as I noticed this, I changed the permissions of /etc with the 
>command

>chmod og-wrx /etc

>so that members could not access that directory. Is that a reasonable 
>thing to do? Will it hurt any running processes?
Some programs need to read files in the /etc directory; why not
protect just the sensitive data?

> Is there a way of disabling logins except for certain users?
The shell set up as above.

> Can a user wreak havoc with the system by creating huge files in their 
>home directory, creating and running programs, etc.?
For the setup here PPP/SLIP users had no home directories and terminal
users had quotas set. I also set quotas on the mail spool since users
can easily get 1MB/day by subscribing to many lists.
BTW this was on an RS6000 box with AIX 3.2.5; I don't know how to set
quotas with FreeBSD, but it should be the same.
Department of Mechanical Engineering
University of the West Indies
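The "shell that exits immediately" approach described in the reply above, as an added example that is not part of the original post: a deny-login script, a constructed passwd-style file in a temporary directory (not the real /etc), and a check of which accounts can still get an interactive login.

```sh
#!/bin/sh
# Added example, not the poster's script: a login-denying shell and a check
# over passwd-style entries. All paths are constructed under a temp dir.

WORK=$(mktemp -d)
DENY_SHELL="$WORK/nologin.sh"

# The "access denied" shell: prints a message and exits non-zero no matter
# what arguments the login program passes it, so telnet sessions end at once.
cat > "$DENY_SHELL" <<'EOF'
#!/bin/sh
echo "access denied"
exit 1
EOF
chmod 755 "$DENY_SHELL"

# Constructed passwd-style sample (hypothetical users): dial-up PPP accounts
# get the deny shell, while staff accounts keep a real shell.
PASSWD="$WORK/passwd"
cat > "$PASSWD" <<EOF
root:*:0:0:Charlie &:/root:/bin/sh
doug:*:1001:1001:Doug:/home/doug:/bin/sh
ppp01:*:2001:2001:PPP user:/nonexistent:$DENY_SHELL
EOF

# shell_for USER: print the login shell (7th field) for USER from $PASSWD.
shell_for() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$PASSWD"
}

# login_allowed USER: succeeds (exit 0) only when USER's shell is not the
# deny shell. Useful as an audit over the whole file: list who can log in.
login_allowed() {
    [ -n "$(shell_for "$1")" ] && [ "$(shell_for "$1")" != "$DENY_SHELL" ]
}

# run_shell USER: simulate what login(1) does after authentication by
# executing USER's shell; the deny shell prints its message and fails.
run_shell() {
    "$(shell_for "$1")" -c 'exit 0'
}
```

FreeBSD ships /sbin/nologin for exactly this purpose, so on a FreeBSD box the shell field can point there instead of a hand-written script.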