*BSD News Article 59548



Newsgroups: comp.unix.bsd.freebsd.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.uwa.edu.au!DIALix!melbourne.DIALix.oz.au!seeware!mark
From: mark@seeware.DIALix.oz.au (Mark Hannon)
Subject: Re: A Matter of Security
Organization: Private FreeBSD site
Message-ID: <DL40v3.7qo@seeware.DIALix.oz.au>
References: <4d0qav$9j0@gol2.gol.com>
Date: Sat, 13 Jan 1996 07:59:25 GMT
Lines: 53

Doug (doug@gol.com) wrote:
: Our system now allows members to make PPP connections via our new 
: Portmaster (which is working well, along with RADIUS, thanks to the help 
: of members of this group).

: I noticed that unless I created a user account on the FreeBSD machine 
: for a user, he or she could not receive email. Well, that makes sense.

: But I also noticed that any user can now Telnet into our FreeBSD 
: machine.

You should be able to block this by setting the user's shell to /sbin/nologin.

: What's more, because of the default settings, any user can roam around 
: and see almost everything, including most of the contents of /etc.

: Questions!

: o Is this normal? Does everybody allow this?

Is this a problem?  Normal users shouldn't be able to write anything here
so there is no real problem (and the sensitive files aren't readable by
non-root)

: o As soon as I noticed this, I changed the permissions of /etc with the 
: command

: chmod og-wrx /etc

: so that members could not access that directory. Is that a reasonable 
: thing to do? Will it hurt any running processes?

Don't know - better to leave it as it was.

: o Is there a way of disabling logins except for certain users?

See above

: o Can a user wreak havoc with the system by creating huge files in their 
: home directory, creating and running programs, etc.?

If you are worried about this then turn quotas on.  See the manpages.

/mark




-- 
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
| Mark Hannon,| FreeBSD - Free Unix for your PC| mark@seeware.DIALix.oz.au|
| Melbourne,  | PGP key available by fingering | epamha@epa.ericsson.se   |
| Australia   | seeware@melbourne.DIALix.oz.au |                          |
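
Added example, not part of the original post: a check for the /sbin/nologin advice above that lists every account in a passwd(5)-format file which still has an interactive shell and is not on an allowlist. The function names, the list of no-login shells, and the sample accounts are assumptions constructed for illustration.

```sh
#!/bin/sh
# Shells treated as "no interactive login" (assumption; adjust per site).
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /nonexistent"

# audit_logins PASSWD_FILE "allowed1 allowed2 ..."
# Prints "user shell" for each account that is not allowlisted and whose
# shell is not a no-login shell. An empty shell field means /bin/sh per
# passwd(5), so it is reported as interactive.
audit_logins() {
    awk -F: -v allow="$2" -v nologin="$NOLOGIN_SHELLS" '
        BEGIN {
            n = split(allow, a, " ");   for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split(nologin, s, " "); for (i = 1; i <= n; i++) no[s[i]] = 1
        }
        /^#/ || NF < 7 { next }   # skip comments and malformed lines
        {
            shell = ($7 == "") ? "/bin/sh" : $7
            if (!($1 in ok) && !(shell in no)) print $1, shell
        }
    ' "$1"
}

# Constructed sample data standing in for /etc/passwd.
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
doug:*:1001:1001:Admin:/home/doug:/bin/sh
member1:*:1002:1002:PPP member:/home/member1:/sbin/nologin
member2:*:1003:1003:PPP member:/home/member2:/bin/csh
member3:*:1004:1004:PPP member:/home/member3:
EOF
}

# Demo: only root and doug are meant to have shell access.
tmp=$(mktemp) && sample_passwd > "$tmp"
audit_logins "$tmp" "root doug"
rm -f "$tmp"
```

On a live system, pass /etc/passwd as the first argument; any account it prints is a candidate for having its shell changed to /sbin/nologin.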