From owner-freebsd-security Wed Jul 30 07:09:01 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA03031 for security-outgoing; Wed, 30 Jul 1997 07:09:01 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA03026 for ; Wed, 30 Jul 1997 07:08:59 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id HAA13960; Wed, 30 Jul 1997 07:08:04 -0700 (PDT)
Date: Wed, 30 Jul 1997 07:08:04 -0700 (PDT)
From: Vincent Poy
To: Shashi Joshi
cc: Marco Molteni , security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: So, lets have a checklist compiled (was Re: Security hole)
In-Reply-To: <199707301450.JAA25877@shift-f1.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 30 Jul 1997, Shashi Joshi wrote:

=)As Marco Molteni said ->
=)
=)> Do you think one can be a newcomer as an administrator, but _has_ to know
=)> everything about security before he starts to work? Come on!
=)
=)
=)Exactly my thoughts. So, do we get a checklist or reference list from the
=)gurus?
=)
=)I am also a bit new to the sys admin duties. I have
=)taken the time to read the FreeBSD book that came with the CD (which
=)doesn't help much in the security area), read a UNIX sysadmin book (Nemeth,
=)Snyder etc the Red Book) but it too has its limitations.

	I wish I had access to the FreeBSD book since I've been looking for
one at different places in the Bay Area and they didn't have anything but
the CD itself.

=)We don't have external user logins, so the risks are much less, but I would
=)always like to learn because soon we will be "out there".

	I'm sure that in the future, people will find all sorts of ways to
break into systems not via user logins but via ports or daemons.

=)Another netter mentioned about FreeBSD should ship with some documentation,
=)scripts that tell us (about the system files and directories) what are the
=)files associated with "feature" A or "service" B (e.g. uucp), which files
=)need to be setuid for what functionality.
=)
=)Here is an example. (I know you gurus will laugh, but it was my 3rd day
=)only).
=)
=)Realizing that sbin dirs are for sysadmin related files, I made the */sbin
=)as -r-xr-x--- and group being wheel or bin as appropriate.
=)Now, after a few weeks!! I realised that I am not able to send out any
=)mail. I had been receiving mail like anything, my elm session also didn't
=)complain when I sent out email. Finally I checked the logs and found
=)nothing, not a trace of a mail sent out. So I checked to see `which
=)sendmail` and it was /usr/sbin/sendmail
=)So I had to give r-x permissions to it to the world.
=)
=)Now why would sendmail be in sbin when it is not purely a sysadmin tool
=)only?

	Good question, but sendmail is a daemon that only root or the system
should run, I guess.

=)My point? Having a document or a checklist would be real helpful to newbies
=)and can serve as a quick reference for the gurus.

	Good point indeed. I had been thinking about this hack: would it
have been possible for the hacker to have run perl.003 and then snatched
the master.passwd file and then cracked it? Also, about the crc check,
isn't the /etc/daily script supposed to compare files and do a security
check already?

	Another point I want to make is that for one reason or another,
2.1.7.1R and previous versions were more strict on the password than 2.1R
and 2.2.2R are. I have verified this with freshly installed boxes. On a
2.1.7.1R and older box, if you tried to su and the root password was
1234567890, you had to enter it as 1234567890 or else it won't work and
say Sorry! On 2.1R, 2.2.2R and -CURRENT, I can enter 1234567890,
1234567891, 1234567892, etc. and it will still give me root access.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET              ________   __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free   / / / / | / |[__ ]
GaiaNet Corporation - M & C Estate                        / / / / | / | __] ]
Beverly Hills, California USA 90210                       / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin      /_/_/_/_/|___/|_|[____]
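The message asks whether /etc/daily already compares files and does a security check, and the quoted story shows how a permission change on /usr/sbin/sendmail went unnoticed for weeks. The following is an added example, written for this archive page and not code from the thread or from FreeBSD, of the baseline-and-compare check that question is about: it records a SHA-256 digest and the permission bits for every regular file under a directory, then reports files that were added, removed, modified, had their mode changed, or newly gained a setuid/setgid bit. The directory tree, file names (a fake "usr/sbin" with "sendmail", "cron" and "newtool") and their contents are constructed in a temporary directory purely for the demonstration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Digest plus permission bits for one regular file."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),          # rwx bits plus setuid/setgid/sticky
        "privileged": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
    }


def build_baseline(root: Path) -> dict:
    """Map of relative path -> record for every regular file below root.

    Symlinks are skipped so a link pointing at a file elsewhere cannot stand in
    for the real binary in the baseline.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines into the categories a daily report would list."""
    report = {"added": [], "removed": [], "changed": [],
              "mode_changed": [], "new_setuid": []}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            report["added"].append(name)
            if new["privileged"]:
                report["new_setuid"].append(name)
        elif new is None:
            report["removed"].append(name)
        else:
            if old["sha256"] != new["sha256"]:
                report["changed"].append(name)
            if old["mode"] != new["mode"]:
                report["mode_changed"].append(name)
            if new["privileged"] and not old["privileged"]:
                report["new_setuid"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: snapshot a fake usr/sbin, alter it, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sbin = root / "usr" / "sbin"
        sbin.mkdir(parents=True)
        sendmail = sbin / "sendmail"
        sendmail.write_bytes(b"#!/bin/sh\necho constructed sendmail stand-in\n")
        sendmail.chmod(0o555)
        cron = sbin / "cron"
        cron.write_bytes(b"constructed cron stand-in")
        cron.chmod(0o555)
        baseline = build_baseline(root)

        # Simulated drift since the baseline: sendmail's contents and mode change
        # (it picks up setuid), cron disappears, and an unknown file appears.
        sendmail.write_bytes(b"#!/bin/sh\necho contents replaced\n")
        sendmail.chmod(0o4555)
        cron.unlink()
        (sbin / "newtool").write_bytes(b"constructed unexpected file")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:13s} {names}")
```

The baseline is only as trustworthy as the copy you compare against, so in practice the snapshot is stored off the host (or on read-only media) and the comparison run from it; a baseline kept on the same disk can be regenerated by whoever changed the files.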