Date:      Wed, 23 Aug 2000 23:06:54 -0500 (CDT)
From:      Eric Brueggmann <brueggma@students.uiuc.edu>
To:        freebsd-isp@freebsd.org
Cc:        security@freebsd.org
Subject:   after "make world"
Message-ID:  <Pine.GSO.4.10.10008232251410.13167-100000@ux11.cso.uiuc.edu>


Hello,

	I try to keep my box up to date, and cvsup every week or so with
cron.  And make install world whenever there is a security alert.  My
question to the list is:  What kind of scripts do shell server admins use
after they make world?  This question is in regards to permissions, suid,
sgid, etc.  Do you upgrade often enough to even warrant a script like
this?  Below is a little script, of some of the stuff that I have
collected over the past couple of weeks.  Am I missing something?


					Thanks for the help,
					Eric Brueggmann
					Hobbyist


P.S.  Sorry for posting to 2 lists, I thought it pertained to both of 'em.
      I know my spelling sucks..

===============================================================================


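#!/bin/sh

#  Run this after a make world, for better security.

# Clear the system-immutable flag so the files below can be changed.
# This only works while the kernel securelevel is below 1.
chflags noschg /bin/*
chflags noschg /usr/bin/*
chflags noschg /sbin/*
chflags noschg /usr/sbin/*
chflags noschg /bin ; chflags noschg /sbin
chflags noschg /usr/bin ; chflags noschg /usr/sbin

# Tighten log permissions; the chmods run only if the cd succeeded.
cd /var/log && chmod g-w,o-r * && chmod a+r wtmp


echo 'Edit /etc/rc.conf and set kern_securelevel_enable="YES" and kern_securelevel="2"'


# The loops below read find's output one line at a time and quote "$i",
# so paths containing spaces are handled as a single file name.
# Note that egrep matches its words anywhere in the path, not just the file name.

# Strip setgid from regular files, except paths matching "lockfile".
find / -type f -perm -2000 | egrep -wv  "lockfile" | while IFS= read -r i ; do chmod g-s "$i" ; done

# Strip setuid from regular files, except paths matching the listed words.
find / -type f -perm -4000 | egrep -wv "man|login|passwd|su|ssh|sendmail|procmail|sudo|mail.local" | while IFS= read -r i ; do chmod u-s "$i" ; done

# Remove world-write from directories, except paths containing "tmp".
find / -type d -perm -002 | egrep -v  "tmp" | while IFS= read -r i ; do chmod o-w "$i" ; done

chmod 700 /root
# cd to /home and chmod 700 every directory except "apache|newuser|ftp|?????"


# Set the system-immutable flag again.
chflags schg /bin/*
chflags schg /usr/bin/*
chflags schg /sbin/*
chflags schg /usr/sbin/*
chflags schg /bin ; chflags schg /sbin
chflags schg /usr/bin ; chflags schg /usr/sbin

#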
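
An added example, not part of the original message: a report-only audit that lists setuid/setgid files whose file name is not on an allowlist, matching the exact basename instead of a word anywhere in the path (so a file under a directory named "man" is still reported). The allowlist contents, the function names and the demo tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original message: report-only audit of
# setuid/setgid files, allowlisted by exact basename.

# Assumption: allowlist built from the names in the message's egrep patterns.
ALLOW="man login passwd su ssh sendmail procmail sudo mail.local lockfile"

# is_allowed NAME: succeeds only if NAME equals an allowlist entry exactly.
is_allowed() {
    for a in $ALLOW; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# audit_special_bits DIR...: print each setuid or setgid regular file whose
# basename is not allowlisted. Nothing is modified.
audit_special_bits() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        is_allowed "$(basename "$f")" || printf '%s\n' "$f"
    done
}

# make_demo_tree: build a constructed sample tree and print its location.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/usr/share/man"
    for f in "usr/bin/su" "usr/bin/my tool" "usr/share/man/helper"; do
        : > "$d/$f" && chmod 4755 "$d/$f"
    done
    : > "$d/usr/bin/plain" && chmod 755 "$d/usr/bin/plain"
    printf '%s\n' "$d"
}

# Stand-alone use: sh audit.sh /bin /usr/bin ...
if [ "$#" -gt 0 ]; then
    audit_special_bits "$@"
fi
```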


