Date: Wed, 23 Aug 2000 23:06:54 -0500 (CDT)
From: Eric Brueggmann
To: freebsd-isp@freebsd.org
Cc: security@freebsd.org
Subject: after "make world"

Hello,

I try to keep my box up to date, and cvsup every week or so with cron. And
make install world whenever there is a security alert.

My question to the list is: What kind of scripts do shell server admins use
after they make world? This question is in regards to permissions, suid,
sgid, etc. Do you upgrade often enough to even warrant a script like this?

Below is a little script, of some of the stuff that I have collected over
the past couple of weeks. Am I missing something?

Thanks for the help,

Eric Brueggmann
Hobbyist

P.S. Sorry for posting to 2 lists, I thought it pertained to both of 'em.
I know my spelling sucks..

===============================================================================
#!/bin/sh
# Run this after a make world, for better security.

# Clear the system-immutable flag so the permission changes below can apply.
chflags noschg /bin/*
chflags noschg /usr/bin/*
chflags noschg /sbin/*
chflags noschg /usr/sbin/*
chflags noschg /bin ; chflags noschg /sbin
chflags noschg /usr/bin ; chflags noschg /usr/sbin

# Tighten log permissions; only run the chmods if the cd succeeded.
cd /var/log && { chmod g-w,o-r * ; chmod a+r wtmp ; }

echo "Edit /etc/rc.conf and change the kernellevel to 2"

# Strip setgid from everything except paths matching the pattern.
# Reading one path per line keeps file names with spaces intact.
find / -type f -perm -2000 | egrep -wv "lockfile" |
    while IFS= read -r i ; do chmod g-s "$i" ; done

# Strip setuid from everything except paths matching the pattern.
find / -type f -perm -4000 |
    egrep -wv "man|login|passwd|su|ssh|sendmail|procmail|sudo|mail.local" |
    while IFS= read -r i ; do chmod u-s "$i" ; done

# Remove world-write from directories other than tmp directories.
find / -type d -perm -002 | egrep -v "tmp" |
    while IFS= read -r i ; do chmod o-w "$i" ; done

chmod 700 /root

# cd to /home and chmod 700 every directory except "apache|newuser|ftp|?????"

# Set the system-immutable flag again.
chflags schg /bin/*
chflags schg /usr/bin/*
chflags schg /sbin/*
chflags schg /usr/sbin/*
chflags schg /bin ; chflags schg /sbin
chflags schg /usr/bin ; chflags schg /usr/sbin
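
An added example, not part of the original post: the egrep -wv filters in the script match a word anywhere in the path, so every file under a directory named "man" or "su" is exempted along with the intended binary. The sketch below compares each setuid/setgid file against an exact-path allowlist and only reports unless asked to fix; the function name audit_setid and the allowlist file format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# audit_setid ROOT ALLOWLIST [fix]
#   ROOT       directory tree to scan (does not cross filesystems)
#   ALLOWLIST  file with one full path per line (hypothetical format)
#   fix        strip the bits from unlisted files; default is report only
# Prints one line per unlisted file: "<bits> <path>".
# e.g. audit_setid / /path/to/allowlist
audit_setid() {
    root=$1 allow=$2 action=${3:-report}
    # Refuse to run without an allowlist: in fix mode a missing file
    # would otherwise strip every setuid/setgid bit on the system.
    [ -r "$allow" ] || { echo "allowlist not readable: $allow" >&2; return 2; }
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        # -F literal string, -x whole line: listing /usr/bin/su does not
        # also exempt /usr/bin/sudoedit or anything under /home/su/.
        if grep -Fxq -- "$f" "$allow"; then
            continue
        fi
        bits=
        [ -u "$f" ] && bits=suid
        [ -g "$f" ] && bits=${bits:+$bits,}sgid
        printf '%s %s\n' "$bits" "$f"
        if [ "$action" = fix ]; then
            chmod u-s,g-s -- "$f"
        fi
    done
}
```

Running it in report mode first and reviewing the output before passing fix avoids breaking a binary that a new release legitimately installs setuid.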