Date: Mon, 16 Nov 1998 15:32:54 -0600
From: William McVey <wam@sa.fedex.com>
To: freebsd-security@FreeBSD.ORG
Subject: Another security suggestion (group nospace)
Message-ID: <199811162133.PAA12125@s07.sa.fedex.com>
I've added a "nospace" group (I use gid 57) to my system and have changed all "world writable" directories (/tmp /var/tmp /usr/tmp etc) to mode 1707, grouped to 'nospace'. I then put my 'www', 'tftp', 'smtp', 'daemon', 'nobody' and other untrusted daemon ids into group nospace, effectively shutting these ids off from writing onto the filesystem.

Some of these daemons (like smtp) require the ability to write to the filesystem (queue files, etc); however, most don't. For example, this helps keep any potential compromise of my web server id from spreading into a root compromise.

-- William

P.S. If you do this, be sure to change /usr/libexec/locate.updatedb, which by default has user 'nobody' writing files in /tmp.
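The permission rule the post relies on, as an added example that is not part of the original message: the kernel consults only the first class that matches (owner, then group, then other), so a member of the directory's group gets the group bits even when the "other" bits are more permissive. It assumes a root-owned /tmp at mode 1707 with gid 57 as in the post, and FreeBSD's uid 65534 for nobody; every input is constructed.

```shell
#!/bin/sh
# can_write MODE OWNER_UID DIR_GID UID "GID1 GID2 ..."
# Returns 0 (true) if the user may write to the directory, 1 otherwise.
# MODE is octal as shown by ls/stat, e.g. 1777 or 1707; a leading
# sticky/setuid/setgid digit is ignored since only the write bit matters here.
can_write() {
    mode=$1 owner=$2 dgid=$3 uid=$4 gids=$5
    # Root bypasses discretionary permission checks entirely.
    [ "$uid" -eq 0 ] && return 0
    # Keep the last three octal digits (owner, group, other).
    perms=${mode#${mode%???}}
    if [ "$uid" -eq "$owner" ]; then
        bits=${perms%??}                                # owner digit
    else
        case " $gids " in
            *" $dgid "*) t=${perms#?}; bits=${t%?} ;;   # group digit
            *)           bits=${perms#??} ;;            # other digit
        esac
    fi
    # The write bit is the 2 in each octal digit.
    [ $(( bits & 2 )) -ne 0 ]
}

# Constructed demonstration: /tmp owned by root (uid 0), group nospace (gid 57).
# 'nobody' has been added to nospace; 'alice' (assumed uid 1001) has not.
demo() {
    for who in "nobody 65534 65534 57" "alice 1001 1001"; do
        set -- $who
        name=$1; uid=$2; shift 2
        for mode in 1777 1707; do
            if can_write "$mode" 0 57 "$uid" "$*"; then r=writable; else r=denied; fi
            printf '%-6s mode %s: %s\n' "$name" "$mode" "$r"
        done
    done
}
demo
```

The same check applied to every directory listed by `find / -type d -perm -o+w` shows which world-writable directories still let a daemon in group nospace write.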