From owner-freebsd-security  Mon Nov 16 13:34:13 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id NAA16455
          for freebsd-security-outgoing; Mon, 16 Nov 1998 13:34:13 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mx1.dmz.fedex.com (mx1.dmz.fedex.com [199.81.194.37])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA16306
          for <freebsd-security@freebsd.org>; Mon, 16 Nov 1998 13:34:02 -0800 (PST)
          (envelope-from wam@mohawk.dpd.fedex.com)
Received: from mx2.zmd.fedex.com (sendmail@mx2.zmd.fedex.com [199.82.159.11])
	by mx1.dmz.fedex.com (8.9.1/8.9.1) with ESMTP id PAA28138
	for <freebsd-security@freebsd.org>; Mon, 16 Nov 1998 15:33:36 -0600 (CST)
Received: from s07.sa.fedex.com (root@s07.sa.fedex.com [199.81.124.17])
	by mx2.zmd.fedex.com (8.9.1/8.9.1) with ESMTP id PAA05712
	for <freebsd-security@freebsd.org>; Mon, 16 Nov 1998 15:33:27 -0600 (CST)
Received: from mohawk.dpd.fedex.com (mohawk.dpd.fedex.com [199.81.74.121])
	by s07.sa.fedex.com (8.9.1/8.9.1) with SMTP id PAA12125
	for <freebsd-security@freebsd.org>; Mon, 16 Nov 1998 15:33:26 -0600 (CST)
Message-Id: <199811162133.PAA12125@s07.sa.fedex.com>
To: freebsd-security@FreeBSD.ORG
Subject: Another security suggestion (group nospace)
Organization: Federal Express Data Protection Distributed Projects
Date: Mon, 16 Nov 1998 15:32:54 -0600
From: William McVey <wam@sa.fedex.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've added a "nospace" group (I user gid 57) to my system and have
changed all "world writeable" directories (/tmp /var/tmp /usr/tmp
etc) to mode 1707, grouped to 'nospace'.  I then put my 'www',
'tftp', 'smtp', 'daemon', 'nobody' and other untrusted daemon ids
into group nospace, effectivly shutting these ids off from writing
onto the filesystem.  Some of these daemons (like smtp) require
the ability to write to the filesystem (queue files, etc); however,
most don't.  For example, this helps keeps any potential compromise
of my web server id  from spreading into a root compromise.

  -- William

P.S.  If you do this, be sure to change /usr/libexec/locate.updatedb,
which by default has user 'nobody' writing files in /tmp.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message