Date: Sat, 27 Jan 1996 23:19:25 +0100 (MET)
From: J Wunsch <j@uriah.heep.sax.de>
To: dhawk@netcom.com (David H)
Cc: bugs@freebsd.org
Subject: Re: Not Exactly a Bug, but a Crack
Message-ID: <199601272219.XAA24872@uriah.heep.sax.de>
In-Reply-To: <199601272046.MAA28965@netcom13.netcom.com> from "David H" at Jan 27, 96 12:46:07 pm
As David H wrote:

> I checked COPS and got the same three items it reported in November
> and December:
> 1. doesn't like the 'toor' account (second root account),

Hmmm. Well, at least, it's disabled. Whether or not multiple UID 0
accounts are a security hole is a matter of taste. I usually don't use
`root' at all, except that it is there so the files will belong to user
`root'.

> 2. /etc/security is readable (but only to group wheel), and

I don't think group wheel is much to care. It's a compromise. With an
/etc/security readable to group wheel, the potential admins have less
need to actually `su' since they can have a look at the file without.

> 3. /var/spool/uucppublic is world-writable (but nobody's written to
> it).

It's supposed to. User uucp writes there (incoming uucp job), and the
destination user is supposed to be able to read and delete the file
there. (Or vice versa.)

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
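The three COPS findings discussed in this exchange (a second UID 0 account, a group-readable /etc/security, a world-writable /var/spool/uucppublic) are all things an administrator can re-check by hand. The script below is an added example, not part of the original message and not FreeBSD's or COPS's own code. It lists every UID 0 account and whether its password field actually permits a login (the point Jörg makes about `toor` being disabled), and it reports the group-readable and world-writable bits on a path. The passwd content is a constructed sample in master.passwd layout; the `backdoor` entry is invented to show what an enabled, passwordless UID 0 account looks like to the check.

```shell
#!/bin/sh
# Added example: a small COPS-style re-check of the findings in the thread.
# Not FreeBSD's or COPS's code. SAMPLE_PASSWD is constructed; the "backdoor"
# line is a deliberately bad entry, not something from the original message.

# Constructed master.passwd-style sample:
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_PASSWD='root:$1$constructed$notarealhashxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
backdoor::0:0::0:0:constructed bad entry:/:/bin/sh
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin'

# Print one line per UID 0 account: "name state", where state is
#   locked -> password field starts with '*' or '!' (no password login possible)
#   nopass -> password field is empty (logs in with no password at all)
#   active -> a real hash is present
# A second UID 0 account is only a concern when its state is not "locked".
audit_uid0() {
    printf '%s\n' "$1" | awk -F: '
        $3 == 0 {
            if ($2 == "")           state = "nopass"
            else if ($2 ~ /^[*!]/)  state = "locked"
            else                    state = "active"
            print $1, state
        }'
}

# Number of UID 0 accounts that can actually be logged into.
count_live_uid0() {
    audit_uid0 "$1" | awk '$2 != "locked"' | wc -l | tr -d ' '
}

# Report the mode bits relevant to the two filesystem findings:
# prints "group-readable" and/or "world-writable" as they apply.
# Uses find -prune -perm so it is portable between BSD and GNU userlands.
describe_perms() {
    path=$1
    [ -e "$path" ] || { echo "missing"; return 1; }
    out=""
    find "$path" -prune -perm -040 | grep -q . && out="$out group-readable"
    find "$path" -prune -perm -002 | grep -q . && out="$out world-writable"
    echo "${out# }"
}

# Stand-alone run: report on the constructed sample, then on the two paths
# named in the thread if they exist on this host.
echo "UID 0 accounts in constructed sample:"
audit_uid0 "$SAMPLE_PASSWD"
echo "UID 0 accounts that can log in: $(count_live_uid0 "$SAMPLE_PASSWD")"
for p in /etc/security /var/spool/uucppublic; do
    if [ -e "$p" ]; then
        echo "$p: $(describe_perms "$p")"
    fi
done
```

Run against the real file with `audit_uid0 "$(cat /etc/master.passwd)"` on FreeBSD (or /etc/shadow elsewhere, where the hash lives); the expected picture on a stock system is `root` active and `toor` locked, and any third line is worth a closer look. For the uucppublic case the script only reports the mode; as the reply explains, world-writable is the intended configuration for that spool directory, so the judgement stays with the administrator.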