From owner-freebsd-security Fri Aug 25 7:19:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from laemail.bankofamerica.com (laemail.bankofamerica.com [171.161.96.14])
	by hub.freebsd.org (Postfix) with ESMTP id 06BD837B440
	for ; Fri, 25 Aug 2000 07:19:32 -0700 (PDT)
Received: from laimail.bankofamerica.com (laimail.bankofamerica.com [171.182.104.13])
	by laemail.bankofamerica.com (8.9.1/8.9.1) with ESMTP id HAA15152
	for ; Fri, 25 Aug 2000 07:19:26 -0700 (PDT)
From: mike.sellenschuetter@bankofamerica.com
Received: from smtpsw02 (smtpsw02.bankofamerica.com [165.37.204.30])
	by laimail.bankofamerica.com (8.9.1/8.9.1) with ESMTP id HAA24594
	for ; Fri, 25 Aug 2000 07:19:26 -0700 (PDT)
Message-Id: <200008251419.HAA24594@laimail.bankofamerica.com>
Date: Fri, 25 Aug 2000 09:19:06 -0500
Subject: Sup
To: freebsd-security@FreeBSD.ORG
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
Content-transfer-encoding: 7BIT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear All,

We have a small system consisting of about 14 servers and 30 workstations. All servers and workstations are running FreeBSD 2.2.6 (we are going to upgrade to 4.0 or 4.1 sometime soon, hopefully this fall).

While adding files to one of the collections in the repository on the sup server, I had a problem with getting one of the files to distribute to the clients. After talking with the vendor who integrated the system, they told me that all files in the repository on the sup server had to be world readable before the files would be distributed to the clients. Indeed, after I changed the permissions on this file, it did distribute to the clients the next time the sup process was run.

I have two questions. First, is it true that all files have to be world readable (644) in the repository on the sup server before sup will work properly? I did not see that in the man pages for sup or supfilesrv.
We have sensitive files (in addition to master.passwd, group, sudoers, etc.) in several of the collections on the sup server, and if our Audit department finds out that these files are world readable, they are going to do a thorough job of making my life miserable. My second question is how can I tighten the permissions (or otherwise tighten security) on these files in the repository without adversely affecting the sup process?

Thank you in advance for any advice that you can give me.

Mike