From owner-freebsd-questions  Fri Nov  2  1:11:18 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-65-31-203-60.mmcable.com [65.31.203.60])
	by hub.freebsd.org (Postfix) with SMTP id 053A937B405
	for <questions@FreeBSD.ORG>; Fri,  2 Nov 2001 01:11:16 -0800 (PST)
Received: (qmail 49788 invoked by uid 100); 2 Nov 2001 09:11:15 -0000
From: Mike Meyer <mwm@mired.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15330.25395.443874.862944@guru.mired.org>
Date: Fri, 2 Nov 2001 03:11:15 -0600
To: "Anthony Atkielski" <anthony@atkielski.com>
Cc: <questions@FreeBSD.ORG>
Subject: Re: Lockdown of FreeBSD machine directly on Net
In-Reply-To: <00d801c1637c$d3264640$0a00000a@atkielski.com>
References: <15330.23714.263323.466739@guru.mired.org>
	<00b501c1637b$1cd2f880$0a00000a@atkielski.com>
	<20011102095554.A38169@student.uu.se>
	<00d801c1637c$d3264640$0a00000a@atkielski.com>
X-Mailer: VM 6.90 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG%
 *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Anthony Atkielski <anthony@atkielski.com> types:
> > This requires that the user you login as is
> > in the 'wheel' group.
> And if I add that user to wheel, does that open up any other holes?  Doesn't
> wheel have a lot of permissions on a lot of files?

It shouldn't. First, the only reason to put someone in group wheel is
to give them root access, which makes the point moot anyway. Second, a
lot of files belong to group wheel, the group privileges on them are
the same as for other users. Doing otherwise is a bad security
practice, as it means that someone who breaks into a wheel account can
change them without having to know the root password.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Q: How do you make the gods laugh?		A: Tell them your plans.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message