From owner-freebsd-security Mon Oct 1 21:35:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-172.zoominternet.net [24.154.28.172]) by hub.freebsd.org (Postfix) with ESMTP id 3CA4F37B40D for ; Mon, 1 Oct 2001 21:35:05 -0700 (PDT) Received: from topperwein.dyndns.org (topperwein.dyndns.org [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id f924ZC291249 for ; Tue, 2 Oct 2001 00:35:12 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Tue, 2 Oct 2001 00:35:07 -0400 (EDT) From: Chris BeHanna Reply-To: Chris BeHanna To: Subject: Re: file permission question In-Reply-To: Message-ID: <20011002003111.D90494-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 1 Oct 2001, default wrote: > Hi, > > I am allowing a couple of ppl to have a shell account on one of my machines, > and I am making a few changes to disallow them from using certain things... > like chmoding the 'ps' command to 550 etc... ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Why? "ps" can be a valuable diagnostic tool--even for (l)users. Quite a few things can break without being able to access it; e.g., any script that relies upon ps to monitor the health of a running process. > I wanted to ask, is there any reason why one wouldn't want to chmod to 640 > the passwd file and other similar files? ... Uh, because any userland process that calls getpwent() or getgrent() will fail to run? -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net I was raised by a pack of wild corn dogs. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message