From owner-freebsd-security Thu Jun 17 19:47:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from aurora.sol.net (aurora.sol.net [206.55.65.76]) by hub.freebsd.org (Postfix) with ESMTP id 3AEB0155D7 for ; Thu, 17 Jun 1999 19:47:55 -0700 (PDT) (envelope-from jgreco@aurora.sol.net)
Received: (from jgreco@localhost) by aurora.sol.net (8.9.2/8.9.2/SNNS-1.02) id VAA06621; Thu, 17 Jun 1999 21:47:51 -0500 (CDT)
From: Joe Greco
Message-Id: <199906180247.VAA06621@aurora.sol.net>
Subject: Re: some nice advice....
In-Reply-To: from Terry Glanfield at "Jun 17, 1999 10:34:34 pm"
To: terry@program-products.co.uk (Terry Glanfield)
Date: Thu, 17 Jun 1999 21:47:51 -0500 (CDT)
Cc: security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> jgreco@ns.sol.net (Joe Greco) writes:
> > chmod 111 /usr/bin/uucp
> > ...
> > chmod 111 /usr/bin/at
> > ...
> > chmod 111 /usr/bin/ypchpass
> etc.
>
> Why not "chmod 0" most of these and be done with it?

There is little point in chmod'ding an executable to 0 on a free OS where the executables can be retrieved from any convenient FTP site. In fact, some utilities may retain their usefulness in some lesser manner... or you may wish to run them as root... or for example, doing a chmod 0 on /usr/bin/login may not be too slick.

You want to remove the privilege. That's all, really. Otherwise you get into the slippery slope of "why don't you chmod 0 this other random non-suid executable that nobody on this system will ever need", and that wasn't the point. The point was to remove likely security holes opened by suid or sgid executables on application-server-platform class machines where no "normal user" would lose by being unable to run them, and then applying some really mean-ass schg flags.

... Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                      414/342-4847
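
The hardening step the message describes (strip the suid/sgid privilege with `chmod 111`, then optionally lock the file with `schg`), written out as an added example that is not part of the original message. The function names, the keep-list file and the `LOCK` variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a keep-list file
# holding one absolute path per line for binaries that must stay
# suid/sgid (paths containing newlines are not supported).

# Print every regular file under DIR that carries a setuid or setgid bit.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# strip_privileged DIR KEEPFILE
# Any suid/sgid file not named in KEEPFILE is set to mode 111: still
# executable by everyone, but it no longer runs with elevated privilege
# and can no longer be read or copied by ordinary users.
strip_privileged() {
    dir=$1
    keep=$2
    list_privileged "$dir" | while IFS= read -r f; do
        if grep -Fxq -- "$f" "$keep"; then
            echo "keep  $f"
            continue
        fi
        chmod 111 "$f" && echo "strip $f"
        # Optional: set the FreeBSD system-immutable flag so the mode
        # cannot be changed back without clearing the flag first.
        # Only attempted when LOCK=1 and chflags is available.
        if [ "${LOCK:-0}" = 1 ] && command -v chflags >/dev/null 2>&1; then
            chflags schg "$f"
        fi
    done
}

# Stand-alone use: sh thisfile.sh /usr/bin /path/to/keep-list
if [ "$#" -eq 2 ]; then
    strip_privileged "$1" "$2"
fi
```

Run `list_privileged` on its own first and review the output before stripping anything; once `schg` is set, clearing it requires `chflags noschg` as root, and at a raised securelevel the flag cannot be cleared until the system is brought back down to single-user mode.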