Date: Thu, 17 Jun 1999 21:47:51 -0500 (CDT)
From: Joe Greco <jgreco@ns.sol.net>
To: terry@program-products.co.uk (Terry Glanfield)
Cc: security@freebsd.org
Subject: Re: some nice advice....
Message-ID: <199906180247.VAA06621@aurora.sol.net>
In-Reply-To: <eso7qa4ut.fsf@program-products.co.uk> from Terry Glanfield at "Jun 17, 1999 10:34:34 pm"

> jgreco@ns.sol.net (Joe Greco) writes:
> > chmod 111 /usr/bin/uucp
> > ...
> > chmod 111 /usr/bin/at
> > ...
> > chmod 111 /usr/bin/ypchpass
> etc.
>
> Why not "chmod 0" most of these and be done with it?

There is little point in chmod'ding an executable to 0 on a free OS where
the executables can be retrieved from any convenient FTP site. In fact,
some utilities may retain their usefulness in some lesser manner... or
you may wish to run them as root... or for example, doing a chmod 0 on
/usr/bin/login may not be too slick.

You want to remove the privilege. That's all, really. Otherwise you get
into the slippery slope of "why don't you chmod 0 this other random non-suid
executable that nobody on this system will ever need", and that wasn't the
point.

The point was to remove likely security holes opened by suid or sgid
executables on application-server-platform class machines where no "normal
user" would lose by being unable to run them, and then applying some really
mean-ass schg flags.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                     jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                 414/342-4847

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
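
The approach described in the message above, as an added example that is not part of the original e-mail: find set-id files under a directory, drop them to mode 111 rather than 0, and optionally set the schg flag. The function names, the keep list and the APPLY_SCHG switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original message. Only "chmod 111" and the
# schg flag come from the e-mail; every name below is hypothetical.

# Print regular files under directory $1 that carry the setuid or setgid bit.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Remove the privilege but keep the file runnable: mode 111 clears the
# suid/sgid bits and all read/write bits and leaves execute for everyone.
# (Compiled binaries run execute-only; interpreted scripts need read access.)
# With APPLY_SCHG=1 (assumed opt-in switch) the system-immutable flag is
# then set, on systems that provide chflags, so the mode cannot be put back
# without first clearing the flag.
strip_privilege() {
    chmod 111 "$1" || return 1
    if [ "${APPLY_SCHG:-0}" = 1 ] && command -v chflags >/dev/null 2>&1; then
        chflags schg "$1" || echo "warn: could not set schg on $1" >&2
    fi
}

# Strip every set-id file under directory $1, except paths listed one per
# line in $2 (binaries that must stay privileged, such as login or su).
# Prints one "keep" or "strip" line per set-id file found.
harden_tree() {
    dir=$1
    keep=$2
    list_setid "$dir" | while IFS= read -r f; do
        if printf '%s\n' "$keep" | grep -Fxq -- "$f"; then
            echo "keep  $f"
        else
            strip_privilege "$f" && echo "strip $f"
        fi
    done
}

# Usage (placeholder paths): review the audit output first, then harden.
#   list_setid /path/to/bin
#   APPLY_SCHG=1 harden_tree /path/to/bin "/path/to/bin/needed-suid-tool"
```

Running list_setid again after harden_tree gives the remaining set-id inventory, which should match the keep list exactly.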