From owner-freebsd-security Wed Jul 30 12:05:00 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA25403 for security-outgoing; Wed, 30 Jul 1997 12:05:00 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA25393 for ; Wed, 30 Jul 1997 12:04:54 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id PAA21876; Wed, 30 Jul 1997 15:00:01 -0400 (EDT)
From: Adam Shostack
Message-Id: <199707301900.PAA21876@homeport.org>
Subject: Re: So, lets have a checklist compiled (was Re: Security hole)
In-Reply-To: <199707301450.JAA25877@shift-f1.com> from Shashi Joshi at "Jul 30, 97 09:50:56 am"
To: shashi@shift-f1.com (Shashi Joshi)
Date: Wed, 30 Jul 1997 15:00:01 -0400 (EDT)
Cc: molter@logic.it, vince@mail.MCESTATE.COM, security@FreeBSD.ORG, mario1@PrimeNet.Com
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Guy Helmer is working on a paper on exactly this topic. Perhaps he
could post a pointer to his current draft?

Adam

| Exactly my thoughts. So, do we get a checklist or reference list from the
| gurus?
|
| I am also a bit new to the sys admin duties. I have
| taken the time to read the FreeBSD book that came with the CD (which
| doesn't help much in the security area), read a UNIX sysadmin book (Nemeth,
| Snyder etc the Red Book) but it too has its limitations.
|
| We don't have external user logins, so the risks are much less, but I would
| always like to learn because soon we will be "out there".
|
| Another netter mentioned about FreeBSD should ship with some documentation,
| scripts that tell us (about the system files and directories) what are the
| files associated with "feature" A or "service" B (e.g. uucp), which files
| need to be setuid for what functionality.
|
| Here is an example. (I know you gurus will laugh, but it was my 3rd day only).
|
| Realizing that sbin dirs are for sysadmin related files, I made the */sbin
| as -r-xr-x--- and group being wheel or bin as appropriate.
| Now, after a few weeks!! I realised that I am not able to send out any
| mail. I had been receiving mail like anything, my elm session also didn't
| complain when I sent out email. Finally I checked the logs and found
| nothing, not a trace of a mail sent out. So I checked to see `which
| sendmail` and it was /usr/sbin/sendmail
| So I had to give r-x permissions to it to the world.
|
| Now why would sendmail be in sbin when it is not purely a sysadmin tool
| only?
|
| My point? Having a document or a checklist would be real helpful to newbies
| and can serve as a quick reference for the gurus.
|
| regards,
|
| --
| Shashi Joshi
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume
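
The failure described in the quoted message (restricting */sbin to -r-xr-x--- silently stopped outgoing mail because /usr/sbin/sendmail lost world execute) can be caught with a dry run before any mode is changed. The script below is an added example, not part of the original thread; the function names, the USER-FACING/REVIEW labels, the constructed sample files and the heuristic that a set-id bit marks a program built for unprivileged callers are assumptions of the example.

```shell
#!/bin/sh
# Added example: dry-run report for tightening directories to r-xr-x---.
# Lists every regular file that is world-executable today, i.e. every file
# whose behaviour for ordinary users changes if "other" execute is removed:
#   USER-FACING <mode> <path>  set-uid/set-gid bit present (assumed heuristic:
#                              installed so unprivileged users can run it)
#   REVIEW      <mode> <path>  world-executable only; confirm who invokes it
# Nothing on disk is modified by the report.
sbin_lockdown_report() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -perm -0001 matches files with the "other execute" bit set
        find "$dir" -type f -perm -0001 | sort | while IFS= read -r f; do
            mode=$(ls -ld "$f" | awk '{print $1}')
            case $mode in
                # 4th char s/S = set-uid, 7th char s/S = set-gid
                ???[sS]*|??????[sS]*) echo "USER-FACING $mode $f" ;;
                *)                    echo "REVIEW $mode $f" ;;
            esac
        done
    done
}

# Constructed sample tree (empty placeholder files, not real system
# binaries) so the report can be run offline.
make_sample_sbin() {
    d=$(mktemp -d) || return 1
    for n in sendmail fsck newsyslog; do : > "$d/$n"; done
    chmod 4555 "$d/sendmail"    # set-uid and world-executable
    chmod 0555 "$d/fsck"        # world-executable, no set-id bit
    chmod 0550 "$d/newsyslog"   # already r-xr-x---, so not reported
    echo "$d"
}

sample=$(make_sample_sbin) && sbin_lockdown_report "$sample"
rm -rf "$sample"
```

On a real system the function would be called with the sbin directories as arguments; every USER-FACING line is a program to exempt or test from an unprivileged account before the change is applied.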