From: "Jeffrey J. Mountin"
Date: Tue, 29 Feb 2000 13:42:14 -0600
To: Andrey Novikov, freebsd-security@FreeBSD.ORG
Subject: Re: schg flag

At 09:40 PM 2/29/00 +0300, Andrey Novikov wrote:
>Hello,
>
>It seems to me that it will be more secure for my
>public server to say at least:
>
>chflags schg /bin/*
>chflags schg /sbin/*
>chflags schg /usr/bin/*
>chflags schg /usr/sbin/*
>chflags schg /usr/local/bin/*
>chflags schg /usr/local/sbin/*
>
>to prevent any trojans in my system binaries, am I wrong?
>Would it confuse future makeworlds on that system?

Prevent trojans, depends. Makeworld, no. Installworld, yes.

Without getting into an often discussed topic, you forgot some dirs and should consider "ro" flags for mounting /usr and a higher securelevel. Also moving services to other servers that do not allow telnet/ssh. Many paths. Read up and choose one.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
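
An added example, not part of the original message: a small sh/awk filter that reads FreeBSD `ls -lo` listings and reports regular files that do not carry the schg flag, which helps spot files or directories missed by a set of chflags commands like those quoted above. The function names and the sample listing are constructed for illustration, and the filter assumes the FreeBSD long-listing layout in which the file flags are field 5.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Reads `ls -lo` output on stdin and prints every regular file whose
# flags column does not include "schg".
# Assumed layout: mode links owner group FLAGS size month day time name
missing_schg() {
    awk '
        NF < 10    { next }   # "total N", blank lines, "dir:" headers
        $1 !~ /^-/ { next }   # regular files only; skip dirs and symlinks
        {
            # Flags are comma-separated; "-" means no flags are set.
            n = split($5, flags, ",")
            found = 0
            for (i = 1; i <= n; i++)
                if (flags[i] == "schg") found = 1
            if (!found) {
                # Rejoin the name in case it contains spaces.
                name = $10
                for (i = 11; i <= NF; i++) name = name " " $i
                print name
            }
        }
    '
}

# Constructed sample listing (not real system output).
sample_listing() {
    cat <<'EOF'
total 1234
-r-xr-xr-x  1 root  wheel  schg       24576 Feb 29 11:00 /bin/cat
-r-xr-xr-x  1 root  wheel  -          28672 Feb 29 11:00 /bin/chmod
-r-sr-xr-x  1 root  wheel  schg,uchg  32768 Feb 29 11:00 /usr/bin/passwd
-r-xr-xr-x  1 root  wheel  uchg       16384 Feb 29 11:00 /usr/local/sbin/exampled
lrwxr-xr-x  1 root  wheel  -              6 Feb 29 11:00 /usr/bin/example -> target
EOF
}

# Demonstration on the constructed sample.
sample_listing | missing_schg

# On a live FreeBSD host the same filter can be fed real listings, and
# the current securelevel checked alongside it:
#   ls -lo /bin/* /sbin/* /usr/bin/* /usr/sbin/* | missing_schg
#   sysctl -n kern.securelevel
```

On the sample this lists `/bin/chmod` and `/usr/local/sbin/exampled`: one has no flags and the other has only the user-level uchg flag.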