Date: Thu, 26 Jun 1997 18:33:50 -0700
From: Steve <steve@edmweb.com>
To: Frank McCormick <gfm@readybox.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Minimum files for operation
Message-ID: <199706270133.SAA25974@kirk.edmweb.com>
In-Reply-To: Your message of "Thu, 26 Jun 1997 17:29:46 PDT." <199706270029.RAA12178@angel.readybox.com>

> The security-related literature I've been through emphasizes the need
> to secure the hosts themselves, partly through removing any unneeded
> files. (If you're running a mail hub, you probably don't need a C
> compiler. If you are providing only Web service with static pages,
> you should remove the perl interpreter. And so on.)

I wouldn't worry about such things. If someone has broken into your system, they can upload the C compiler, Perl interpreter, and whatever else they need. Clever use of redirection is all it takes.

What you _should_ worry about are the privileged programs that are set-UID or set-GID. FreeBSD (2.1-stable at least, probably most or all other versions) has a "security" script that runs every night and places a list of all suid programs and devices in /var/log/setuid.today. It would be a good idea to look at that list and then use chmod to remove the suid bit from programs that you don't need. You may also need to use chflags to remove the schg (immutable) flag before chmod.

There was a post to this list briefly explaining the functions of most of the suid programs... Check the archives for a message from Marc Slemko, subject "setuid programs in freebsd".
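Added example, not part of the original message: one way to script the review described above, removing the set-UID/set-GID bits from every program that is not on an operator-maintained list of needed ones. The function names and the allowlist file (one absolute path per line) are assumptions, and the script scans with find rather than parsing /var/log/setuid.today, whose format the message does not show.

```shell
#!/bin/sh
# Added example: strip suid/sgid bits from programs that are not allowlisted.
# Paths containing newlines are not supported.

# Print every regular file under DIR that has the set-UID or set-GID bit.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# strip_unneeded DIR ALLOWLIST
# ALLOWLIST is a file with one absolute path per line (hypothetical format).
# Prints "stripped <path>" for each file it changes.
strip_unneeded() {
    dir=$1
    allow=$2
    list_suid "$dir" | while IFS= read -r f; do
        # Exact, literal match: a needed program keeps its bits.
        if grep -Fxq -- "$f" "$allow"; then
            continue
        fi
        # On FreeBSD the file may carry the schg (immutable) flag; clear it
        # first, otherwise chmod is refused. Skipped where chflags is absent.
        if command -v chflags >/dev/null 2>&1; then
            chflags noschg "$f" 2>/dev/null || true
        fi
        chmod ug-s "$f" && printf 'stripped %s\n' "$f"
    done
}

# Stand-alone use: sh script.sh /usr/bin /root/suid.allow
if [ "$#" -eq 2 ]; then
    strip_unneeded "$1" "$2"
fi
```

Run list_suid on its own first and build the allowlist from its output before letting strip_unneeded change anything.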