Date:      Thu, 26 Jun 1997 22:49:16 -0400 (EDT)
From:      Adam Shostack <adam@homeport.org>
To:        steve@edmweb.com (Steve)
Cc:        gfm@readybox.com, freebsd-security@FreeBSD.ORG
Subject:   Re: Minimum files for operation
Message-ID:  <199706270249.WAA12067@homeport.org>
In-Reply-To: <199706270133.SAA25974@kirk.edmweb.com> from Steve at "Jun 26, 97 06:33:50 pm"


Steve wrote:
| > The security-related literature I've been through emphasizes the need
| > to secure the hosts themselves, partly through removing any unneeded
| > files.  (If you're running a mail hub, you probably don't need a C
| > compiler.  If you are providing only Web service with static pages,
| > you should remove the perl interpreter.  And so on.)
| 
| I wouldn't worry about such things. If someone has broken in to your
| system, they can upload the C compiler, Perl interpreter, and whatever
| else they need. Clever use of redirection is all it takes.

Uploading a C compiler or perl involves a lot of disk space and
effort.   Removing servers, daemons, and other things is clearly
worthwhile.  I think there's a win in removing uname and other things,
and making your attacker go through some effort.  (assuming that you
go through less.)

Steve's other advice about removing set*id stuff is very good.  It's
also worth mounting most disks nosetuid/nodev.

Adam

| What you _should_ worry about are the privileged programs that are
| set-UID or set-GID. FreeBSD (2.1-stable at least, probably most or all
| other versions) has a "security" script that runs every night and
| places a list of all suid programs and devices in /var/log/setuid.today.
| It would be a good idea to look at that list and then use chmod to
| remove the suid bit from programs that you don't need. You may also
| need to use chflags to remove the schg (immutable) flag before chmod.


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
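
The two checks discussed in this message (reviewing set-id files and mounting filesystems nosetuid/nodev) can be scripted. The following is an added example, not part of the original e-mail or of FreeBSD's nightly security script; the function names, the allowlist file format, and the sample mount lines are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: read-only audit helpers; nothing here changes the system.
# Function names are hypothetical.

# Print every regular file under ROOT ($1) with the setuid or setgid bit set.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Print set-id files under ROOT ($1) that are not named in ALLOWLIST ($2),
# a file holding one approved absolute path per line (assumed format).
unexpected_setid() {
    allow_sorted=$(mktemp) || return 1
    LC_ALL=C sort -u "$2" > "$allow_sorted"
    # comm -23 keeps lines that appear only in the first (found) list.
    list_setid "$1" | LC_ALL=C comm -23 - "$allow_sorted"
    rm -f "$allow_sorted"
}

# Read "dev on /mountpoint (opt, opt, ...)" lines on stdin and print each
# mount point whose option list lacks OPT ($1). Mount points containing
# spaces are not handled.
mounts_missing_opt() {
    awk -v opt="$1" '{
        opts = $0
        sub(/^.*\(/, "", opts); sub(/\).*$/, "", opts)   # text inside (...)
        n = split(opts, o, /, */); found = 0
        for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        if (!found) print $3
    }'
}

# Constructed sample mount lines (not taken from a real host).
mounts_missing_opt nosuid <<'EOF'
/dev/sd0a on / (local)
/dev/sd0f on /home (local, nodev, nosuid)
EOF
```

On a live host the same functions would be used as `mount | mounts_missing_opt nosuid` and `unexpected_setid / allowlist.txt`, with the result compared against /var/log/setuid.today.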