From: Landon Stewart
Date: Tue, 02 Oct 2001 08:24:38 -0700
To: "default"
Subject: Re: file permission question
Message-Id: <5.1.0.14.0.20011002081912.03753c00@pop.uniserve.com>
Sender: owner-freebsd-security@FreeBSD.ORG

At 11:13 PM 10/1/2001 -0500, default wrote:
>Hi,
>
>I am allowing a couple of ppl to have a shell account on one of my machines,
>and I am making a few changes to disallow them from using certain things...

Firstly, don't just chmod them, chown them with an alternate group like (staff) and then chmod them to 750 or something.  Some utilities require the suid bit so make sure you check if the binary is suid before you chmod it and then include the suid bit if necessary (WARNING: failure to do this could lock you out of your own system).

>like chmoding the 'ps' command to 550 etc...

Rather than getting rid of the 'ps' command, let them see their own processes only by putting 'kern.ps_showallprocs=0' in your /etc/sysctl.conf file

If you don't want to reboot for it to take effect just run "sysctl kern.ps_showallprocs=0"

>I wanted to ask, is there any reason why one wouldn't want to chmod to 640
>the passwd file and other similar files? ...

Many utilities that do not run as root or wheel require passwd file information (but not master.passwd file, which is where the important stuff is).  For instance, apache requires it to figure out where home directories are when someone uses the http://www.domain.com/~username

---
Landon Stewart
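
An added example, not part of the original message, of the chown-then-chmod advice in the reply above: a POSIX sh function that records a binary's setuid/setgid bits before changing its group, then applies 750 with those bits kept. The function name `restrict_binary` is hypothetical, and the group argument is whatever alternate group you choose (the message suggests staff).

```shell
#!/bin/sh
# restrict_binary FILE GROUP   (hypothetical helper, added example)
# Limit FILE to its owner and members of GROUP (mode 750) while keeping any
# setuid/setgid bit it already had. Prints the mode that was applied.
restrict_binary() {
    file=$1
    group=$2
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }

    # Record the special bits first. Changing owner or group can clear them
    # on some systems, so they cannot be read back reliably afterwards.
    special=0
    [ -u "$file" ] && special=$((special + 4))   # setuid bit present
    [ -g "$file" ] && special=$((special + 2))   # setgid bit present

    # Hand the file to the alternate group, then restrict it to owner+group,
    # putting back whatever special bits were recorded above.
    chgrp "$group" "$file" || return 1
    mode="${special}750"
    chmod "$mode" "$file" || return 1
    echo "$mode"
}

# Usage (as root): restrict_binary /path/to/tool staff
```
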