Date:      Tue, 02 Oct 2001 08:24:38 -0700
From:      Landon Stewart <landons@uniserve.com>
To:        "default" <default013subscriptions@hotmail.com>, <freebsd-security@freebsd.org>, <freebsd-questions@freebsd.org>
Subject:   Re: file permission question
Message-ID:  <5.1.0.14.0.20011002081912.03753c00@pop.uniserve.com>
In-Reply-To: <OE726OJi57n6Hj1yNrU00004304@hotmail.com>


At 11:13 PM 10/1/2001 -0500, default wrote:
>Hi,
>
>I am allowing a couple of ppl to have a shell account on one of my machines,
>and I am making a few changes to disallow them from using certain things...

Firstly, don't just chmod them, chown them with an alternate group like 
(staff) and then chmod them to 750 or something.  Some utilities require 
the suid bit so make sure you check if the binary is suid before you chmod 
it and then include the suid bit if necessary (WARNING: failure to do this 
could lock you out of your own system).

>like chmoding the 'ps' command to 550 etc...

Rather than getting rid of the 'ps' command, let them see their own 
processes only by putting 'kern.ps_showallprocs=0' in your /etc/sysctl.conf 
file.

If you don't want to reboot for it to take effect just run "sysctl 
kern.ps_showallprocs=0"

>I wanted to ask, is there any reason why one wouldn't want to chmod to 640
>the passwd file and other similar files? ...

Many utilities that do not run as root or wheel require passwd file 
information (but not master.passwd file, which is where the important stuff 
is).  For instance, apache requires it to figure out where home directories 
are when someone uses http://www.domain.com/~username.


---
Landon Stewart
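The procedure described in the reply above (check for a setuid/setgid bit, chgrp to an alternate group, chmod to 750 while keeping the special bit, and confirm that /etc/passwd stays world-readable while master.passwd does not) as a POSIX sh script. This is an added example, not code from the original poster or the FreeBSD project. It assumes a group named "staff" exists (override with RESTRICT_GROUP; set it empty to skip the chgrp step, e.g. when not running as root) and reads mode bits from the symbolic string printed by ls -ld, which works on both FreeBSD and GNU systems.

```shell
#!/bin/sh
# Added example (not from the original message): lock binaries down to
# root plus an alternate group without dropping setuid/setgid bits.
# RESTRICT_GROUP="" skips the chgrp step (assumption: "staff" exists).
RESTRICT_GROUP="${RESTRICT_GROUP-staff}"

# Symbolic mode string of a file, e.g. "-rwsr-xr-x" (first 10 columns of ls -ld).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# High (special) mode digit: 4 = setuid, 2 = setgid, 6 = both, 0 = neither.
# Column 4 is owner-execute ('s'/'S' means setuid), column 7 is group-execute
# ('s'/'S' means setgid).
special_bits() {
    m=$(mode_string "$1")
    hi=0
    case "$m" in ???[sS]*)    hi=$((hi + 4)) ;; esac
    case "$m" in ??????[sS]*) hi=$((hi + 2)) ;; esac
    echo "$hi"
}

# Mode to apply: the existing special digit on top of 750 (rwxr-x---).
# Always four digits so chmod sees the special bit explicitly.
restricted_mode() {
    printf '%d750\n' "$(special_bits "$1")"
}

# Restrict one binary: chgrp to the alternate group (needs root), then chmod
# with the computed mode. Prints the mode that was applied.
restrict_binary() {
    f=$1
    mode=$(restricted_mode "$f")
    if [ -n "$RESTRICT_GROUP" ]; then
        chgrp "$RESTRICT_GROUP" "$f"
    fi
    chmod "$mode" "$f"
    echo "$mode"
}

# True (exit 0) when "others" can read the file (column 8 is 'r').
# /etc/passwd must stay world-readable; /etc/master.passwd must not.
world_readable() {
    case "$(mode_string "$1")" in ???????r*) return 0 ;; esac
    return 1
}

# Sanity check for the passwd files: passwd readable by all, master.passwd not.
# Paths are parameters so the check can be run against copies.
check_passwd_modes() {
    passwd_file=${1:-/etc/passwd}
    master_file=${2:-/etc/master.passwd}
    world_readable "$passwd_file" || { echo "BAD: $passwd_file not world-readable"; return 1; }
    if world_readable "$master_file"; then
        echo "BAD: $master_file is world-readable"; return 1
    fi
    echo "OK"
}

# Usage (as root):  RESTRICT_GROUP=staff ./restrict.sh /bin/ps /usr/bin/top
# then: check_passwd_modes
if [ "$#" -gt 0 ]; then
    for bin in "$@"; do
        echo "$bin: $(restrict_binary "$bin")"
    done
fi
```

Run it as root once you are sure the group exists and your own account is in it; a binary that depends on setuid (su, passwd, ping) keeps its 4 in the first digit, so a 4755 binary becomes 4750 rather than 0750. For the process-visibility half of the advice no script is needed: add kern.ps_showallprocs=0 to /etc/sysctl.conf and run sysctl kern.ps_showallprocs=0 to apply it now.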



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.0.20011002081912.03753c00>