Date: Sat, 14 Dec 1996 12:18:21 -0800 (PST) From: Steve Reid <steve@edmweb.com> To: Christian Hochhold <vlad@dusk.net> Cc: freebsd-security@freebsd.org Subject: Re: questions... Message-ID: <Pine.BSF.3.91.961214120135.193A-100000@bitbucket.edmweb.com> In-Reply-To: <199612141931.PAA05834@eternal.dusk.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> The /sbin directory's ( as an example ) files seem to > be executable by anyone on the system. > I have changed a few of the files ( ie. dmesg ) > to be executable by root as well as > the bin group only. Only worry about files that are suid or sgid. Other binaries can't do anything that the user can't do. Removing the execute bit from non-suid/sgid binaries won't add any to security- a malicious user can create any non-suid/sgid file him/her self. Even if you remove gcc, the user could still FTP the files from ftp.cdrom.com. Removing FTP won't help either- clever use of redirection can allow a user to transfer whatever files they want over their own tty. Definately _do_ go through the list of suid/sgid files (use find) and remove the s bit from anything that users shouldn't need. Be wary of world-writable files, directories, and devices. It's also a good idea to disable anything in /etc/inetd.conf that you don't need. Principle of least privileges.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.961214120135.193A-100000>