From owner-freebsd-isp Fri Sep 15 1:41:45 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id A0EAE37B43C for ; Fri, 15 Sep 2000 01:41:40 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13Zr3s-0009rd-00; Fri, 15 Sep 2000 10:41:32 +0200
Date: Fri, 15 Sep 2000 10:41:32 +0200
From: Neil Blakey-Milner
To: Mike
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: one more for ya..
Message-ID: <20000915104132.B37827@mithrandr.moria.org>
References: <4.3.2.7.2.20000914211042.0f6f5718@mail.mikesweb.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <4.3.2.7.2.20000914211042.0f6f5718@mail.mikesweb.com>; from mike@mikesweb.com on Thu, Sep 14, 2000 at 09:12:39PM -0400
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu 2000-09-14 (21:12), Mike wrote:
> one more "stupid" question for ya.. hehe.. which of these NEED to be suid
> to run right?
> And do I NEED the uucp stuff?

Probably not.

> -r-sr-xr-x  1 uucp  wheel    87984 Jul 30 00:46 /usr/bin/uucp
> -r-sr-xr-x  1 uucp  wheel    37100 Jul 30 00:46 /usr/bin/uuname
> -r-sr-sr-x  1 uucp  dialer   96540 Jul 30 00:46 /usr/bin/uustat
> -r-sr-xr-x  1 uucp  wheel    88600 Jul 30 00:46 /usr/bin/uux

No particular reason to worry about the above, just chmod 0 them for paranoia.

> -r-sr-xr-x  1 man   wheel    28304 Jul 30 00:47 /usr/bin/man

Could use sgid man and gid-man owned-and-writeable catx directories.

> -r-sr-xr-x  6 root  wheel    31972 Jul 30 00:49 /usr/bin/chpass
> -r-sr-xr-x  6 root  wheel    31972 Jul 30 00:49 /usr/bin/chfn
> -r-sr-xr-x  6 root  wheel    31972 Jul 30 00:49 /usr/bin/chsh
> -r-sr-xr-x  6 root  wheel    31972 Jul 30 00:49 /usr/bin/ypchpass
> -r-sr-xr-x  6 root  wheel    31972 Jul 30 00:49 /usr/bin/ypchfn
> -r-sr-xr-x  6 root  wheel    31972 Jul 30 00:49 /usr/bin/ypchsh

These are required if you want users to be able to change their account
information (shell, &c.).

> -r-sr-x---  1 root  wheel      510 Jul 30 00:49 /usr/bin/keyinfo
> -r-sr-x---  1 root  wheel     7232 Jul 30 00:49 /usr/bin/keyinit

This is for opie.

> -r-sr-x---  1 root  wheel     6792 Jul 30 00:49 /usr/bin/lock

Only needed for reading the root and/or user password to unlock a terminal -
user if using lock -p. (What sane person types in the root password to unlock
a terminal when another user ran the command?)

> -r-sr-xr-x  1 root  wheel    19556 Jul 30 00:49 /usr/bin/login

Not incredibly sure about this requirement.

> -r-sr-xr-x  2 root  wheel    26260 Jul 30 00:49 /usr/bin/passwd
> -r-sr-xr-x  2 root  wheel    26260 Jul 30 00:49 /usr/bin/yppasswd

Change passwords for users. Occasionally useful. ;)

> -r-sr-x---  1 root  wheel    10232 Jul 30 00:49 /usr/bin/quota

View quotas. Either set permissions like that, or just remove the suid.

> -r-sr-xr-x  1 root  wheel     9976 Jul 30 00:49 /usr/bin/rlogin
> -r-sr-xr-x  1 root  wheel     7372 Jul 30 00:49 /usr/bin/rsh

Nuke.

> -r-sr-x---  1 root  wheel     7960 Jul 30 00:49 /usr/bin/su

I tend to use the same permissions you've set here.

> -r-sr-xr-x  1 root  wheel    23912 Jul 30 00:49 /usr/bin/crontab

If you want your users to be able to schedule cron jobs, it's needed. I don't
usually, so I tend to remove it.

> -r-sr-xr-x  2 root  wheel   146972 Jul 30 00:50 /usr/bin/ssh
> -r-sr-xr-x  2 root  wheel   146972 Jul 30 00:50 /usr/bin/slogin

Suid not needed except for certain cases, which you'd know about if you needed
it.

> -r-sr-xr-x  1 root  wheel   316348 Jul 30 00:50 /usr/libexec/sendmail/sendmail

I don't use sendmail. chmod 0 it if you don't either.

> -r-sr-sr-x  1 uucp  dialer  220460 Jul 30 00:46 /usr/libexec/uucp/uucico
> -r-sr-s---  1 uucp  uucp     99340 Jul 30 00:46 /usr/libexec/uucp/uuxqt

Useless if you don't use uucp. Nuke it.

> -r-sr-xr-x  1 root  wheel    16156 Jul 30 00:48 /usr/libexec/mail.local

Needed for mail delivery in certain esoteric cases. I don't use sendmail, so
it's not a concern.

> -rws--x--x  1 root  wheel   143836 Jul 21 22:56 /usr/local/bin/ssh1

You already have ssh in base - should be able to nuke this.

> -rwsr-xr-x  1 root  wheel     6016 Jul 24 00:18 /usr/local/bin/chm

Not sure where this comes from. If you don't either, probably a good idea to
remove the suid.

You're missing 'at'/'atq'/'batch'. Only necessary if you let users have at
jobs. System default is to deny at jobs to users anyway, so I tend to remove
suid from them.

Neil

-- 
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org
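The review above is worth repeating after every upgrade, since installs and ports can put suid bits back. As an added example (not from the thread or from FreeBSD), the POSIX sh script below lists setuid/setgid files under a root, reports the ones not on an allowlist, and can apply the "chmod 0" the reply recommends to the rest; the allowlist is a hypothetical starting point, and the demo tree it audits is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example: audit setuid/setgid files against an allowlist and report
# the ones not on it. ALLOWLIST is a hypothetical starting point taken from
# binaries the reply says are still needed; adjust it to local policy.
set -u

ALLOWLIST='/usr/bin/passwd
/usr/bin/su
/usr/bin/login
/usr/bin/chpass'

# list_setuid ROOT: every regular file under ROOT with the setuid or setgid bit.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# unexpected_setuid ROOT: setuid/setgid files under ROOT whose path relative to
# ROOT is not an exact line of ALLOWLIST. ROOT may be / or a staged tree.
unexpected_setuid() {
    root=${1%/}
    list_setuid "$1" | while IFS= read -r f; do
        rel=${f#"$root"}
        printf '%s\n' "$ALLOWLIST" | grep -Fxq -- "$rel" || printf '%s\n' "$rel"
    done
}

# revoke_setuid ROOT: apply the reply's "chmod 0" to every unexpected file.
revoke_setuid() {
    root=${1%/}
    unexpected_setuid "$1" | while IFS= read -r rel; do
        chmod 0 "$root$rel"
    done
}

# make_demo_tree DIR: constructed sample tree of empty files standing in for
# binaries from the listing above; only the chmod 4555 ones are setuid.
make_demo_tree() {
    mkdir -p "$1/usr/bin" "$1/usr/libexec/uucp"
    for b in usr/bin/passwd usr/bin/su usr/bin/rlogin usr/bin/uucp \
             usr/libexec/uucp/uucico usr/bin/man; do
        : > "$1/$b"
        chmod 4555 "$1/$b"
    done
    chmod 555 "$1/usr/bin/man"   # not setuid here, so it must not be reported
}

demo=$(mktemp -d)
make_demo_tree "$demo"
unexpected_setuid "$demo"
```

Run as root against / to audit the live system; revoke_setuid is deliberately separate so the report can be checked before any mode is changed.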