Date:      Fri, 15 Sep 2000 10:41:32 +0200
From:      Neil Blakey-Milner <nbm@mithrandr.moria.org>
To:        Mike <mike@mikesweb.com>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: one more for ya..
Message-ID:  <20000915104132.B37827@mithrandr.moria.org>
In-Reply-To: <4.3.2.7.2.20000914211042.0f6f5718@mail.mikesweb.com>; from mike@mikesweb.com on Thu, Sep 14, 2000 at 09:12:39PM -0400
References:  <4.3.2.7.2.20000914211042.0f6f5718@mail.mikesweb.com>

On Thu 2000-09-14 (21:12), Mike wrote:
> one more "stupid" question for ya.. hehe.. which of these NEED to be suid 
> to run right?
> And do I NEED the uucp stuff?

Probably not.

> -r-sr-xr-x    1 uucp   wheel     87984 Jul 30 00:46 /usr/bin/uucp
> -r-sr-xr-x    1 uucp   wheel     37100 Jul 30 00:46 /usr/bin/uuname
> -r-sr-sr-x    1 uucp   dialer    96540 Jul 30 00:46 /usr/bin/uustat
> -r-sr-xr-x    1 uucp   wheel     88600 Jul 30 00:46 /usr/bin/uux

No particular reason to worry about the above, just chmod 0 them for
paranoia.

> -r-sr-xr-x    1 man    wheel     28304 Jul 30 00:47 /usr/bin/man

Could use sgid man and gid-man owned-and-writeable catx directories.

> -r-sr-xr-x    6 root   wheel     31972 Jul 30 00:49 /usr/bin/chpass
> -r-sr-xr-x    6 root   wheel     31972 Jul 30 00:49 /usr/bin/chfn
> -r-sr-xr-x    6 root   wheel     31972 Jul 30 00:49 /usr/bin/chsh
> -r-sr-xr-x    6 root   wheel     31972 Jul 30 00:49 /usr/bin/ypchpass
> -r-sr-xr-x    6 root   wheel     31972 Jul 30 00:49 /usr/bin/ypchfn
> -r-sr-xr-x    6 root   wheel     31972 Jul 30 00:49 /usr/bin/ypchsh

These are required if you want users to be able to change their account
information (shell, &c.).

> -r-sr-x---    1 root   wheel       510 Jul 30 00:49 /usr/bin/keyinfo
> -r-sr-x---    1 root   wheel      7232 Jul 30 00:49 /usr/bin/keyinit

This is for opie.

> -r-sr-x---    1 root   wheel      6792 Jul 30 00:49 /usr/bin/lock

Only needed for reading the root and/or user password to unlock a
terminal - user if using lock -p.  (What sane person types in the root
password to unlock a terminal when another user ran the command?)

> -r-sr-xr-x    1 root   wheel     19556 Jul 30 00:49 /usr/bin/login

Not incredibly sure about this requirement.

> -r-sr-xr-x    2 root   wheel     26260 Jul 30 00:49 /usr/bin/passwd
> -r-sr-xr-x    2 root   wheel     26260 Jul 30 00:49 /usr/bin/yppasswd

Change passwords for users.  Occasionally useful. ;)

> -r-sr-x---    1 root   wheel     10232 Jul 30 00:49 /usr/bin/quota

View quotas.  Either set permissions like that, or just remove the suid.

> -r-sr-xr-x    1 root   wheel      9976 Jul 30 00:49 /usr/bin/rlogin
> -r-sr-xr-x    1 root   wheel      7372 Jul 30 00:49 /usr/bin/rsh

Nuke.

> -r-sr-x---    1 root   wheel      7960 Jul 30 00:49 /usr/bin/su

I tend to use the same permissions you've set here.

> -r-sr-xr-x    1 root   wheel     23912 Jul 30 00:49 /usr/bin/crontab

If you want your users to be able to schedule cron jobs, it's needed.  I
don't usually, so I tend to remove it.

> -r-sr-xr-x    2 root   wheel    146972 Jul 30 00:50 /usr/bin/ssh
> -r-sr-xr-x    2 root   wheel    146972 Jul 30 00:50 /usr/bin/slogin

Suid not needed except for certain cases, which you'd know about if you
needed it.

> -r-sr-xr-x    1 root   wheel    316348 Jul 30 00:50 /usr/libexec/sendmail/sendmail

I don't use sendmail.  chmod 0 it if you don't either.

> -r-sr-sr-x    1 uucp   dialer   220460 Jul 30 00:46 /usr/libexec/uucp/uucico
> -r-sr-s---    1 uucp   uucp      99340 Jul 30 00:46 /usr/libexec/uucp/uuxqt

Useless if you don't use uucp.  Nuke it.

> -r-sr-xr-x    1 root   wheel     16156 Jul 30 00:48 /usr/libexec/mail.local

Needed for mail delivery in certain esoteric cases.  I don't use
sendmail, so it's not a concern.

> -rws--x--x    1 root   wheel    143836 Jul 21 22:56 /usr/local/bin/ssh1

You already have ssh in base - should be able to nuke this.

> -rwsr-xr-x    1 root   wheel      6016 Jul 24 00:18 /usr/local/bin/chm

Not sure where this comes from.  If you don't either, probably a good
idea to remove the suid.

You're missing 'at'/'atq'/'batch'.  Only necessary if you let users have
at jobs.  System default is to deny at jobs to users anyway, so I tend
to remove suid from them.

Neil
-- 
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org
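An audit script in the spirit of the advice above, added here as an example and not part of the original message: it reads `ls -l` lines (a constructed sample patterned on the listing Mike posted), flags every setuid/setgid entry not on an allowlist of binaries the host is known to need (the allowlist is an assumption), and prints the `chmod` change as a dry run rather than applying it.

```shell
#!/bin/sh
# Added example, not from the original thread: audit setuid/setgid binaries
# against an allowlist and print (not apply) the remediation the thread suggests.

# Allowlist (assumption): binaries this host is known to need setuid, following
# the thread's reasoning (login, password/shell changes, su).
ALLOWED='/usr/bin/login /usr/bin/passwd /usr/bin/chpass /usr/bin/chsh /usr/bin/su'

# Constructed sample in `ls -l` format, patterned on the listing quoted above.
SAMPLE_LISTING='-r-sr-xr-x    1 uucp   wheel     87984 Jul 30 00:46 /usr/bin/uucp
-r-sr-xr-x    1 root   wheel     19556 Jul 30 00:49 /usr/bin/login
-r-sr-xr-x    2 root   wheel     26260 Jul 30 00:49 /usr/bin/passwd
-r-sr-x---    1 root   wheel      7960 Jul 30 00:49 /usr/bin/su
-r-sr-xr-x    1 root   wheel      9976 Jul 30 00:49 /usr/bin/rlogin
-r-xr-xr-x    1 root   wheel     12345 Jul 30 00:49 /usr/bin/uptime
-rwsr-xr-x    1 root   wheel      6016 Jul 24 00:18 /usr/local/bin/chm'

# flag_unexpected ALLOWLIST: read `ls -l` lines on stdin and print
# "MODE OWNER PATH" for every entry with the setuid bit (4th mode char) or
# setgid bit (7th mode char) set whose path is not in ALLOWLIST.
flag_unexpected() {
    allow=" $1 "
    while read -r mode links owner group size mon day time path; do
        case "$mode" in
            ???[sS]*|??????[sS]*) ;;      # suid or sgid set (S: set, no exec bit)
            *) continue ;;                # ordinary file, not interesting
        esac
        case "$allow" in
            *" $path "*) continue ;;      # on the allowlist, keep as is
        esac
        printf '%s %s %s\n' "$mode" "$owner" "$path"
    done
}

# suggest_fixes ALLOWLIST: dry run of the thread's advice. Dropping the s bits
# keeps the program usable; "chmod 0 PATH" (also suggested in the thread) is the
# stronger option for things like uucp or rlogin that the host never uses.
suggest_fixes() {
    flag_unexpected "$1" | while read -r mode owner path; do
        printf 'chmod u-s,g-s %s\n' "$path"
    done
}

# On a live host (not run here): every suid/sgid file, through the same filter.
audit_live() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + 2>/dev/null |
        flag_unexpected "$ALLOWED"
}
printf '%s\n' "$SAMPLE_LISTING" | suggest_fixes "$ALLOWED"
```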

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000915104132.B37827>