From: Robert Watson <rwatson@FreeBSD.org>
Date: Mon, 3 Dec 2007 21:27:59 +0000 (GMT)
To: Anjang Aki
Cc: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 6.3-PRERELEASE unable to change file permission
Message-ID: <20071203212408.S30376@fledge.watson.org>

On Mon, 3 Dec 2007, Anjang Aki wrote:

> hi!.. I'm not able to change file permission to disable rlogin and login on
> my box even as root
>
> # ls -lo /usr/bin/login /usr/bin/rlogin
> -r-sr-xr-x  1 root  wheel  schg 19996 Dec  1 13:04 /usr/bin/login
> -r-sr-xr-x  1 root  wheel  schg 10140 Dec  1 13:04 /usr/bin/rlogin
>
> # chflags -R nouchg login rlogin
> chflags: /usr/bin/login: Operation not permitted
> chflags: /usr/bin/rlogin: Operation not permitted
>
> # chmod a=rx /usr/bin/login /usr/bin/rlogin
> chmod: /usr/bin/login: Operation not permitted
> chmod: /usr/bin/rlogin: Operation not permitted
>
> It makes me uneasy as my users can still use login and rlogin to gain
> access to the box

Others have already addressed the chflags issue, but there's a larger concern
here.

First off, 'rlogin' is the client, not the server, for the rlogin protocol, so
chmodding the file limits the ability to rlogin *from* your system, not rlogin
*to* your system. The ability to login via rlogin is controlled via
inetd.conf, which enables or disables the rlogind daemon. By default we
neither run inetd nor rlogind, and even if you enable inetd, you still need to
also enable rlogind explicitly. Probably for the reasons you have in mind.

Second, I'm not sure what you're trying to do by disabling 'login', but keep
in mind that 'login' is used on the console to allow login to the system on
the console, so you may lock yourself out of the console if you disable it.
On the other hand, 'login' is *not* used for sshd, so if your goal is to deny
network access, it won't have that effect.

In general, what you want to do to prevent login over the network is not
enable network services that allow remote login -- sshd, telnetd, rlogind,
ftpd, etc. By default, we disable all those services. You can look in a
combination of /etc/rc.conf and /etc/inetd.conf to see what is enabled.

Robert N M Watson
Computer Laboratory
University of Cambridge

> my system:
> # uname -a
> FreeBSD k3.college.edu 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1: Sun
> Dec  2 18:51:02 MYT 2007  root@college.edu:/usr/obj/usr/src/sys/EDU  i386
>
> thanks for advice
>
> --
> -- Anjang Aki --
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
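The check Robert describes (look in /etc/rc.conf and /etc/inetd.conf to see which remote-login services are actually enabled, and remember that inetd.conf entries only matter when inetd itself is on) as an added example script; it is not part of this thread or of FreeBSD. The rc.conf and inetd.conf fragments are constructed samples, the function names are hypothetical, and the set of daemons treated as "remote login" (sshd, telnetd, rlogind, rshd, ftpd) is an assumption extending Robert's "etc.":

```shell
#!/bin/sh
# Audit which remote-login daemons a FreeBSD host enables, reading the two
# places named in the thread: rc.conf (standalone daemons) and inetd.conf
# (daemons that only run if inetd itself is enabled in rc.conf).

# Constructed sample configs so this runs offline; on a real host pass
# /etc/rc.conf and /etc/inetd.conf to remote_login_daemons instead.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_RC="$SAMPLE_DIR/rc.conf"
SAMPLE_INETD="$SAMPLE_DIR/inetd.conf"
cat > "$SAMPLE_RC" <<'EOF'
hostname="k3.example"
sshd_enable="YES"
inetd_enable="YES"
ftpd_enable="NO"
# telnetd_enable="YES"
EOF
cat > "$SAMPLE_INETD" <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
EOF

# rc_enabled RCFILE NAME: true if an uncommented NAME_enable line says YES.
rc_enabled() {
  grep -Eiq "^[[:space:]]*${2}_enable=[\"']?yes[\"']?" "$1"
}

# rc_enabled_daemons RCFILE: print every NAME whose NAME_enable is YES.
rc_enabled_daemons() {
  sed -nE "s/^[[:space:]]*([A-Za-z0-9_]+)_enable=[\"']?[Yy][Ee][Ss][\"']?.*/\1/p" "$1"
}

# inetd_enabled_daemons INETDCONF: print the server program (basename of
# field 6) of every uncommented entry; the 'login' entry maps to rlogind.
inetd_enabled_daemons() {
  awk '!/^[ \t]*#/ && NF >= 6 { n = split($6, p, "/"); print p[n] }' "$1"
}

# remote_login_daemons RCFILE INETDCONF: sorted, space-separated daemons that
# accept network logins. inetd.conf entries count only when inetd is enabled.
remote_login_daemons() {
  {
    rc_enabled_daemons "$1"
    rc_enabled "$1" inetd && inetd_enabled_daemons "$2"
  } | grep -Ex 'sshd|telnetd|rlogind|rshd|ftpd' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

echo "Enabled remote-login daemons: $(remote_login_daemons "$SAMPLE_RC" "$SAMPLE_INETD")"
```

With the sample files this reports rlogind (via the active inetd.conf entry) and sshd, while the commented-out ftp/telnet entries and ftpd_enable="NO" are ignored.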