From owner-freebsd-questions Sat Jan 6 05:32:44 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id FAA21347 for questions-outgoing; Sat, 6 Jan 1996 05:32:44 -0800 (PST)
Received: from strider.ibenet.it (root@Strider.Free.IT [194.179.131.1]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id FAA21340 Sat, 6 Jan 1996 05:32:38 -0800 (PST)
Received: (from piero@localhost) by strider.ibenet.it (8.7.3/8.6.12) id OAA21275; Sat, 6 Jan 1996 14:30:07 +0100 (MET)
From: Piero Serini
Message-Id: <199601061330.OAA21275@strider.ibenet.it>
Subject: Re: Answer to /bin/ls and ftp (should be documented)
To: jgreco@brasil.moneng.mei.com (Joe Greco)
Date: Sat, 6 Jan 1996 14:30:05 +0100 (MET)
Cc: mbarkah@hemi.com, hackers@FreeBSD.ORG, questions@FreeBSD.ORG
In-Reply-To: <199601011606.KAA10803@brasil.moneng.mei.com> from "Joe Greco" at Jan 1, 96 10:06:58 am
Reply-To: piero@strider.ibenet.it
Operating-System: FreeBSD 1.1.5.1
X-Phone-Number: +39 (2) 58113562
X-NCC-RegID: it.ibenet
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-questions@FreeBSD.ORG
Precedence: bulk

Hello.

Quoting from Joe Greco (Mon Jan 1 17:06:58 1996):
> 3. Copy the new pwd.db and group files into ~ftp/etc, and make them both
> mode 0440. Change owner to "root.daemon".
> 4. Copy /bin/ls into ~ftp/bin. Change owner to "root.daemon", and change
> the mode to 2111...
>
> Now nobody can access your pwd.db or group files, but ls can, because it is
> a member of the appropriate group...
>
> I know this may seem overly paranoid to people, but you never know what
> tricks someone might use to gain access to your system, and the lower your
> profile, the safer you may be...

I simply edit the master.passwd I use to generate spwd.db and pwd.db,
I lock out all the accounts I leave in, compile the db and no 's' bit
is needed.
My master.passwd looks like:

root:*:0:0::0:0:System Administrator:/:/nonexistant
daemon:*:1:1::0:0:System deamons:/:/nonexistant
bin:*:3:7::0:0:Binaries pseudo-user:/:/nonexistant
games:*:7:13::0:0:Games pseudo-user:/:/nonexistant
news:*:8:8::0:0:News' login:/:/nonexistant
guest:*:32766:31::0:0:Guest login:/:/nonexistant
nobody:*:32767:32767::0:0:Unprivileged user:/:/nonexistant
ftp:*:300:300::0:0:Anonymous FTP login:/usr/ftp:/usr/libexec/ftpd -l
ftp-adm:*:301:301::0:0:FTP Admin:/usr/ftp:/nonexistant
www:*:302:302::0:0:World Wibe Web:/:/nonexistant
www-adm:*:303:302::0:0:World Wibe Web:/:/nonexistant

So there's no user listed, no password, nothing.

Bye,
--
# $Id: .signature,v 1.12 1995/08/14 12:10:54 piero Exp $
Piero Serini
Via Giambologna, 1
I 20136 Milano - ITALY
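
Added example, not part of the original message or of FreeBSD: a shell check that a master.passwd intended for the anonymous-FTP chroot carries no password material before it is compiled into ~ftp/etc/pwd.db. The function names and the sample entries are constructed for illustration, and only a literal "*" is treated as locked, as in the listing above.

```sh
#!/bin/sh
# master.passwd fields (10, colon-separated):
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell

# audit_ftp_passwd [file]
# Reads the named file (or stdin) and prints one "name: reason" line per
# entry that should not be copied into the chroot. Returns 1 if any
# finding was printed, 0 if the file is clean.
audit_ftp_passwd() {
    awk -F: '
        /^#/ || /^$/ { next }            # skip comments and blank lines
        NF != 10 {
            printf "%s: expected 10 fields, got %d\n", $1, NF
            bad++
            next
        }
        $2 == "" {                       # empty field means no password at all
            printf "%s: password field is empty\n", $1
            bad++
            next
        }
        $2 != "*" {                      # anything else may be a real hash
            printf "%s: password field is not locked\n", $1
            bad++
        }
        END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample input: one clean entry and three problem entries.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample, not a real password file
ftp:*:300:300::0:0:Anonymous FTP login:/usr/ftp:/nonexistent
alice:$1$constructed$notarealhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob::1002:1002::0:0:Bob:/home/bob:/bin/sh
short:*:1:1
EOF
}

# Demonstration run; "|| true" because findings give a non-zero status.
sample_master_passwd | audit_ftp_passwd || true
```

Run it against the edited file before generating the databases; a non-zero exit status means at least one entry would expose or weaken an account if it were readable inside the chroot.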