Everyone,
I only received 2 responses, one from Gary George that points to the
File Hierarchy Standard (FHS); I followed his link to the ftp site and
found it directly on the web at: http://www.pathname.com/fhs. It was
originally written for Linux systems, but is applicable for most BSD-ish
Unixes. To quote the FHS document about the /sbin permissions:
"We recommend that users have read and execute permission for
everything in /sbin except, perhaps, certain setuid and setgid programs.
The division between /bin and /sbin was not created for security reasons or
to prevent users from seeing the operating system, but to provide a good
partition between binaries that everyone uses and ones that are primarily
used for administration tasks. There is no inherent security advantage in
making /sbin off-limits for users."
To solve the /usr/sbin/wall problem, Tom Webster suggested that either
you unset the world bit on the wall or educate the users to use the mesg
program to prevent users from sending them messages, but they would still
receive system wall messages.
Thanks again to Tom Webster and Gary George for their responses...
My original question:
> I just noticed that the permissions on /usr/sbin/wall are set to:
>
> # ls -lad /usr/sbin/wall
> -rwxr-s--x 1 bin terminal 24576 Dec 29 1997 /usr/sbin/wall
>
> This is on a variety of 4.0A to 4.0D machines....
>
> It doesn't seem right that as a default, the wall command can be used by
> any user at all? Should we lock this down in any way? Does anyone else
> change the permissions on either this command or the above /usr/sbin
> directory to tighten up security a little?
>
> It's not just the wall command, it's the entire /usr/sbin directory that
> is set to this:
>
> # ls -lad /usr /usr/sbin /usr/sbin/wall
> drwxr-xr-x 35 root system 8192 Sep 3 14:38 /usr
> drwxr-xr-x 3 root system 16384 Aug 26 15:38 /usr/sbin
>
> /usr/sbin seems to be wide open... Most of the files in there a regular
> user can't run even though the bits are set for world to run. But when
> you run edquota for example it will tell you that the permission is
> denied:
>
> # /usr/sbin/edquota thomask
> edquota: permission denied
>
> But things like lpc restart are possible from a non-privileged user...
> That means that someone can restart all the queues on the unix machine...
> they can disable or stop the queue - but they most certainly can restart a
> queue. There must be other things in there a general user can run
> too....
>
> So the question really is why are the permissions on /usr/sbin so wide
> open? And what are people doing to close it down?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karen Thomas
Assistant Director Information Systems
Connecticut State University System Office
Phone: (860) 493-0118
Fax: (860) 493-0026
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Received on Tue Sep 22 1998 - 18:23:06 NZST
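
An added example, not part of the original post or of any reply to it: a POSIX shell audit for the condition raised in the question (set-id programs that any user can execute, like the -rwxr-s--x wall binary), together with the "unset the world bit" fix from the summary. The function names and the fixture file names are hypothetical, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example, not from the original post.

# audit_setid_world_exec DIR
# Print every regular file under DIR that is setuid or setgid AND executable
# by "other" (the -rwxr-s--x pattern shown for wall in the question).
audit_setid_world_exec() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -0001 -print | sort
}

# restrict_world_exec FILE
# The first option from the summary: clear only the world execute bit.
# A symbolic mode leaves the owner, group and set-id bits as they were.
restrict_world_exec() {
    chmod o-x "$1"
}

# make_fixture
# Build a constructed sample tree (hypothetical names, demonstration only)
# and print its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    for f in wall plain_tool group_only; do
        printf '#!/bin/sh\n' > "$d/$f"
    done
    chmod 2751 "$d/wall"        # setgid and world-executable: reported
    chmod 0755 "$d/plain_tool"  # world-executable, no set-id bit: ignored
    chmod 2750 "$d/group_only"  # setgid, not world-executable: ignored
    printf '%s\n' "$d"
}
```

Run `audit_setid_world_exec /usr/sbin` to list the candidates; a file that has been through `restrict_world_exec` can then only be run by its owner and group.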