[comp.sys.att] Security on the 3B1

cks@ziebmef.uucp (Chris Siebenmann) (06/20/88)

In article <9300074@bradley> tychan@bradley.UUCP writes:
>Steve Kosloske writes:
>>  I just got my 7300 shipped to me, and am trying to get it set up to run
>>  as a multi user system. I've got a lot of the files that I don't want
>>  people to mess with locked out, but I'm having problems with 'su'
>>  
>>  Is it possible to put a password on 'su' so everyone can't become the super
>>  user, or should I just chmod the program to 4700?

 You should always give root a password (along with various other
unsecured accounts, notably install, uucpadm, and nuucp/uucp).
However, there's a lot more to do than just that. First, go through
the system looking for world-writeable directories; most of them
don't want to be, needless to say. Second, ditch the ua just about
completely; I made a new group 'ua', and made all the ua stuff mode
750, group ua. You'll have to ditch 'cu' to make /usr/spool/uucp mode
775, btw (no great loss; replace it with pcomm, which was designed to
run setgid).

 While you're at it, you'll probably want to fix miscellaneous
stupidities, like the ownership of /usr/lib/uucp/* and
/usr/spool/uucp/*, and the uucp permissions (note that uucpadm and
uucp actually have the same uid; this is easy to change, well worth
it, and only breaks one thing I'm aware of ('uustat -c' wants you to
be either uucp or root, grr)). Depending on what you're using the
floppy drive for, you may also want to restrict access to it, since
the system is perfectly happy to format a mounted floppy.  You'll also
want to stick a 'umask 022' into /etc/rc somewhere (I picked right
after the first setting of TZ). 
 
 As you can see, I'm running my system multi-user, and it does work.
It takes a fair amount of work to set up and beat all the stupidities
out, but it's worth it. You end up with a system you're much more
confident of (I've always been amazed at just how unsecure an
off-the-floppy 3B1 really is ... I mean, /etc as mode 777? gak). 

-- 
	But he said leave me alone I'm a family man
	And my bark is much worse than my bite
Chris Siebenmann		uunet!utgpu!{ontmoh!moore,ncrcan}!ziebmef!cks
cks@ziebmef.UUCP	     or	.....!utgpu!{,ontmoh!,ncrcan!brambo!}cks

kak@hico2.UUCP (Kris A. Kugel) (03/05/90)

For the most part, I believe most of the 3b1/7300 owners
out there have fixed the most blatant security holes on
their systems (logins without passwords, and *VERY* serious
permissions holes)

I recently restored my 3B1 from scratch, and typed (by hand)
a security audit shell program from the book, "UNIX SYSTEMS SECURITY".

Given the time and effort it took to type and debug the damn
thing in, it seems to me that I could save some other poor souls
the effort by making some kinda information available.

Now, I can:
1. post the results of the security audit to the world
   (possibly creating awareness of the holes to those
    we would rather stay ignorant, and before the holes can be fixed)
2. post the security auditing program (probably violating copyright)
3. mail the results to anybody who requests them
  (assumes some kinda tracking of who gets it is better than nothing,
   not all that much safer, and a pain in the butt for me)

Seems to me we already had something like this discussion, but I forgot
the consensus opinion (if there was one).
I'm kinda leaning towards #1 myself.  Any opinions?

                               Kris A. Kugel
                              (201) 842-2707
       {uunet,att,rutgers}!westmark            <--daily
{ssbn,zorch,zinn,ditka,daver,attdso}           <--semi-daily
	                    {wldrdg}!hico2!kak <--maybe
	                  {stc-auts}           <--seems dead for 9600

levin@magnus.Hotline.Com (Michael M Levin) (03/06/90)

In article <200@hico2.UUCP> kak@hico2.UUCP (Kris A. Kugel) writes:
>For the most part, I believe most of the 3b1/7300 owners
>out there have fixed the most blatant security holes on
>>.......
>Given the time and effort it took to type and debug the damn
>thing in, it seems to me that I could save some other poor souls
>the effort by making some kinda information available.

	I think that since you went to all the trouble, it would be a
	shame for it to go to waste.  

>Now, I can:
>
>****2. post the security auditing program (probably violating copyright)****
>


	I like #2 myself.  I think that you should check it out, and find
	out if there is indeed any problem.  Another thought is, just send
	it (via email) to those sites who request it.  Is there a specific
	copyright prohibiting electronic images?  If so, you may have already
	violated it.  If not, then there wouldn't be a problem (provided,
	of course, you give credit where it's due).

	If you find that there isn't ANY way to implement option 2, without
	endangering yourself, then I suppose that your first or third choices
	will have to do.


		I VOTE FOR # 2 !!!!



					Mike Levin

-- 
 _            _           
| | ___  ___ |_| ___   Michael Levin     SilentRadio Headquarters- Los Angeles
| |/ ._\| | || ||   \  20732 Lassen Street,    Chatsworth  CA  91311    U.S.A.
|_|\___/ \_/ |_||_|_|  E-Mail: levin@Hotline.Com  {att|csun|srhqla}!magnus!mml

kak@hico2.UUCP (Kris A. Kugel) (03/09/90)

In article <200@hico2.UUCP>, kak@hico2.UUCP (Kris A. Kugel) writes:
> Now, I can:
> 1. post the results of the security audit to the world
>    (possibly creating awareness of the holes to those
>     we would rather stay ignorant, and before the holes can be fixed)

	So far, I've only gotten one objection to this suggestion.
	If anybody is nervous about this, I'd like to point out
	that this program isn't reporting the subtle holes,
	rather it finds more blatant holes on the one hand,
	and gives suggestions for possible holes on the other.
	(like reporting all suid and sgid files)

> 2. post the security auditing program (probably violating copyright)

	If somebody comes up with a contact point for the authors,
	I'll post it if they say ok.  This was a popular suggestion,
	but I've decided I'll give the authors the same consideration
	that I'd want.  I won't have time to track them down immediately.

> 3. mail the results to anybody who requests them
>   (assumes some kinda tracking of who gets it is better than nothing,
>    not all that much safer, and a pain in the butt for me)

	I won't have time for this.
> 

Sorry for the delays in responding, I will send appropriate mail, etc.
when I get back from out-of-town after this weekend.

                                Kris A. Kugel
                               (201) 842-2707
        {uunet,att,rutgers}!westmark            <--daily
 {ssbn,zorch,zinn,ditka,daver,attdso}           <--semi-daily
 	                    {wldrdg}!hico2!kak <--maybe
 	                  {stc-auts}           <--seems dead for 9600

P.S. to s5000!gh - the last mail I sent to your machine
(on a different subject) got bounced.
	-Kris