lenny@quincy.UUCP (10/03/87)
More Security questions?
------------------------

Here are some more things that irk me on the UNIX PC.  Somebody went
s-bit crazy!  The following find command will locate all the s-bit'd
stuff (owned by root) that is executable by you (i.e. if you are root,
every s-bit'd thing):

	$ find / -perm -4001 -user root -exec ls -l {} \; | more

Now on that list you will find some things that you wouldn't want the
ordinary "Tom, Dick, or Harry" person to execute, although they can do it!

/etc/lddrv/lddrv   - why allow anyone to allocate and/or deallocate system
                     drivers?  Take the read/write permission off other.
                     (i.e. chmod o-rw ...)

/bin/mv            - why this I do not know; it should be linked with
                     /bin/cp and /bin/ln (they compare [cmp] to be the
                     same), although /bin/mv is unlinked and s-bit'd as
                     root?  (Link it with: ln /bin/cp /bin/mv)

/usr/bin/fsetup    - anyone can turn on fonts on your windowed bitmap
                     terminal (UNIX PC).  Only allow the user-agent (ua)
                     or root to do it.  Take off read/write permission
                     to other.

/usr/bin/lpsetup   - anyone can administer all printers on your
/usr/lib/lpadmin     system?  Only allow root or install to do
/usr/lib/lpshut      this.  Take off read/write permission to
/usr/lib/lpsched     other.  In fact it should, and probably can, be
                     owned by "lp"; that's the whole reason for the
                     lp administrator, all /usr/spool/lp files are
                     owned by lp.

Some things that shouldn't be read/write by all and are by default.
This locates them (although there might be many!):

	$ find / -perm -2 -exec ls -l {} \; | more

There might be exceptions to the "rule" in your case; you might want to
leave write permission on these:

/                      - root directory.
/dev/fp020             - floppy drive.
/dev/fp021
/dev/rfp020            - floppy drive. (raw device)
/dev/rfp021
/mnt                   - mount directory
/mnta                  - mount directory
/mntb                  - mount directory

/etc/inittab           - inittab file!  Bad news!
/etc/.modem            - miscellaneous modem parameter files.
/etc/.rs232            - miscellaneous rs-232 parameter files.
/etc/.fontload
/etc/lddrv/*           - anything in here!
/etc/namesys           - have anyone changing the name of your system
                         when you least expect it, next time you reboot
/etc/drvtab            - drivers you have loaded
/etc/.installdate      - used for backup purposes.
/etc/timedsply         - your time display format (i.e. American)
/etc/wtmp              - the /etc/wtmp file for who!  You can't delete
                         it, but you can do a "cp /dev/null /etc/wtmp"
                         and clear it out leaving no trace!  Remove
                         write permission from other.
/etc/localprofile      - your local system profile.
/usr/adm/*             - any log file, like sulog!
/usr/installed/*       - your install/uninstall scripts for software
/usr/lib/ua            - directory is 777?  why?
/usr/lib/ua/1200bps:Am - your system default Terminal Emulator profiles
/usr/lib/ua/300bps:Am
/usr/lib/ua/9600bps:A2
/usr/lib/ua/Login.form - the user-agent forms.
/usr/lib/ua/Mailph.form
/usr/lib/ua/SMailph.form
/usr/lib/ua/RS232a.form
/usr/lib/ua/RS232b.form
/usr/lib/ua/RS232d.form
/usr/lib/ua/RS232e.form
/usr/lib/ua/SLsys.form
/usr/lib/ua/User.form
/usr/lib/ua/Others     - any miscellaneous file?
/usr/lib/ua/Backup.menu
/usr/lib/ua/sm_ovf
/usr/lib/ua/.blanktime
/usr/lib/ua/phnum
/usr/lib/ua/Phonesinit.for
/usr/lib/ua/DEVSuffixes - etc...

I'm sure there are more?  If anyone has any suggestions let me know!
I think from the last "security" article there have been many back
doors closed!

Good luck,
Lenny Tropiano
ICUS Administrator

--- Address to my UNIX PC ---
Lenny Tropiano           | UUCP: {mtune,uunet!swlabs!godfre}!quincy!\
ICUS Computer Group      |    ...{ihnp4,chinet,safari,boulder,skeeve}! \icus!lenny
PO Box 1                 |    ...{cmcl2!phri,hoptoad}!dasys1!            /
Islip Terrace, NY 11752  |    ...{seismo,rutgers,cmcl2}!harvard!talcott!/
--- Work Address ---
-- 
Lenny Tropiano                    ...seismo!uunet!swlabs!godfre!quincy!lenny  -or-
American LP Systems, Inc.         ...cmcl2!phri!gor!helm!quincy!lenny         -or-
1777-18 Veterans Memorial Hwy.    ...mtune!quincy!lenny                       -or-
Islandia, New York 11722          ...ihnp4!icus!quincy!lenny
+1 516-582-5525
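The two audits in the post, as an added example that is not part of Lenny's message or of any UNIX PC software: a small sh script that runs the `-perm -4001 -user root` and `-perm -2` finds against an arbitrary root, filters the world-writable list through the post's own list of acceptable exceptions (/, the floppy devices, the mount directories), and applies the chmod remedies. The audited root, the owner argument and the scratch tree used to exercise it are assumptions so the script can be tried without root; the `harden_suid` function drops other-execute as well as read/write, since a setuid program that keeps o+x is still runnable by anyone.

```shell
#!/bin/sh
# Added example (not from the original post): audit a tree for the two
# classes of file the post discusses.  ROOT and OWNER are parameters so the
# functions can be run on a scratch directory without being root.

# Constructed allow-list: the world-writable paths the post says you may
# want to leave alone.  Relative to the audited root, so /mnt matches
# $ROOT/mnt when ROOT is a scratch tree.
WW_ALLOW="/ /dev/fp020 /dev/fp021 /dev/rfp020 /dev/rfp021 /mnt /mnta /mntb"

# Print PATH with ROOT stripped off, so results read as absolute paths.
_rel() { # ROOT PATH
    if [ "$1" = / ]; then printf '%s\n' "$2"
    elif [ "$2" = "$1" ]; then printf '/\n'
    else printf '%s\n' "${2#"$1"}"
    fi
}

# The post's `find / -perm -4001 -user root`: setuid files owned by OWNER
# (default root) that also carry other-execute, i.e. anyone can run them.
# A 4700 file is setuid but not reported, since other cannot execute it.
suid_exec_by_other() { # ROOT [OWNER]
    root=${1%/}; [ -n "$root" ] || root=/
    owner=${2:-root}
    find "$root" -type f -user "$owner" -perm -4001 2>/dev/null |
    while IFS= read -r f; do _rel "$root" "$f"; done
}

# The post's `find / -perm -2`: anything writable by other, minus the
# allow-list.  Symlinks are skipped; they show as 777 but only the target's
# mode matters.
world_writable() { # ROOT
    root=${1%/}; [ -n "$root" ] || root=/
    find "$root" ! -type l -perm -2 2>/dev/null |
    while IFS= read -r f; do
        r=$(_rel "$root" "$f")
        allowed=0
        for a in $WW_ALLOW; do [ "$r" = "$a" ] && allowed=1; done
        if [ "$allowed" -eq 0 ]; then printf '%s\n' "$r"; fi
    done
}

# Remedy for the lddrv/fsetup/lpsetup cases.  The post says chmod o-rw;
# this also drops o-x, because a setuid program that keeps other-execute
# is still runnable by everyone.  The s-bit itself is left in place so the
# owner (and root) can still use it.
harden_suid() { # FILE...
    for f in "$@"; do chmod o-rwx "$f" || return 1; done
}

# Remedy for the world-writable list (inittab, wtmp, sulog, ...).
remove_other_write() { # FILE...
    for f in "$@"; do chmod o-w "$f" || return 1; done
}

# Usage once this file is sourced into a shell:
#   suid_exec_by_other / root      # what the post's first find reports
#   world_writable /               # what the second find reports, minus the allow-list
#   harden_suid /etc/lddrv/lddrv /usr/bin/fsetup /usr/bin/lpsetup
#   remove_other_write /etc/inittab /etc/wtmp /usr/adm/sulog
```

Run it on a copy of the tree first (or with a scratch ROOT) and read the lists before applying the chmods; the allow-list is the post's, so add anything your own setup legitimately needs writable.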