lenny@quincy.UUCP (10/03/87)
More Security questions?
------------------------
Here are some more things that irk me on the UNIX PC. Somebody went
s-bit crazy! The following find command will locate all the s-bit'd
stuff (owned by root) that is executable by you (i.e., if you are root,
every s-bit'd thing):
$ find / -perm -4001 -user root -exec ls -l {} \; | more
Now on that list you will find some things that you wouldn't want an
ordinary "Tom, Dick, or Harry" person to execute, although they can do it!
    /etc/lddrv/lddrv  - why allow anyone to allocate and/or deallocate
                        system drivers? Take the read/write
                        permission off other. (i.e., chmod o-rw ...)
    /bin/mv           - why this I do not know; it should be linked
                        with /bin/cp, /bin/ln (they compare [cmp] to
                        be the same, although /bin/mv is unlinked and
                        s-bit'd as root?)
                        (Link it with: ln /bin/cp /bin/mv)
    /usr/bin/fsetup   - anyone can turn on fonts on your windowed
                        bitmap terminal (UNIX PC). Only allow the
                        user-agent (ua) or root to do it. Take off
                        read/write permission to other.
    /usr/bin/lpsetup  - anyone can administer all printers on your
    /usr/lib/lpadmin    system? Only allow root or install to do
    /usr/lib/lpshut     this. Take off read/write permission to
    /usr/lib/lpsched    other. In fact they probably can be owned
                        by "lp"; that's the whole reason for the
                        lp administrator; all /usr/spool/lp files
                        are owned by lp?
Some things that shouldn't be read/write by all but are by default.
This locates them (although there might be many!):
$ find / -perm -2 -exec ls -l {} \; | more
There might be exceptions to the "rule" in your case; you might want
to leave write permission on these:
/ - root directory.
/dev/fp020 - floppy drive.
/dev/fp021
/dev/rfp020 - floppy drive. (raw device)
/dev/rfp021
/mnt - mount directory
/mnta - mount directory
/mntb - mount directory
/etc/inittab - inittab file! Bad news!
/etc/.modem - miscellaneous modem parameter files.
/etc/.rs232 - miscellaneous rs-232 parameter files.
/etc/.fontload
/etc/lddrv/* - anything in here!
/etc/namesys - have anyone change the name of your system
when you least expect it, the next time you reboot
/etc/drvtab - drivers you have loaded
/etc/.installdate - used for backup purposes.
/etc/timedsply - your time display format (ie. American)
/etc/wtmp - the /etc/wtmp file for who! You can't delete
it but you can do a "cp /dev/null /etc/wtmp"
and clear it out leaving no trace! Remove
write permission from other.
/etc/localprofile - your local system profile.
/usr/adm/* - any log file, like sulog!
/usr/installed/* - your install/uninstall scripts for software
/usr/lib/ua - directory is 777? why?
/usr/lib/ua/1200bps:Am - your system default Terminal Emulator profiles
/usr/lib/ua/300bps:Am
/usr/lib/ua/9600bps:A2
/usr/lib/ua/Login.form - these user-agent forms.
/usr/lib/ua/Mailph.form
/usr/lib/ua/SMailph.form
/usr/lib/ua/RS232a.form
/usr/lib/ua/RS232b.form
/usr/lib/ua/RS232d.form
/usr/lib/ua/RS232e.form
/usr/lib/ua/SLsys.form
/usr/lib/ua/User.form
/usr/lib/ua/Others - any miscellaneous file?
/usr/lib/ua/Backup.menu
/usr/lib/ua/sm_ovf
/usr/lib/ua/.blanktime
/usr/lib/ua/phnum
/usr/lib/ua/Phonesinit.for
/usr/lib/ua/DEVSuffixes - etc...
I'm sure there are more. If anyone has any suggestions, let me know! I
think since the last "security" article many back doors have been
closed!
Good luck,
Lenny Tropiano
ICUS Administrator
--- Address to my UNIX PC ---
Lenny Tropiano | UUCP: {mtune,uunet!swlabs!godfre}!quincy!\
ICUS Computer Group | ...{ihnp4,chinet,safari,boulder,skeeve}! \icus!lenny
PO Box 1 | ...{cmcl2!phri,hoptoad}!dasys1! /
Islip Terrace, NY 11752|...{seismo,rutgers,cmcl2}!harvard!talcott!/
--- Work Address ---
--
Lenny Tropiano ...seismo!uunet!swlabs!godfre!quincy!lenny -or-
American LP Systems, Inc. ...cmcl2!phri!gor!helm!quincy!lenny -or-
1777-18 Veterans Memorial Hwy. ...mtune!quincy!lenny -or
Islandia, New York 11722 +1 516-582-5525 ...ihnp4!icus!quincy!lenny