Security on the 3B1 (was Re: Help needed with 7300)

Chris Siebenmann cks at ziebmef.uucp
Mon Jun 20 05:47:36 AEST 1988


In article <9300074 at bradley> tychan at bradley.UUCP writes:
>Steve Kosloske writes:
>>  I just got my 7300 shipped to me, and am trying to get it set up to run
>>  as a multi user system. I've got a lot of the files that I don't want 
>>  people to mess with locked out, but I'm having problems with 'su'
>>  
>>  Is it possible to put a password on 'su' so everyone can't become the super
>>  user, or should I just chmod the program to 4700?

 You should always give root a password (along with various other
unsecured accounts, notably install, uucpadm, and nuucp/uucp).
However, there's a lot more to do than just that. First, go through
the system looking for world-writeable directories; most of them
don't want to be, needless to say. Second, ditch the ua just about
completely; I made a new group 'ua', and made all the ua stuff mode
750, group ua. You'll have to ditch 'cu' to make /usr/spool/uucp mode
775, btw (no great loss; replace it with pcomm, which was designed to
run setgid).

 While you're at it, you'll probably want to fix miscellaneous
stupidities, like the ownership of /usr/lib/uucp/* and
/usr/spool/uucp/*, and the uucp permissions (note that uucpadm and
uucp actually have the same uid; this is easy to change, well worth
it, and only breaks one thing I'm aware of ('uustat -c' wants you to
be either uucp or root, grr)). Depending on what you're using the
floppy drive for, you may also want to restrict access to it, since
the system is perfectly happy to format a mounted floppy.  You'll also
want to stick a 'umask 022' into /etc/rc somewhere (I picked right
after the first setting of TZ). 
 
 As you can see, I'm running my system multi-user, and it does work.
It takes a fair amount of work to set up and beat all the stupidities
out, but it's worth it. You end up with a system you're much more
confident of (I've always been amazed at just how unsecure an
off-the-floppy 3B1 really is ... I mean, /etc as mode 777? gak). 

-- 
	But he said leave me alone I'm a family man
	And my bark is much worse than my bite
Chris Siebenmann		uunet!utgpu!{ontmoh!moore,ncrcan}!ziebmef!cks
cks at ziebmef.UUCP	     or	.....!utgpu!{,ontmoh!,ncrcan!brambo!}cks
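An added audit script (not from the post or from any 3B1 tool) covering the permission sweep the post describes: it lists world-writable directories that lack the sticky bit, world-writable files, and setuid/setgid programs under a given root, and runs them against a constructed tree whose paths (etc, tmp, bin/su, usr/bin/pcomm, usr/spool/uucp, usr/lib/ua) are hypothetical stand-ins for the cases the post mentions.

```shell
#!/bin/sh
# Permission audit in the spirit of the post: world-writable directories
# (other than sticky scratch dirs like /tmp), world-writable files, and
# setuid/setgid programs under a root. Point it at / on a real system; the
# demo tree below is constructed to mirror the cases the post describes.

# World-writable directories lacking the sticky bit. A 1777 /tmp is normal;
# a 777 /etc is not.
audit_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# World-writable regular files (startup scripts, spool control files, ...).
audit_world_writable_files() {
    find "$1" -type f -perm -0002 | sort
}

# Setuid or setgid programs: each one is a privilege boundary worth reviewing.
audit_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Build a constructed tree (hypothetical layout, not a real 3B1 image) with
# one example of each condition; prints the root so callers can clean it up.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/tmp" "$root/bin" "$root/usr/bin" \
             "$root/usr/spool/uucp" "$root/usr/lib/ua"
    chmod 777 "$root/etc"              # the off-the-floppy "gak" case
    chmod 1777 "$root/tmp"             # sticky shared dir: not reported
    chmod 775 "$root/usr/spool/uucp"   # group-writable only: not reported
    chmod 750 "$root/usr/lib/ua"       # the post's hardened ua directory
    : > "$root/etc/rc";        chmod 666 "$root/etc/rc"
    : > "$root/bin/su";        chmod 4755 "$root/bin/su"
    : > "$root/usr/bin/pcomm"; chmod 2755 "$root/usr/bin/pcomm"
    echo "$root"
}

# Demo run: audit the constructed tree, then remove it.
demo_root=$(build_demo_tree)
echo "== world-writable dirs (no sticky) =="; audit_world_writable "$demo_root"
echo "== world-writable files ==";            audit_world_writable_files "$demo_root"
echo "== setuid/setgid programs ==";          audit_setuid "$demo_root"
rm -rf "$demo_root"
```

On the constructed tree only etc, etc/rc, bin/su and usr/bin/pcomm are reported; the sticky tmp and the 775 spool directory are correctly left out.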