System management and system file protection

Kevin Crowston crowston at athena.mit.edu
Sun Dec 3 08:44:24 AEST 1989


I'm the new system manager of a small network of unix boxes (both Mac AU/X
and DecStation 3100 Ultrix).  I've been using UNIX for a while, so I'm
pretty comfortable with the commands and all, but I'm not really
sure what all I should be doing with them.  The documentation is pretty
good about how to do things, less good about what to do (to be fair,
I don't have all the Ultrix manuals).

The question I have right now is about setting up useful protections
on all the various files (like /etc/passwd, /usr/lib/aliases, etc.).
I'm not especially worried about malicious attacks, but I do want to
minimize the chance of accidents.  (I'm afraid one of these days I'll 
accidentally type rm * somewhere I shouldn't.)  For that reason, I
want to minimize the amount of stuff that you need to be super-user
to do, while still restricting it to a known group of users.  

What I've thought about doing is creating a group, like operator, and
giving that group read/write permissions on files like /etc/passwd,
/usr/lib/aliases, the root mail box, so that such a person can do all
the various routine maintenance operations without being a super-user.
Also, I'm planning to put most mailing lists in :included files and
make these publicly writeable so people can add themselves to 
mailing lists and take themselves off.

Does this sound like a reasonable approach?  What other arrangements
do people use and like and recommend?  What files have I forgotten
about?  (Actually, if there are other helpful hints you have for
running a small network or pointers to articles that talk about this, 
that'd be interesting too.  Even weekly lists of chores, so I can check 
if I'm forgetting something...)

Finally, I seem to remember reading about a utility that looked through
the file system for common security holes.  Does anyone have a pointer
to such a program or perhaps even to an article about it?

Kevin Crowston
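
An added example, not part of the original post: a small sh audit for the permission scheme described above. It flags a file that is world-writable, or group-writable by a group other than the intended one, and lists every world-writable file under a directory. The group name operator and the file paths come from the post; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# classify FILE EXPECTED_GROUP -> prints one verdict line for FILE.
# Reads the mode string and group from "ls -ld" (fields 1 and 4).
classify() {
    mode=$(ls -ld "$1" | awk '{print $1}')
    group=$(ls -ld "$1" | awk '{print $4}')
    case $mode in
        ????????w*)                       # 9th character: write bit for "other"
            echo "WORLD-WRITABLE $1" ;;
        ?????w*)                          # 6th character: write bit for group
            if [ "$group" = "$2" ]; then
                echo "OK $1"
            else
                echo "UNEXPECTED-GROUP-WRITE $1"
            fi ;;
        *)
            echo "OK $1" ;;
    esac
}

# world_writable_under DIR -> every regular file anyone can write to,
# so the intentionally public list files can be told apart from accidents.
world_writable_under() {
    find "$1" -type f -perm -0002 -print
}

# Constructed sample tree standing in for the real file system.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/lib" "$root/lists"
    touch "$root/etc/passwd" "$root/usr/lib/aliases" "$root/lists/staff"
    chmod 664 "$root/etc/passwd"          # group-writable, as planned for the group
    chmod 644 "$root/usr/lib/aliases"     # owner-only write
    chmod 666 "$root/lists/staff"         # publicly writable :include: file
    for f in etc/passwd usr/lib/aliases lists/staff; do
        classify "$root/$f" operator
    done
    world_writable_under "$root"
    rm -rf "$root"
}
demo
```

Run from cron against the real paths, a changed verdict shows when a file's group or mode has drifted from the intended scheme.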


