Xref: utzoo comp.unix.aux:1432 comp.unix.ultrix:2267
Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!bloom-beacon!bloom-beacon!athena.mit.edu!crowston
From: crowston@athena.mit.edu (Kevin Crowston)
Newsgroups: comp.unix.aux,comp.unix.ultrix
Subject: System management and system file protection
Message-ID: <1989Dec2.214424.5719@athena.mit.edu>
Date: 2 Dec 89 21:44:24 GMT
Sender: root@athena.mit.edu (Wizard A. Root)
Reply-To: crowston@athena.mit.edu (Kevin Crowston)
Organization: Massachusetts Institute of Technology
Lines: 35

I'm the new system manager of a small network of unix boxes (both Mac AU/X and DecStation 3100 Ultrix). I've been using UNIX for a while, so I'm pretty comfortable with the commands and all, but I'm not really sure what all I should be doing with them. The documentation is pretty good about how to do things, less good about what to do (to be fair, I don't have all the Ultrix manuals).

The question I have right now is about setting up useful protections on all the various files (like /etc/passwd, /usr/lib/aliases, etc.). I'm not especially worried about malicious attacks, but I do want to minimize the chance of accidents. (I'm afraid one of these days I'll accidentally type rm * somewhere I shouldn't.) For that reason, I want to minimize the amount of stuff that you need to be super-user to do, while still restricting it to a known group of users.

What I've thought about doing is creating a group, like operator, and giving that group read/write permissions on files like /etc/passwd, /usr/lib/aliases, the root mail box, so that such a person can do all the various routine maintenance operations without being a super-user. Also, I'm planning to put most mailing lists in :included files and making these publicly writeable so people can add themselves to mailing lists and take themselves off.

Does this sound like a reasonable approach? What other arrangements do people use and like and recommend? What files have I forgotten about?

(Actually, if there are other helpful hints you have for running a small network or pointers to articles that talk about this, that'd be interesting too. Even weekly lists of chores, so I can check if I'm forgetting something...)

Finally, I seem to remember reading about a utility that looked through the file system for common security holes. Does anyone have a pointer to such a program or perhaps even to an article about it?

Kevin Crowston
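An added example, not part of the original post: a POSIX shell check that each file named in a policy list is no more writable than the level intended for it (owner, group or world), which catches permissions that have drifted wider than planned. The function names, the policy-file format and the demo file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check that files are no more writable than intended.
# Levels, least to most exposed: owner < group < world.

# exposure FILE: print the widest class that has write permission on FILE.
exposure() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -n "$(find -H "$1" -prune -perm -0002 -print)" ]; then
        echo world
    elif [ -n "$(find -H "$1" -prune -perm -0020 -print)" ]; then
        echo group
    else
        echo owner
    fi
}

# rank LEVEL: map a level to a number so levels can be compared.
rank() {
    case $1 in owner) echo 0 ;; group) echo 1 ;; world) echo 2 ;; *) echo 3 ;; esac
}

# audit POLICY: POLICY holds "<allowed-level> <file>" lines (assumed format).
# Print every file that is missing or more writable than allowed;
# return 1 if anything was printed.
audit() {
    rc=0
    while read -r allowed file; do
        case $allowed in '' | '#'*) continue ;; esac
        actual=$(exposure "$file")
        if [ "$(rank "$actual")" -gt "$(rank "$allowed")" ]; then
            echo "$file: allowed=$allowed actual=$actual"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# demo: constructed tree standing in for the real system files.
demo() {
    d=$(mktemp -d) || return 2
    touch "$d/passwd" "$d/aliases" "$d/staff.list"
    chmod 664 "$d/passwd"; chmod 666 "$d/aliases"; chmod 666 "$d/staff.list"
    printf '%s\n' "group $d/passwd" "group $d/aliases" \
        "world $d/staff.list" "owner $d/crontab" > "$d/policy"
    audit "$d/policy" | sed "s|$d/||"
    rm -rf "$d"
}
```

Calling demo reports the constructed aliases file (world-writable where only group write was intended) and the missing crontab entry; on a real system, audit would be pointed at a policy file listing the actual paths.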