Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!decwrl!ucbvax!agate!ziploc!eps
From: eps@toaster.SFSU.EDU (Eric P. Scott)
Newsgroups: comp.sys.next
Subject: Re: Security of NeXT systems
Message-ID: <1376@toaster.SFSU.EDU>
Date: 1 Mar 91 00:54:38 GMT
References: <1991Feb28.143720.7839@engage.enet.dec.com>
Reply-To: eps@cs.SFSU.EDU (Eric P. Scott)
Organization: San Francisco State University
Lines: 51

In article <1991Feb28.143720.7839@engage.enet.dec.com>
tenny@ootool.dec.com (Dave Tenny) writes:
> So my general rule of thumb is to leave the NeXT
>directories and all system files with the protections they have
>when they ship

I wouldn't do that.

The first thing I'd do is run

    /etc/catman

followed by

    (cd /usr/man;exec chmod -R o-w cat*)

This preformats all the man pages and protects them from being
wiped out by aStupidJerk@completely.bogus.address typing `o' at a
--More-- prompt and saving the changes.  (It also makes the "man"
command *much* faster.)

Then something along the lines of

    #!/bin/csh -f
    set verbose
    chmod o-w / /me /private/spool/uucp/STATS
    chmod -R go-w \
        /NextApps/Librarian.app/LibrarianHelp/.index \
        /NextDeveloper/Demos \
        /NextDeveloper/Examples/MusicKit/exampunitgenerator \
        /NextLibrary/Documentation/*/.index \
        /NextLibrary/Documentation/NextDev/ReleaseNotes/.index \
        /NextLibrary/Documentation/Unix/ManPages/.index \
        /NextLibrary/Literature/Shakespeare/.index \
        /NextLibrary/References
    chmod -R o-w /NextLibrary/Packages
    chown 0.0 /NextApps/Librarian.app/LibrarianHelp/.dir.tiff \
        /usr/filesystems/*/*.{name,tiff} \
        /usr/lib/dsp/ugsrc
    chmod a+r /usr/filesystems/CDROM.fs/*.{name,tiff}
    chgrp kmem /usr/lib/emacs/etc/loadst
    chmod g+s /usr/lib/emacs/etc/loadst
    chmod go= /usr/template/user/Mailboxes
    chmod a+rx /usr/lib/indexing/files/images
    (cd /etc/uucp;exec chmod a+r L-devices L-dialcodes L.aliases L.cmds USERFILE)

...and the stuff discussed in Chapter 16 of N&SA:

    chmod ug-s /NextApps/{Preferences,PrintManager}
    niutil -destroyprop . /printers _writers
    niutil -destroyprop . /fax_modems _writers
    niutil -createprop . /printers RemoteAsNobody
    #niutil -createprop . / trusted_networks ###.###

This is all sort of rough, I'm just starting to figure it out.

-=EPS=-
--
Trivia question: what is group 11?
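
Added example, not part of the original post: a POSIX sh audit that checks whether the permission rules applied above (o-w, go-w, ug-s) actually hold on a tree, so the result of the chmod pass can be verified and re-checked later. The function names, the rule-file format and the demo tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the post): audit the rules its chmod lines enforce.
# Rules on stdin, one per line: "<class> <path>". A class names bits that must be clear:
#   o-w = world write, go-w = group or world write, ug-s = setuid or setgid.

# Print each non-symlink entry under $2 that still has a bit forbidden by class $1.
violations() {
    case $1 in
        o-w)  find "$2" ! -type l -perm -002 -print ;;
        go-w) find "$2" ! -type l \( -perm -002 -o -perm -020 \) -print ;;
        ug-s) find "$2" ! -type l \( -perm -4000 -o -perm -2000 \) -print ;;
        *)    echo "unknown class: $1" >&2; return 2 ;;
    esac
}

# Print "class<TAB>path" per violation. Returns 0 if clean, 1 if any violation,
# 2 on an unknown class or a find error. Missing paths are reported and skipped.
audit() {
    audit_rc=0
    while read -r class path; do
        case $class in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then echo "missing: $path" >&2; continue; fi
        found=$(violations "$class" "$path") || return 2
        if [ -n "$found" ]; then
            printf '%s\n' "$found" | while IFS= read -r f; do
                printf '%s\t%s\n' "$class" "$f"
            done
            audit_rc=1
        fi
    done
    return $audit_rc
}

# Constructed demo tree in a temp dir, standing in for /usr/man and /NextApps.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/usr/man/cat1" "$root/NextApps"
    : > "$root/usr/man/cat1/ls.1";    chmod 666  "$root/usr/man/cat1/ls.1"
    : > "$root/NextApps/Preferences"; chmod 4755 "$root/NextApps/Preferences"
    printf 'o-w %s\nug-s %s\n' "$root/usr/man" "$root/NextApps/Preferences" > "$root/rules"
    echo "before:"; audit < "$root/rules" || true
    chmod -R o-w "$root/usr/man"; chmod ug-s "$root/NextApps/Preferences"
    echo "after:";  audit < "$root/rules" && echo "clean"
    rm -rf "$root"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument demo to see the before and after output on the constructed tree; for a real system, feed audit a rule file listing the paths from the post.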