Path: utzoo!attcan!uunet!convex!linac!mp.cs.niu.edu!bennett
From: bennett@mp.cs.niu.edu (Scott Bennett)
Newsgroups: comp.sys.next
Subject: Re: Security of NeXT systems
Message-ID: <1991Mar1.014356.16867@mp.cs.niu.edu>
Date: 1 Mar 91 01:43:56 GMT
References: <1991Feb28.143720.7839@engage.enet.dec.com> <1376@toaster.SFSU.EDU>
Organization: Northern Illinois University
Lines: 75

In article <1376@toaster.SFSU.EDU> eps@cs.SFSU.EDU (Eric P. Scott) writes:
>In article <1991Feb28.143720.7839@engage.enet.dec.com>
>	tenny@ootool.dec.com (Dave Tenny) writes:
>>                So my general rule of thumb is to leave the NeXT
>>directories and all system files with the protections they have
>>when they ship
>
>I wouldn't do that.  The first thing I'd do is run /etc/catman
>followed by (cd /usr/man;exec chmod -R o-w cat*)
>This preformats all the man pages and protects them from being
>wiped out by aStupidJerk@completely.bogus.address typing `o' at a
>--More-- prompt and saving the changes.  (It also makes the "man"
>command *much* faster.)

     The security issue here has already been addressed in other threads.
It's not a problem.  Running catman to pre-nroff all the man pages sounds
nice, but takes a long time and *wastes* a lot of disk space.  It is
definitely a waste because on most systems the vast majority of man pages
are *never* examined by any user.  Those pages that *are* examined get
nroff'ed once when first needed and are available for quick access from
then on.
>
>Then something along the lines of
>
>#!/bin/csh -f
>set verbose
>chmod o-w / /me /private/spool/uucp/STATS
>chmod -R go-w \
>	/NextApps/Librarian.app/LibrarianHelp/.index \
>	/NextDeveloper/Demos \
>	/NextDeveloper/Examples/MusicKit/exampunitgenerator \
>	/NextLibrary/Documentation/*/.index \
>	/NextLibrary/Documentation/NextDev/ReleaseNotes/.index \
>	/NextLibrary/Documentation/Unix/ManPages/.index \
>	/NextLibrary/Literature/Shakespeare/.index \
>	/NextLibrary/References
>chmod -R o-w /NextLibrary/Packages
>chown 0.0 /NextApps/Librarian.app/LibrarianHelp/.dir.tiff \
>	/usr/filesystems/*/*.{name,tiff} \
>	/usr/lib/dsp/ugsrc
>chmod a+r /usr/filesystems/CDROM.fs/*.{name,tiff}
>chgrp kmem /usr/lib/emacs/etc/loadst
>chmod g+s /usr/lib/emacs/etc/loadst
>chmod go= /usr/template/user/Mailboxes
>chmod a+rx /usr/lib/indexing/files/images
>(cd /etc/uucp;exec chmod a+r L-devices L-dialcodes L.aliases L.cmds USERFILE)
>
>...and the stuff discussed in Chapter 16 of N&SA:
>
>chmod ug-s /NextApps/{Preferences,PrintManager}

     Good grid!!  Did NeXT *really* get *all* those permissions wrong???

>niutil -destroyprop . /printers _writers
>niutil -destroyprop . /fax_modems _writers
>niutil -createprop . /printers RemoteAsNobody
>#niutil -createprop . / trusted_networks ###.###
>
>This is all sort of rough, I'm just starting to figure it out.
>
>					-=EPS=-
>--
>Trivia question: what is group 11?


                                  Scott Bennett, Comm. ASMELG, CFIAG
                                  Systems Programming
                                  Northern Illinois University
                                  DeKalb, Illinois 60115
**********************************************************************
* Internet:       bennett@cs.niu.edu                                 *
* BITNET:         A01SJB1@NIU                                        *
*--------------------------------------------------------------------*
*  "WAR is the HEALTH of the STATE"  --Albert Jay Nock (I think:-)   *
**********************************************************************
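
A read-only audit of the permission classes the quoted script changes (other-write, group-write, setuid, setgid), as an added example that is not part of the original post or of NeXT's software. It is written in POSIX sh rather than the post's csh; the function names and the demo tree, which borrows two path names from the post, are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only permission audit. It never changes any mode.
# audit_perms DIR prints one "TAG<TAB>PATH" line per finding.
audit_perms() {
    root=$1
    # Symlinks are skipped: they report mode 777 on many systems.
    # Sticky world-writable directories (/tmp style) are skipped too.
    find "$root" ! -type l -perm -0002 ! \( -type d -perm -1000 \) \
        -exec printf 'other-write\t%s\n' {} \;
    # Group-writable only; entries also open to "other" are listed above.
    find "$root" ! -type l -perm -0020 ! -perm -0002 \
        -exec printf 'group-write\t%s\n' {} \;
    find "$root" -type f -perm -4000 -exec printf 'setuid\t%s\n' {} \;
    find "$root" -type f -perm -2000 -exec printf 'setgid\t%s\n' {} \;
}

# count_tag TAG DIR prints how many findings carry TAG (0 if none).
count_tag() {
    audit_perms "$2" |
        awk -F'\t' -v tag="$1" '$1 == tag { n++ } END { print n + 0 }'
}

# Constructed sample tree (not real NeXT files); prints its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/NextLibrary/Packages" "$d/NextApps" "$d/tmp"
    chmod 755 "$d" "$d/NextLibrary" "$d/NextLibrary/Packages" "$d/NextApps"
    chmod 1777 "$d/tmp"                          # sticky: not reported
    : > "$d/NextLibrary/Packages/pkg.index"
    chmod 666 "$d/NextLibrary/Packages/pkg.index"    # other-write
    ln -s pkg.index "$d/NextLibrary/Packages/link"   # symlink: not reported
    : > "$d/NextApps/Preferences"
    chmod 4755 "$d/NextApps/Preferences"             # setuid
    : > "$d/NextApps/notes"
    chmod 664 "$d/NextApps/notes"                    # group-write only
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /NextLibrary
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

Reviewing this output before running any `chmod -R` shows exactly which paths a change would affect, and saving it gives a record to compare against after a system update.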