Path: utzoo!lsuc!ncrcan!ziebmef!cks
From: cks@ziebmef.uucp (Chris Siebenmann)
Newsgroups: comp.sys.att
Subject: Security on the 3B1 (was Re: Help needed with 7300)
Message-ID: <1988Jun19.154739.2498@ziebmef.uucp>
Date: 19 Jun 88 19:47:36 GMT
References: <5997@uwmcsd1.UUCP> <9300074@bradley>
Reply-To: cks@ziebmef.UUCP (Chris Siebenmann)
Organization: Ziebmef Public Access BBS/Unix
Lines: 41

In article <9300074@bradley> tychan@bradley.UUCP writes:
>Steve Kosloske writes:
>> I just got my 7300 shipped to me, and am trying to get it set up to run
>> as a multi user system. I've got a lot of the files that I don't want
>> people to mess with locked out, but I'm having problems with 'su'
>>
>> Is it possible to put a password on 'su' so everyone can't become the super
>> user, or should I just chmod the program to 4700?

You should always give root a password (along with various other
unsecured accounts, notably install, uucpadm, and nuucp/uucp). However,
there's a lot more to do than just that.

First, go through the system looking for world-writeable directories;
most of them don't want to be, needless to say. Second, ditch the ua
just about completely; I made a new group 'ua', and made all the ua
stuff mode 750, group ua. You'll have to ditch 'cu' to make
/usr/spool/uucp mode 775, btw (no great loss; replace it with pcomm,
which was designed to run setgid).

While you're at it, you'll probably want to fix miscellaneous
stupidities, like the ownership of /usr/lib/uucp/* and
/usr/spool/uucp/*, and the uucp permissions (note that uucpadm and uucp
actually have the same uid; this is easy to change, well worth it, and
only breaks one thing I'm aware of ('uustat -c' wants you to be either
uucp or root, grr)). Depending on what you're using the floppy drive
for, you may also want to restrict access to it, since the system is
perfectly happy to format a mounted floppy. You'll also want to stick a
'umask 022' into /etc/rc somewhere (I picked right after the first
setting of TZ).

As you can see, I'm running my system multi-user, and it does work. It
takes a fair amount of work to set up and beat all the stupidities out,
but it's worth it. You end up with a system you're much more confident
of (I've always been amazed at just how unsecure an off-the-floppy 3B1
really is ... I mean, /etc as mode 777? gak).

--
	But he said leave me alone I'm a family man
	And my bark is much worse than my bite
Chris Siebenmann	uunet!utgpu!{ontmoh!moore,ncrcan}!ziebmef!cks
cks@ziebmef.UUCP     or	.....!utgpu!{,ontmoh!,ncrcan!brambo!}cks
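
Added example (not part of the original post): a small POSIX shell audit for three of the checks the post names, namely world-writable directories, accounts with no password, and accounts sharing a uid. The function names and the fixture (directory tree, uids and passwd entries) are constructed for illustration and assume the old passwd layout with the password hash in field 2.

```shell
#!/bin/sh
# Added example: audit helpers for checks described in the post.
# Function names are hypothetical; all sample data is constructed.

# List directories under $1 that are writable by "other" (mode bit 0002).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# List accounts in passwd-format file $1 whose password field is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# List uids in passwd-format file $1 that more than one account shares.
shared_uids() {
    awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1" | sort
}

# Build a constructed fixture: a small tree with two mode-777 directories
# and a passwd file (constructed uids, placeholder hashes). Prints its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/usr/spool/uucp" "$d/usr/lib"
    chmod 777 "$d/etc" "$d/usr/spool/uucp"
    chmod 755 "$d/usr" "$d/usr/spool" "$d/usr/lib"
    cat > "$d/passwd" <<'EOF'
root::0:0:constructed:/:/bin/sh
install::101:1:constructed:/usr/install:/bin/sh
uucp:CONSTRUCTEDHASH:5:5:constructed:/usr/spool/uucppublic:
uucpadm::5:5:constructed:/usr/lib/uucp:/bin/sh
cks:CONSTRUCTEDHASH:200:100:constructed:/u/cks:/bin/sh
EOF
    echo "$d"
}

fx=$(make_fixture)
echo "world-writable directories:"; world_writable_dirs "$fx"
echo "accounts with no password:";  empty_password_accounts "$fx/passwd"
echo "shared uids:";                shared_uids "$fx/passwd"
rm -rf "$fx"
```

On a real system, point `world_writable_dirs` at `/` and the other two functions at `/etc/passwd`; on modern systems sticky-bit directories such as `/tmp` will also be listed and need to be reviewed individually.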