Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!spool.mu.edu!howland.reston.ans.net!newsfeed.internetmci.com!news.sprintlink.net!ns1.tstt.net.tt!news
From: feisal@tstt.net.tt (Feisal Mohammed)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: A Matter of Security
Date: Wed, 10 Jan 1996 22:46:02 GMT
Organization: University of the West Indies
Lines: 50
Message-ID: <4d1fi5$mc4@ns1.tstt.net.tt>
References: <4d0qav$9j0@gol2.gol.com>
Reply-To: feisal@tstt.net.tt
NNTP-Posting-Host: cuscon16s.tstt.net.tt
X-Newsreader: Forte Free Agent 1.0.82

Doug <doug@gol.com> wrote:

>Our system now allows members to make PPP connections via our new
>Portmaster (which is working well, along with RADIUS, thanks to the help
>of members of this group).
>But I also noticed that any user can now Telnet into our FreeBSD
>machine.

You can stop this by giving the user a shell that exits immediately; for
example, I created a one-line script that prints "access denied" then exits.

>What's more, because of the default settings, any user can roam around
>and see almost everything, including most of the contents of /etc.
>Questions!
> Is this normal? Does everybody allow this?

Some do and some don't. The ISP whose system I set up wanted no telnets
from PPP/SLIP users, hence the exiting shell. For terminal users I whipped
up a menu that only allowed access to pine, lynx, gopher and passwd and did
not give access to the command line.

> As soon as I noticed this, I changed the permissions of /etc with the
>command
>chmod og-wrx /etc
>so that members could not access that directory. Is that a reasonable
>thing to do? Will it hurt any running processes?

Some programs need to read files in the /etc directory; why not protect
just the sensitive data?

> Is there a way of disabling logins except for certain users?

The shell set up as above.

> Can a user wreak havoc with the system by creating huge files in their
>home directory, creating and running programs, etc.?

For the setup here, PPP/SLIP users had no home directories and terminal
users had quotas set. I also set quotas on the mail spool, since users can
easily get 1MB/day by subscribing to many lists. BTW, this was on an RS6000
box with AIX 3.2.5; I don't know how to set quotas with FreeBSD, but it
should be the same.

Department of Mechanical Engineering
University of the West Indies
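The two shells Feisal describes (an exiting "access denied" shell for PPP/SLIP accounts and a menu shell for terminal accounts) can be one POSIX sh script, shown here as an added example that is not the poster's script and not part of FreeBSD. The install path /usr/local/bin and the two names menush and denysh are assumptions; the script decides its behaviour from the name it was invoked under, and the menu is a fixed allowlist, so the user's input is only ever compared against menu keys and never reaches a command line.

```shell
#!/bin/sh
# Constructed example of a restricted login shell.
# Assumed install: copy to /usr/local/bin/menush, hard-link it as
# /usr/local/bin/denysh, add both to /etc/shells, then assign menush to
# terminal-only accounts and denysh to PPP/SLIP-only accounts (chsh/vipw).

# Fixed allowlist: menu key -> program name. Anything not listed here is
# rejected; the user never gets a prompt that is passed to a shell.
allowed_program() {
    case "$1" in
        1)   echo pine ;;
        2)   echo lynx ;;
        3)   echo gopher ;;
        4)   echo passwd ;;
        q|Q) echo logout ;;
        *)   return 1 ;;
    esac
}

# The one-liner shell for accounts that must never get a session.
deny_shell() {
    echo "access denied" >&2
    exit 1
}

menu_loop() {
    # Fixed PATH so a user-supplied environment cannot redirect "pine"
    # or "passwd" to something else.
    PATH=/bin:/usr/bin:/usr/local/bin
    export PATH
    while :; do
        cat <<EOF

  1) pine   2) lynx   3) gopher   4) passwd   q) logout
EOF
        printf 'choice: '
        # EOF on input (hangup, ^D) simply ends the session.
        IFS= read -r choice || exit 0
        if prog=$(allowed_program "$choice"); then
            [ "$prog" = logout ] && exit 0
            "$prog"
        else
            echo "invalid choice" >&2
        fi
    done
}

main() {
    name=${0##*/}      # script name without directory
    name=${name#-}     # login shells are invoked with a leading '-'
    case "$name" in
        denysh) deny_shell ;;
        *)      menu_loop ;;
    esac
}

# Only start a session when invoked as a login shell (argv[0] begins
# with '-'). Running or sourcing the file any other way just defines
# the functions, which keeps it testable.
case "$0" in
    -*) main ;;
esac
```

Hard-linking one file under two names keeps the deny shell and the menu shell in step; if they are maintained separately, the deny shell is just the three-line deny_shell body.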
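For the /etc question, "protect just the sensitive data" means finding out which files an unprivileged login can actually read and tightening only those, rather than chmod og-rwx on the directory. The sh functions below are an added example, not from the post; the sample directory and file names the usage builds (hosts, spwd.db) are constructed stand-ins for real /etc entries.

```shell
#!/bin/sh
# Constructed example: audit and tighten individual files instead of
# locking all of /etc. Requires find(1) with -maxdepth (GNU and BSD).

# Print the regular files under $1 that carry the "other read" bit
# (octal 004), i.e. everything a non-root login can read. Run against
# /etc this shows what is really exposed; a blanket chmod og-rwx /etc
# would also hide /etc/hosts, /etc/resolv.conf, /etc/services and the
# other files that ordinary programs must read.
world_readable_in() {
    find "$1" -type f -perm -004 -print | sort
}

# Remove all "other" permission bits from each named file only, leaving
# the directory and every other file untouched.
restrict_files() {
    for f in "$@"; do
        chmod o-rwx "$f" || return 1
    done
}

# Post-change check: succeed if the file is not readable by "other".
# (test -r would only report whether *we* can read it.)
not_world_readable() {
    [ -z "$(find "$1" -maxdepth 0 -perm -004)" ]
}

# Usage on a constructed directory (nothing here touches the real /etc):
#   tmp=$(mktemp -d)
#   : > "$tmp/hosts";   chmod 644 "$tmp/hosts"
#   : > "$tmp/spwd.db"; chmod 644 "$tmp/spwd.db"
#   world_readable_in "$tmp"        # lists both files
#   restrict_files "$tmp/spwd.db"
#   world_readable_in "$tmp"        # lists only hosts
```

The same audit run as root against the real /etc gives the short list of candidate files to review; the fix then applies to those names, not to the directory.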