Newsgroups: comp.unix.bsd.freebsd.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.uwa.edu.au!DIALix!melbourne.DIALix.oz.au!seeware!mark
From: mark@seeware.DIALix.oz.au (Mark Hannon)
Subject: Re: A Matter of Security
Organization: Private FreeBSD site
Message-ID: <DL40v3.7qo@seeware.DIALix.oz.au>
References: <4d0qav$9j0@gol2.gol.com>
Date: Sat, 13 Jan 1996 07:59:25 GMT
Lines: 53

Doug (doug@gol.com) wrote:
: Our system now allows members to make PPP connections via our new
: Portmaster (which is working well, along with RADIUS, thanks to the help
: of members of this group).

: I noticed that unless I created a user account on the FreeBSD machine
: for a user, he or she could not receive email. Well, that makes sense.
: But I also noticed that any user can now Telnet into our FreeBSD
: machine.

You should be able to block this by setting the user's shell to
/sbin/nologin.

: What's more, because of the default settings, any user can roam around
: and see almost everything, including most of the contents of /etc.

: Questions!

: o Is this normal? Does everybody allow this? Is this a problem?

Normal users shouldn't be able to write anything here so there is no
real problem (and the sensitive files aren't readable by non-root).

: o As soon as I noticed this, I changed the permissions of /etc with the
:   command
:     chmod og-wrx /etc
:   so that members could not access that directory. Is that a reasonable
:   thing to do? Will it hurt any running processes?

Don't know - better to leave it as it was.

: o Is there a way of disabling logins except for certain users?

See above.

: o Can a user wreak havoc with the system by creating huge files in their
:   home directory, creating and running programs, etc.?

If you are worried about this then turn quotas on. See the manpages.

/mark
--
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
| Mark Hannon,| FreeBSD - Free Unix for your PC| mark@seeware.DIALix.oz.au|
| Melbourne,  | PGP key available by fingering | epamha@epa.ericsson.se   |
| Australia   | seeware@melbourne.DIALix.oz.au |                          |
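
An added example, not part of the post above: a small audit of a passwd(5)-format file that lists member accounts which can still get an interactive shell, i.e. those not yet set to /sbin/nologin as the reply suggests. The function names, the sample accounts and the UID cutoff of 1000 for "member" accounts are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example (not from the original post): find accounts that can still
# log in interactively, using the 7-field /etc/passwd layout
#   name:password:uid:gid:gecos:home:shell

# login_capable FILE [MIN_UID]
# Prints "name shell" for each account with uid >= MIN_UID whose shell is
# not nologin. MIN_UID defaults to 1000 (assumed start of member accounts),
# so system accounts such as root and daemon are left out of the report.
login_capable() {
    awk -F: -v min="${2:-1000}" '
        /^#/ || NF < 7    { next }   # skip comments and malformed lines
        $3 + 0 < min + 0  { next }   # skip system accounts
        {
            # passwd(5): an empty shell field means /bin/sh, so the
            # account can log in even though no shell is listed.
            shell = ($7 == "") ? "/bin/sh" : $7
            if (shell ~ /\/nologin$/) next
            print $1, shell
        }' "$1"
}

# Constructed sample data for the demonstration (no real accounts).
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
alice:*:1001:1001:Staff admin:/home/alice:/bin/csh
bob:*:1002:1002:PPP member, mail only:/home/bob:/sbin/nologin
carol:*:1003:1003:PPP member, empty shell field:/home/carol:
EOF
}

# Stand-alone run: audit the sample and print the accounts that need review.
demo_file=$(mktemp)
sample_passwd > "$demo_file"
login_capable "$demo_file"
rm -f "$demo_file"
```

On a live system the same function can be pointed at /etc/passwd; any mail-only member it prints still has a usable login shell.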