From: Landon Stewart (landons uniserve.com)
Date: Tue Oct 02 2001 - 10:24:38 CDT
At 11:13 PM 10/1/2001 -0500, default wrote:
>Hi,
>
>I am allowing a couple of ppl to have a shell account on one of my machines,
>and I am making a few changes to disallow them from using certain things...
Firstly, don't just chmod them; chown them with an alternate group like
(staff) and then chmod them to 750 or something. Some utilities require
the suid bit, so make sure you check if the binary is suid before you chmod
it and then include the suid bit if necessary (WARNING: failure to do this
could lock you out of your own system).
>like chmoding the 'ps' command to 550 etc...
Rather than getting rid of the 'ps' command, let them see their own
processes only by putting 'kern.ps_showallprocs=0' in your /etc/sysctl.conf
file.
If you don't want to reboot for it to take effect, just run "sysctl
kern.ps_showallprocs=0".
>I wanted to ask, is there any reason why one wouldn't want to chmod to 640
>the passwd file and other similar files? ...
Many utilities that do not run as root or wheel require passwd file
information (but not master.passwd file, which is where the important stuff
is). For instance, apache requires it to figure out where home directories
are when someone uses the http://www.domain.com/~username
--- Landon Stewart
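The reply's advice to check for the suid bit before changing group and mode, as an added shell example that is not part of the original post. `restrict_bin` is a hypothetical helper name; the group `staff` and mode 750 are the ones the reply mentions, and refusing setgid files is a choice made for this example.

```shell
#!/bin/sh
# restrict_bin FILE GROUP
# Limit FILE to its owner plus GROUP (mode 750) while keeping a setuid bit.
# Prints the mode it applied. Hypothetical helper, e.g.: restrict_bin /bin/ps staff
restrict_bin() {
    file=$1
    group=$2

    # Refuse symlinks and non-files: chgrp/chmod would act on the target.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "restrict_bin: $file: not a regular file" >&2
        return 1
    fi

    # A setgid binary runs with its group's rights; regrouping it would
    # change what it can do, so leave those for a manual decision.
    if [ -g "$file" ]; then
        echo "restrict_bin: $file is setgid, not regrouping" >&2
        return 1
    fi

    # Record the setuid bit BEFORE touching the file: chgrp may clear it
    # (depends on the OS and on whether the caller is root).
    special=0
    if [ -u "$file" ]; then
        special=4
    fi

    chgrp "$group" "$file" || return 1
    chmod "${special}750" "$file" || return 1
    echo "${special}750"
}
```

Run it as root on the real binaries; accounts that should keep access must then be members of the chosen group.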