On Thu, 27 Feb 2003, Dave Sherohman wrote:

> On Wed, Feb 26, 2003 at 05:42:43PM -0800, Alvin Oga wrote:
> > and if i was admining your box... i'd "chmod 750 /sbin /usr/sbin"
> > and hide/remove root passwds so that i can sleep late or wont be
> > paged because something broke
> 
> ...which, even if it doesn't break things (like another poster's
> mention of pon/pppd), doesn't seem like it would do any good.  Even
> ignoring the possibility of users building/copying their own version
> of the binaries in (/usr)?/sbin (since this can be prevented by
> having all user-writable filesystems mounted noexec - although this
> isn't an option if you have developers on the box), there's still the
> little detail that, in order to get them to do anything harmful, you
> need root privileges.  And once an attacker is root, the 750
> permissions won't stop him anyhow.  It only protects against people
> who can't do any harm in the first place.

you're assuming outside attackers.

i'm simply trying to prevent users from screwing up the lan and network
and machines rendering it useless due to silly "admin mistakes" 
        - i dont like the 8am phone calls that foo server is dead
        or any of such phone calls ... "newbie admin mistakes" are 100%
        avoidable or more likely, "everybody" wants to make their stuff
        work and in the process break somebody else's stuff

- if a user knows how to gain root access ... fine ... there is a
  predefined process and procedure in place for that
        - namely, send email to the "admin held accountable" and all 
        the admin team that "foo server" was changed for this-n-that
        reason so that if something else breaks, we know what changed

        - no sense of documentation of changes implies they don't need
        root passwd or similar privileges

- it's a network and host security policy issue within the lan itself

- am not as worried about outside script kiddies 

- just my "sleep preservation" rules   .. and i get worse if i'm up
  24-48hrs due to somebody else's mistakes ... :-)

        -- "chmod -R 700 /home/*" as initially posted  is one of those
        that will have that dude fired   if they went around
        network security on a production network and made such ridiculous
        changes

        -- there are "play networks" that newbies can play with and learn 
        from .. but NOT on a production network
        - watching mistakes occur can be fun in a "safe environment"

c ya
alvin
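The quoted reply above makes the point that a 750 on /sbin buys nothing unless every user-writable filesystem is mounted noexec (and that this is not always possible on a box with developers). Here is an added audit script, not code from either poster, that checks exactly that: it reads a mount table in /proc/mounts format and reports which user-writable mount points are read-write but lack noexec (and, as a side check, nosuid and nodev). The mount table and the list of user-writable mount points below are constructed for the example and are assumptions; on a live host you would feed it `/proc/mounts` and your own list.

```shell
#!/bin/sh
# Added audit example (not from the original thread). Reports user-writable
# mounts that are rw but missing a given mount option such as noexec.
# Table format is that of /proc/mounts: "device mountpoint fstype options dump pass".

# Constructed sample mount table for the example; not taken from any real host.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /var/tmp ext4 rw,nodev 0 0'

# Mount points unprivileged users can normally write to (assumption: adjust
# per host, e.g. add developer scratch areas).
USER_WRITABLE='/home /tmp /var/tmp /dev/shm'

# mount_options TABLE MOUNTPOINT
# Print the comma-separated option field for MOUNTPOINT, or nothing if it
# is not a separate mount in TABLE.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_option OPTIONS NAME
# Exit 0 if NAME appears as a whole option in the comma-separated OPTIONS.
has_option() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# missing_option TABLE NAME
# Print, one per line, each user-writable mount point that is mounted
# read-write but lacks option NAME. A mount point that is not a separate
# filesystem is flagged too, since it then inherits the parent's (usually
# root's) options, which never include noexec.
missing_option() {
    table=$1
    name=$2
    for mp in $USER_WRITABLE; do
        opts=$(mount_options "$table" "$mp")
        if [ -z "$opts" ]; then
            printf '%s (not a separate filesystem)\n' "$mp"
            continue
        fi
        has_option "$opts" rw || continue        # read-only: nothing to run from there
        has_option "$opts" "$name" || printf '%s\n' "$mp"
    done
}

# Stand-alone run over the constructed table. On a live host, replace
# "$SAMPLE_MOUNTS" with "$(cat /proc/mounts)".
main() {
    for opt in noexec nosuid nodev; do
        printf 'user-writable mounts lacking %s:\n' "$opt"
        missing_option "$SAMPLE_MOUNTS" "$opt" | sed 's/^/  /'
    done
}
main
```

With the sample table this reports /tmp and /var/tmp as lacking noexec and /var/tmp as lacking nosuid; /home and /dev/shm pass. The script only reads the mount table, so it is safe to run from cron or a config-management check and diff against the expected output.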
