Re: rwxr-xr-x /root
How about something akin to the FreeBSD new "securelevel"? Basically a
one time setup metric of how secure the sysop wants to be. 0 allows
rhosts and XDMCP, while high (5? 10?) closes all outside ports by default,
sets passwords on everything that it's possible to set a password on,
makes nothing SUID, and sets a paranoid umask like 700. This will solve
the "why isn't $favorite_paranoid_security_setting enabled by
default?" stuff that's been floating around as of late (the umask thread,
the MBR/lilo thread here and on bugtraq...), or at least puts the onus
back on the individual sysop--"well it's in securelevel foo: if you're
THAT paranoid, why aren't you using it?"
On Mon, 13 Nov 2000, Bill Jennings wrote:
> It seems to me that there should be a "global" decision made
> when the system is installed between:
>
> 1. This computer should be more OPEN than SECURE.
> 2. This computer should be more SECURE than OPEN.
>
> Subsequently installed/configured security-conscious
> packages can be guided by this "global" setting.
>
> My $.02
>
> Bill Jennings
> Oronet
>
>
> On Mon, Nov 13, 2000 at 09:11:35AM -0500, H. S. Teoh wrote:
>
> > On Mon, Nov 13, 2000 at 03:01:09PM +0100, Miros/law `Jubal' Baran wrote:
> > > On 13.11.2000, Roland Bauerschmidt (rb@debian.org) wrote:
> > >
> > > > Ok, I'll leave it at 755. If somebody wants something different, he can
> > > > always change it.
> > >
> > > Maybe it should ask the administrator, when installed first time? (with
> > > default set to 755)?
> > [snip]
> >
> > Yes! Good idea! When you can't decide on something, ask. That's the best
> > approach, IMHO. :-)
>
>
>
--
There is an old saying that if a million monkeys typed on a million
keyboards for a million years, eventually all the works of Shakespeare
would be produced. Now, thanks to Usenet, we know this is not true.
Who is John Galt? galt@inconnu.isu.edu, that's who!