Re: Tiger warnings - reaction advice requested
On Tue, 20 Aug 2002, Johannes Graumann wrote:
> Hello,
>
> Tiger ran for the first time last night on my newly installed DEBox.
> Among other messages I got the following statements:
> # Checking accounts from /etc/passwd.
> --WARN-- [acc001w] Login ID nobody is disabled, but still has a valid
> shell (/bin/sh).
> --WARN-- [acc006w] Login ID mail's home directory (/var/mail) has group
> `mail' write access.
> --WARN-- [acc006w] Login ID nobody's home directory (/home) has group
> `staff' write access.
>
> I'm new to the business of system administration and not quite sure on
> how to react to this. A 'chmod'-variety for the first and last? Also: what
> is this 'nobody' user? Program/daemon specific? Can I, should I get rid of
> it?
Nobody is necessary, AFAIK. I know that Apache as compiled from source
with defaults runs as nobody. As far as its shell, you should be able to
change it to /bin/false with no ill effects.
/var/mail needs to have group mail write access. /home can be changed,
unless you want to permit normal users in the "staff" group to manage user
home directories, instead of just root.
>
> Tiger also complained that
> /sbin/bastille-firewall-reset
> /sbin/bastille-firewall-schedule
> /sbin/bastille-ipchains
> /sbin/bastille-netfilter
> are not supposed to be present - but after 'bastille' setup they are
> supposed to be here. How do I teach this to tiger? I suppose it is doable
> with those 'templates'? Have found no documentation on what that is/how
> it works/how to set it up and would greatly appreciate any hint concerning
> this.
Sorry, I'm not a Tiger user myself...
>
> Thank you, Johannes
>
>
>
--
Scotty: Captain, we din' can reference it!
Kirk: Analysis, Mr. Spock?
Spock: Captain, it doesn't appear in the symbol table.
Kirk: Then it's of external origin?
Spock: Affirmative.
Kirk: Mr. Sulu, go to pass two.
Sulu: Aye aye, sir, going to pass two.
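
The two account checks discussed in this thread, sketched in Python as an added example (not part of the original messages and not Tiger's own code). The passwd/shadow lines, the shell list, the directory modes and the allow-list for /var/mail are constructed assumptions; the acc001w/acc006w labels are reused from the warnings quoted above.

```python
import os, stat, tempfile

# Constructed sample data modelled on the accounts in the thread (not real files).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/mail:/bin/false
nobody:x:65534:65534:nobody:/home:/bin/sh
"""
SHADOW = """\
root:$1$constructed$notarealhash:11900:0:99999:7:::
mail:*:11900:0:99999:7:::
nobody:*:11900:0:99999:7:::
"""
LOGIN_SHELLS = {"/bin/sh", "/bin/bash"}  # assumption: stand-in for /etc/shells
GROUP_WRITE_OK = {"/var/mail"}           # per the reply: group mail must write here

def disabled_logins(shadow_text):
    """Names whose password field starts with '*' or '!', so no password matches."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    return {r[0] for r in rows if len(r) > 1 and r[1][:1] in ("*", "!")}

def audit(passwd_text, shadow_text, root=""):
    """Return (code, login, detail) findings; `root` prefixes home paths for testing."""
    disabled, findings = disabled_logins(shadow_text), []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue  # skip malformed entries
        name, home, shell = f[0], f[5], f[6]
        if name in disabled and shell in LOGIN_SHELLS:
            findings.append(("acc001w", name, shell))
        try:
            mode = os.stat(root + home).st_mode
        except OSError:
            continue  # home directory missing: nothing to check
        if mode & stat.S_IWGRP and home not in GROUP_WRITE_OK:
            findings.append(("acc006w", name, home))
    return findings

def demo_tree():
    """Throwaway tree: group-writable /var/mail and /home (exact modes are assumed)."""
    root = tempfile.mkdtemp()
    for path, mode in (("/root", 0o700), ("/var/mail", 0o775), ("/home", 0o775)):
        os.makedirs(root + path)
        os.chmod(root + path, mode)
    return root

if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW, demo_tree()):
        print(finding)
```

With nobody's shell set to /bin/false and group write removed from /home, the same audit returns no findings, while /var/mail stays group-writable.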