
tiger reports



Is anyone else using the 'tiger' security-checking tool? Mine is giving
me some reports that I'm not sure how to deal with. Here they are:

  # Performing check of system file permissions...
  --FAIL-- [perm007f] /etc/aliases should not have group read.
  --WARN-- [perm003w] /etc/fstab should not have group read.
  --WARN-- [perm003w] /etc/fstab should not have world read.
  --WARN-- [perm012w] /etc/inetd.conf should not have group read.
  --WARN-- [perm012w] /etc/inetd.conf should not have world read.
  --WARN-- [perm017w] /var/run/utmp should not have group write.

When I first got this, I tried removing group/world read from
/etc/aliases, but then my email delivery completely failed. /etc/aliases
is owned by root.root, but exim, I believe, runs as the user "mail". So
one thought is that I could chown /etc/aliases to mail.mail with
permission 600. But will that cause other problems?

If /etc/fstab is not world-readable, will users still be able to mount
things? Without having to supply all the details of what to mount where,
using what filesystem?

  # Performing signature check of system binaries...
  --ERROR-- [init001e] Don't have required command SNEFRU.

WTF is "snefru", and where can I get it? There's no Debian package by
that name.

  # Performing check of anonymous FTP...
  --WARN-- [ftp006w] Anonymous FTP enabled, but directory does not exist.

How can anonymous FTP be enabled when I have no FTP server installed?

  # Performing check of passwd files...
  --WARN-- [pass002w] UID 0 exists multiple times in /etc/passwd.

This is true; there are "root" and "sashroot", both with UID 0. Is this a
problem?

The last complaint from tiger, which I will not quote here, is that it
thinks nearly every account in /etc/passwd is "disabled, but still has a
valid shell". This is just plain wrong, since if it were true that my
personal account was disabled, I wouldn't be using it right now. But
that aside, what should be the shell for a disabled account? /bin/false?
And what kinds of accounts should be disabled? Is the point of having a
disabled account that although you can't log in to that account, daemons
can still start as root and then switch to a disabled account? In which
case, does the shell entry in /etc/passwd matter?

Craig
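Two of the findings above (the pass002w duplicate-UID-0 warning and the "disabled, but still has a valid shell" complaint) can be reproduced by reading /etc/passwd and /etc/shadow directly, and the perm00x findings by comparing a file's mode bits against the mode you intend. The script below is an added example written for this reply, not tiger's own code and not Craig's system: the passwd/shadow lines are constructed samples (the hashes are placeholders), the notion of "disabled" used here is my own approximation (password field in /etc/shadow is `*` or starts with `!`), and the function names are mine. It also generalises the permission check to any file and any intended mode, so you can run it against the paths tiger named once you have decided what mode each file should have.

```python
import os
import stat
import tempfile

# Constructed sample of /etc/passwd, modelled on the situation in the post:
# two UID-0 accounts (root and sashroot), some system accounts, one user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sashroot:x:0:0:root:/root:/bin/sash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
craig:x:1000:1000:Craig:/home/craig:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""

# Constructed sample of /etc/shadow. "$6$placeholder" stands in for a real
# hash; "*" and "!" are the conventional locked / no-password markers.
SAMPLE_SHADOW = """\
root:$6$placeholder:12345:0:99999:7:::
sashroot:$6$placeholder:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
mail:*:12345:0:99999:7:::
craig:$6$placeholder:12345:0:99999:7:::
nobody:!:12345:0:99999:7:::
"""

# Shells that cannot be used for an interactive login (assumed list).
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_colon_file(text):
    """Split a passwd/shadow-style file into lists of fields, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(line.split(":"))
    return rows


def uid0_accounts(passwd_text):
    """Names of every account with UID 0; more than one is what pass002w reports."""
    return [row[0] for row in parse_colon_file(passwd_text) if row[2] == "0"]


def is_locked(shadow_password):
    """Approximation of 'disabled': no usable password hash in /etc/shadow."""
    return shadow_password == "*" or shadow_password.startswith("!")


def disabled_with_valid_shell(passwd_text, shadow_text):
    """(name, shell) for accounts that cannot log in by password yet keep a real shell.

    A daemon switching to such an account with setuid() does not consult the
    shell field, so these findings are about interactive access (su, ssh keys,
    cron), not about whether the daemon can run.
    """
    locked = {row[0]: is_locked(row[1]) for row in parse_colon_file(shadow_text)}
    findings = []
    for row in parse_colon_file(passwd_text):
        name, shell = row[0], row[6]
        if locked.get(name, False) and shell not in NOLOGIN_SHELLS:
            findings.append((name, shell))
    return findings


def excess_mode_bits(path, intended_mode):
    """Permission bits set on path beyond intended_mode (0 when the file is at least as tight).

    This is the shape of tiger's perm00x checks: intended_mode=0o600 flags
    group/world read the way perm007f does for /etc/aliases.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & ~intended_mode


def describe_excess(bits):
    """Turn excess bits into tiger-style wording, e.g. ['group read', 'world read']."""
    names = []
    for who, shift in (("group", 3), ("world", 0)):
        for label, bit in (("read", 4), ("write", 2), ("execute", 1)):
            if bits & (bit << shift):
                names.append(f"{who} {label}")
    return names


def demo_permission_check():
    """Create a constructed 0644 file standing in for /etc/aliases and check it against 0600."""
    with tempfile.NamedTemporaryFile(delete=False) as handle:
        path = handle.name
    try:
        os.chmod(path, 0o644)
        return describe_excess(excess_mode_bits(path, 0o600))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("Disabled but with a login shell:",
          disabled_with_valid_shell(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print("Excess bits on a 0644 file checked against 0600:", demo_permission_check())
```

To run it against a live system, pass the contents of /etc/passwd and /etc/shadow (reading the latter needs root) to the two functions, and call `excess_mode_bits` with the mode you have decided a file should have; the answer to "is a second UID 0 a problem" then becomes a policy question (is that account meant to exist, and is its password as well protected as root's) rather than a parsing one.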