tiger reports
Is anyone else using the 'tiger' security-checking tool? Mine is giving
me some reports that I'm not sure how to deal with. Here they are:

# Performing check of system file permissions...
--FAIL-- [perm007f] /etc/aliases should not have group read.
--WARN-- [perm003w] /etc/fstab should not have group read.
--WARN-- [perm003w] /etc/fstab should not have world read.
--WARN-- [perm012w] /etc/inetd.conf should not have group read.
--WARN-- [perm012w] /etc/inetd.conf should not have world read.
--WARN-- [perm017w] /var/run/utmp should not have group write.

When I first got this, I tried removing group/world read from
/etc/aliases, but then my email delivery completely failed. /etc/aliases
is owned by root.root, but exim, I believe, runs as the user "mail". So
one thought is that I could chown /etc/aliases to mail.mail with
permission 600. But will that cause other problems?
If /etc/fstab is not world-readable, will users still be able to mount
things? Without having to supply all the details of what to mount where,
using what filesystem?

# Performing signature check of system binaries...
--ERROR-- [init001e] Don't have required command SNEFRU.

WTF is "snefru", and where can I get it? There's no Debian package by
that name.

# Performing check of anonymous FTP...
--WARN-- [ftp006w] Anonymous FTP enabled, but directory does not exist.

How can anonymous FTP be enabled when I have no FTP server installed?

# Performing check of passwd files...
--WARN-- [pass002w] UID 0 exists multiple times in /etc/passwd.

This is true; there is "root" and "sashroot", both with UID 0. Is this a
problem?
The last complaint from tiger, which I will not quote here, is that it
thinks nearly every account in /etc/passwd is "disabled, but still has a
valid shell". This is just plain wrong, since if it were true that my
personal account was disabled, I wouldn't be using it right now. But
that aside, what should be the shell for a disabled account? /bin/false?
And what kinds of accounts should be disabled? Is the point of having a
disabled account that although you can't log in to that account, daemons
can still start as root and then switch to a disabled account? In which
case, does the shell entry in /etc/passwd matter?
Craig
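
Added example, not part of the original post and not tiger's own code: a Python sketch that re-derives the permission and duplicate-UID findings quoted in the report so each can be confirmed by hand. The POLICY table is copied from the report lines; the function names and the sample passwd text are constructed for illustration.

```python
import os
import stat

# Bits each report line objects to (copied from the tiger output above).
POLICY = {
    "/etc/aliases": stat.S_IRGRP,
    "/etc/fstab": stat.S_IRGRP | stat.S_IROTH,
    "/etc/inetd.conf": stat.S_IRGRP | stat.S_IROTH,
    "/var/run/utmp": stat.S_IWGRP,
}
LABELS = [(stat.S_IRGRP, "group read"), (stat.S_IWGRP, "group write"),
          (stat.S_IROTH, "world read"), (stat.S_IWOTH, "world write")]

# Constructed passwd(5) sample, not the poster's real file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sashroot:x:0:0:root:/root:/bin/sash
mail:x:8:8:mail:/var/mail:/bin/sh
craig:x:1000:1000:Craig:/home/craig:/bin/bash
"""

def excess_bits(mode, forbidden):
    """Return the names of forbidden permission bits that are set in mode."""
    return [name for bit, name in LABELS if mode & forbidden & bit]

def shared_uids(passwd_text):
    """Map every UID used by more than one account to those account names."""
    by_uid = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # comment, blank or malformed entry
        by_uid.setdefault(int(fields[2]), []).append(fields[0])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

if __name__ == "__main__":
    for path, forbidden in POLICY.items():
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError:
            continue  # file not present on this system
        for name in excess_bits(mode, forbidden):
            print(f"{path} (mode {mode:o}) has {name}")
    with open("/etc/passwd") as fh:
        for uid, names in shared_uids(fh.read()).items():
            print(f"UID {uid} shared by: {', '.join(names)}")
```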