Re: tiger reports
On Fri, Sep 21, 2001 at 10:05:20AM -0700, Craig Dickson wrote:
> If /etc/fstab is not world-readable, will users still be able to mount
> things? Without having to supply all the details of what to mount where,
> using what filesystem?
Users can't mount things by supplying all details of from where/to
where/fs type. They can still mount/unmount with /etc/fstab mode
600, since mount is suid root, but they can't look in fstab for a
list of what's mountable.
> # Performing check of anonymous FTP...
> --WARN-- [ftp006w] Anonymous FTP enabled, but directory does not exist.
>
> How can anonymous FTP be enabled when I have no FTP server installed?
Is a config file present in /etc?
> # Performing check of passwd files...
> --WARN-- [pass002w] UID 0 exists multiple times in /etc/passwd.
>
> This is true; there is "root" and "sashroot", but with UID 0. Is this a
> problem?
It can potentially make superuser access easier to crack unless both
accounts have strong passwords. More generally, I suspect that this
is flagged because it could indicate that your system has been
compromised and an illicit superuser has been created.
> The last complaint from tiger, which I will not quote here, is that it
> thinks nearly every account in /etc/passwd is "disabled, but still has a
> valid shell". This is just plain wrong, since if it were true that my
> personal account was disabled, I wouldn't be using it right now.
Sounds like tiger doesn't know about shadow passwords. I would have
little trust for a security audit performed by anyone who doesn't
understand that, on a system using shadow, all accounts in
/etc/passwd look like they would if disabled on a non-shadow
system...
> that aside, what should be the shell for a disabled account? /bin/false?
That's probably the most common choice.
--
When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius
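Working through the two passwd checks discussed in the thread above (pass002w and the "disabled, but still has a valid shell" warning), as an added example that is not part of this message and not tiger's own code: a small Python script that parses constructed /etc/passwd and /etc/shadow text, lists every UID 0 account, and then runs the disabled-account check two ways. The naive way looks only at /etc/passwd, so on a shadow system every "x" placeholder looks like a disabled account and nearly every entry with a real shell is flagged, which is the false positive described above. The shadow-aware way resolves "x" through /etc/shadow first. The account names and hash strings are constructed for illustration, and the lock rule (hash field beginning with "!" or "*") and the list of non-login shells are assumptions rather than tiger's exact logic.

```python
"""Shadow-aware versions of two tiger passwd checks (added example, not tiger code)."""

# Constructed sample files; hashes are placeholders, not real crypt(3) output.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sashroot:x:0:0:sash root:/root:/bin/sash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
craig:x:1000:1000:Craig:/home/craig:/bin/bash
olduser:x:1001:1001:Old account:/home/olduser:/bin/bash
svc:x:1002:1002:Service:/var/lib/svc:/bin/false
"""

SHADOW = """\
root:$1$constructed$hash1:11000:0:99999:7:::
sashroot:$1$constructed$hash2:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
bin:*:11000:0:99999:7:::
nobody:*:11000:0:99999:7:::
craig:$1$constructed$hash3:11000:0:99999:7:::
olduser:!$1$constructed$hash4:11000:0:99999:7:::
svc:!:11000:0:99999:7:::
"""

# Shells that cannot be used for an interactive login (assumed list).
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}


def parse_colon_file(text):
    """Split passwd/shadow-style text into a list of field lists, in file order."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def uid0_accounts(passwd_text):
    """Names of every account with UID 0 (what tiger's pass002w complains about)."""
    return [f[0] for f in parse_colon_file(passwd_text) if len(f) > 2 and f[2] == "0"]


def is_locked(hash_field):
    """A hash field starting with '!' or '*' can never match a typed password,
    so the account is locked.  (Assumed rule; 'x' is NOT a lock, it is a
    pointer to /etc/shadow.)"""
    return hash_field.startswith(("!", "*"))


def naive_disabled_with_shell(passwd_text):
    """Pre-shadow logic: treat anything in passwd's hash field that is not a
    real hash, including the 'x' placeholder, as a disabled account."""
    flagged = []
    for f in parse_colon_file(passwd_text):
        if (f[1] == "x" or is_locked(f[1])) and f[6] not in NOLOGIN_SHELLS:
            flagged.append(f[0])
    return flagged


def disabled_with_shell(passwd_text, shadow_text):
    """Shadow-aware logic: resolve 'x' through /etc/shadow, then flag accounts
    that are locked yet still carry a shell that permits login."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) > 1}
    flagged = []
    for f in parse_colon_file(passwd_text):
        hash_field = f[1]
        if hash_field == "x":
            # No shadow entry means no password can ever match: treat as locked.
            hash_field = shadow.get(f[0], "!")
        if is_locked(hash_field) and f[6] not in NOLOGIN_SHELLS:
            flagged.append(f[0])
    return flagged


if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(PASSWD))
    print("naive (passwd only):", naive_disabled_with_shell(PASSWD))
    print("shadow-aware:", disabled_with_shell(PASSWD, SHADOW))
```

Run against the constructed data, the UID 0 check reports both root and sashroot, the naive check flags seven accounts including the live "craig" login, and the shadow-aware check narrows that to the accounts whose shadow entry is actually locked (the system accounts with /bin/sh plus olduser) while leaving svc alone because its shell is already /bin/false.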