
Re: Newbie administrator - chmod




On Thu, 27 Feb 2003, Dave Sherohman wrote:

> On Wed, Feb 26, 2003 at 05:42:43PM -0800, Alvin Oga wrote:
> > and if i was admining your box... i'd "chmod 750 /sbin /usr/sbin"
> > and hide/remove root passwds so that i can sleep late or won't be
> > paged because something broke
> 
> ...which, even if it doesn't break things (like another poster's
> mention of pon/pppd), doesn't seem like it would do any good.  Even
> ignoring the possibility of users building/copying their own version
> of the binaries in (/usr)?/sbin (since this can be prevented by
> having all user-writable filesystems mounted noexec - although this
> isn't an option if you have developers on the box), there's still the
> little detail that, in order to get them to do anything harmful, you
> need root privileges.  And once an attacker is root, the 750
> permissions won't stop him anyhow.  It only protects against people
> who can't do any harm in the first place.

you're assuming outside attackers.

i'm simply trying to prevent users from screwing up the lan and network
and machines, rendering it useless due to silly "admin mistakes"
	- i don't like the 8am phone calls that foo server is dead
	or any of such phone calls ... "newbie admin mistakes" are 100%
	avoidable or, more likely, "everybody" wants to make their stuff
	work and in the process break somebody else's stuff

- if a user knows how to gain root access ... fine ... there is a
  predefined process and procedure in place for that
	- namely, send email to the "admin held accountable" and all
	the admin team that "foo server" was changed for this-n-that
	reason so that if something else breaks, we know what changed

	- no sense of documentation of changes implies they don't need
	root passwd or similar privileges

- it's a network and host security policy issue within the lan itself

- am not as worried about outside script kiddies 

- just my "sleep preservation" rules .. and i get worse if i'm up
  24-48hrs due to somebody else's mistakes ... :-)

	-- "chmod -R 700 /home/*" as initially posted is one of those
	that will have that dude fired if they went around
	network security on a production network and made such ridiculous
	changes

	-- there are "play networks" that newbies can play with and learn 
	from .. but NOT on a production network
	- watching mistakes occur can be fun in a "safe environment"

c ya
alvin
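The quoted reply notes that locking down /sbin does little unless user-writable filesystems are mounted noexec, since users can otherwise copy or build their own binaries. As an added example, not from the thread or from either poster, here is a small POSIX sh audit that reads /proc/mounts-format lines and reports user-writable mount points lacking noexec; the sample mount table and the USER_WRITABLE list are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report user-writable filesystems
# that are mounted without the noexec option mentioned in the quoted reply.

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda5 /home ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda6 /tmp ext3 rw,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs rw,nosuid 0 0'

# Mount points ordinary users can write to (assumption; adjust per host).
USER_WRITABLE="/home /tmp /var/tmp"

# Read mount-table lines on stdin; print each user-writable mount point
# whose option list does not contain noexec, one per line.
missing_noexec() {
    while read -r dev mnt fstype opts rest; do
        for want in $USER_WRITABLE; do
            [ "$mnt" = "$want" ] || continue
            case ",$opts," in
                *,noexec,*) ;;          # already restricted, nothing to report
                *) echo "$mnt" ;;
            esac
        done
    done
}

# Audit the embedded sample; return 1 when any user-writable mount lacks noexec.
audit_sample() {
    missing="$(printf '%s\n' "$SAMPLE_MOUNTS" | missing_noexec)"
    if [ -n "$missing" ]; then
        echo "user-writable mounts without noexec:"
        echo "$missing"
        return 1
    fi
    echo "all user-writable mounts carry noexec"
    return 0
}

# To audit the live host instead of the sample:  missing_noexec < /proc/mounts
```

Run against the sample it lists /tmp and /var/tmp; against a live host the same function reads /proc/mounts directly.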