Re: Newbie administrator - chmod
On Thu, 27 Feb 2003, Dave Sherohman wrote:
> On Wed, Feb 26, 2003 at 05:42:43PM -0800, Alvin Oga wrote:
> > and if I was admining your box... I'd "chmod 750 /sbin /usr/sbin"
> > and hide/remove root passwds so that I can sleep late or won't be
> > paged because something broke
>
> ...which, even if it doesn't break things (like another poster's
> mention of pon/pppd), doesn't seem like it would do any good. Even
> ignoring the possibility of users building/copying their own version
> of the binaries in (/usr)?/sbin (since this can be prevented by
> having all user-writable filesystems mounted noexec - although this
> isn't an option if you have developers on the box), there's still the
> little detail that, in order to get them to do anything harmful, you
> need root privileges. And once an attacker is root, the 750
> permissions won't stop him anyhow. It only protects against people
> who can't do any harm in the first place.
You're assuming outside attackers.
I'm simply trying to prevent users from screwing up the lan and network
and machines, rendering it useless due to silly "admin mistakes"
- I don't like the 8am phone calls that foo server is dead
or any of such phone calls ... "newbie admin mistakes" are 100%
avoidable, or more likely, "everybody" wants to make their stuff
work and in the process breaks somebody else's stuff
- if a user knows how to gain root access ... fine ... there is a
predefined process and procedure in place for that
- namely, send email to the "admin held accountable" and all
the admin team that "foo server" was changed for this-n-that
reason so that if something else breaks, we know what changed
- no sense of documentation of changes implies they don't need
root passwd or similar privileges
- its a network and host security policy issue within the lan itself
- I am not as worried about outside script kiddies
- just my "sleep preservation" rules .. and I get worse if I'm up
24-48hrs due to somebody else's mistakes ... :-)
-- "chmod -R 700 /home/*" as initially posted is one of those
that will have that dude fired if they went around
network security on a production network and made such ridiculous
changes
-- there are "play networks" that newbies can play with and learn
from .. but NOT on a production network
- watching mistakes occur can be fun in a "safe environment"
c ya
alvin
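The quoted reply argues that 750 on /sbin buys nothing unless user-writable filesystems are also mounted noexec, since a user can otherwise just copy or build the same binaries into their home directory. Below is an added example (not from this thread or its authors) that audits mount lines in /proc/mounts format and flags the user-writable mountpoints that lack noexec. The list of mountpoints in USER_WRITABLE is an assumption to adjust per host, and the sample mount table is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original thread: find user-writable
# filesystems that are not mounted noexec.
# Input lines use /proc/mounts format: "<dev> <mountpoint> <fstype> <opts> 0 0".
# USER_WRITABLE is a hypothetical list of mountpoints ordinary users can
# write to; adjust it for the hosts you actually administer.

USER_WRITABLE="/home /tmp /var/tmp /dev/shm"

# missing_noexec: read mount lines on stdin and print each mountpoint that
# is in USER_WRITABLE but whose option list does not contain "noexec".
missing_noexec() {
    while read -r dev mnt fstype opts rest; do
        # skip blank lines and comments (handy if you feed it an fstab)
        case "$dev" in ''|'#'*) continue ;; esac
        for w in $USER_WRITABLE; do
            [ "$mnt" = "$w" ] || continue
            # wrap in commas so "noexec" must match a whole option
            case ",$opts," in
                *,noexec,*) ;;                 # noexec present: fine
                *) printf '%s\n' "$mnt" ;;     # flag it
            esac
        done
    done
}

# Constructed sample mount table (not a real host): /home and /dev/shm
# lack noexec, /tmp has it, / is not user-writable and is ignored.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid 0 0'

# On a live box run: missing_noexec < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | missing_noexec
```

Treat a clean result as a speed bump rather than a boundary: noexec only governs the exec path, and the quoted reply's point stands that someone who already has root, or who can get the kernel to map a file some other way, is not stopped by directory permissions on /sbin at all. The check is mainly useful for catching the "developers need to build here" exception the reply mentions before it quietly becomes the default.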