Subject: Re: NetBSD 1.5.2 default configuration
To: None <xs@kittenz.org>
From: Wojciech Bojdol <wojboj@htcon.pl>
List: tech-security
Date: 02/03/2002 14:32:20
On Sun, Feb 03, 2002 at 12:14:38PM +0000, xs@kittenz.org wrote:
> > But only administrator or operator should do that.
> > I think it's better to make special group for that and (as it would be run
> > manually) make one df without suid and another with suid.
> > The second one will have perms r-sr-x---, and will be in group operator.
>
> I would still like any user to be able to df a mounted filesystem,
> and your suggested permissions give df more privileges than it already has.
> It's not setuid root, only setgid operator.

Oh.
I see that writing before breakfast is not a good idea. :)
df without suid works well.

> Well, dump works (mostly) without any special privileges, so there
> isn't any real reason to restrict it to operator, imho.
> Plus restricting it to operator and keeping it setgid tty sounds like
> something that would make someone cry "give me ACLs!"

Have you got any users using dump?

> It would be nice to have a good security vs. usability balance in the default
> install.

... like in Linux? :)

> Couldn't mtree -U be used to do all of this? This would have the advantage
> of also spotting when permissions strayed away from the hardened defaults.
> And you could include checksums too..

I just started working on it a week ago,
and I'm now trying to run NetBSD on the IDE disk of our mac68k.
Using mtree is a good idea.

> Edit /etc/newsyslog.conf and remove the aculog entry

When we're talking about defaults - old wtmp files shouldn't be gzipped,
because last can't read them.
What do users have to find in /var/log/messages?

> chgrp users: /usr/bin/at /usr/bin/atq /usr/bin/atrm /usr/bin/batch
>              /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh /usr/bin/crontab
>              /usr/bin/lock /usr/bin/skeyinfo /usr/bin/skeyinit
>              /usr/bin/passwd

I think that making new groups for some of the binaries is a good idea.
For example we could make a group ,,jobs'' and chgrp jobs /usr/bin/at
/usr/bin/atq /usr/bin/atrm /usr/bin/batch /usr/bin/crontab,
so that only people in that group could use them.
Those files could keep their setuid bits, but then when there's a bug only people
from that group could use it.

> Edit /etc/mailer.conf to use postfix
> mkdir /var/spool/postfix/etc
> chmod 755 /var/spool/postfix/etc
> cd /etc ; cp localtime services resolv.conf /var/spool/postfix/etc
> chroot everything except pickup, qmgr and local in /etc/postfix/master.cf
> Add postfix=YES to /etc/rc.conf
> /etc/rc.d/postfix start

We should also make named not run as root by default.

> Run find / \( -perm -04000 -o -perm -02000 \) -exec ls -ld {} \; to see
> If I missed anything.
> Run find / -perm -00002 -exec ls -ld {} \; and remove as many
> world writable directories as is acceptable.

What about using ~/tmp ?
It's more secure.

> mount /, /var and /tmp (if it's on a separate filesystem to /)
> with options nosuid and nocoredump

and /home with noexec? :)

-- 
Wojciech Bojdoł
High-Tech Consulting
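A shell sketch of the group-restriction idea from the message above, combined with the setuid audit from the quoted find commands; this is an added example, not code from the original thread or from NetBSD. The ,,jobs'' group is a parameter (the demo passes the caller's own primary group, since creating a group needs root), and the binaries are constructed empty stand-ins in a temporary directory, not the real /usr/bin programs.

```shell
#!/bin/sh
# Added example, not code from the original message: restrict a set of
# setuid binaries to one group (mode 4750: setuid kept, no world execute)
# and list whatever setuid/setgid files are still executable by everyone.

# restrict_to_group GROUP FILE...
# Give each FILE to GROUP and set mode 4750: owner rwx + setuid, group r-x,
# others nothing.  Only GROUP members can run the program afterwards.
restrict_to_group() {
    grp=$1
    shift
    for f in "$@"; do
        chgrp "$grp" "$f" || return 1
        chmod 4750 "$f" || return 1
    done
}

# list_world_exec_setid DIR
# Print setuid or setgid regular files under DIR that any user may execute
# (world x bit set); these are the candidates for a restricted group.
list_world_exec_setid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -perm -00001
}

# count_world_exec_setid DIR : the same check as a plain number
# (tr strips the leading blanks BSD wc prints).
count_world_exec_setid() {
    list_world_exec_setid "$1" | wc -l | tr -d ' '
}

# Demo on constructed stand-ins (empty files, not the real /usr/bin programs).
# The caller's primary group stands in for the proposed ,,jobs'' group.
demo_dir=$(mktemp -d)
for name in at atq atrm batch crontab chfn; do
    : > "$demo_dir/$name"
done
chmod 4755 "$demo_dir"/*          # typical default: setuid, world executable
echo "before: $(count_world_exec_setid "$demo_dir") world-executable setuid files"
restrict_to_group "$(id -gn)" "$demo_dir"/at "$demo_dir"/atq "$demo_dir"/atrm \
    "$demo_dir"/batch "$demo_dir"/crontab
echo "after:  $(count_world_exec_setid "$demo_dir") left:"
list_world_exec_setid "$demo_dir"         # only the chfn stand-in remains
rm -rf "$demo_dir"
```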