Subject: Re: NetBSD 1.5.2 default configuration
To: Wojciech Bojdol <wojboj@htcon.pl>
From: None <xs@kittenz.org>
List: tech-security
Date: 02/03/2002 14:14:00
On Sun, Feb 03, 2002 at 02:32:20PM +0100, Wojciech Bojdol wrote:
> Have you got any users using dump ?

nope! But dump works without setgid tty, and so could easily be installed
by any one of them if they wanted it. Why waste space by making them do that?

> > It would be nice to have a good security vs. usability balance in the
> > default install.
> 
> ... like in linux ? :)

The list I have for making Linux satisfactory is longer than the one for
NetBSD, and includes the mess of trying to locate current patches and
tarballs (e.g., FreeS/WAN).

> > Edit /etc/newsyslog.conf and remove the aculog entry
> 
> When we're talking about defaults - old wtmp files shouldn't be gzipped,
> because last can't read them.
> What users have to find in /var/log/messages ?

wtmp files can get *huge* quickly, and compress quite well. Also, they probably
only get viewed rarely once they are archived. Better to save space
than save a few key presses on a rare occasion.

> > chgrp users: /usr/bin/at /usr/bin/atq /usr/bin/atrm /usr/bin/batch
...
> 
> I think that making new groups for some of the binaries is a good idea.
> For example we could make a group ,,jobs'' and chgrp jobs /usr/bin/at
> /usr/bin/atq /usr/bin/atrm /usr/bin/batch /usr/bin/crontab,
> so that only people in that group could use them.
> Those files could have setuid bits, but then when there's a bug only people
> from that group could use it.

The idea behind chgrp'ing to users is that daemons (eg, httpd) and so on
are not a member of the users group, and so shouldn't be able to
set a password on their account, play with at/crontab, etc.

This is a very site-specific setting. E.g.: it breaks on a system
where passwd is used via a web interface or where pppd runs at.
This is a kludge I use on a gateway to get around a 2-hourly ISP disconnect
that gives me no notification. (It just stops routing packets.)

> We should also make named not running as root by default.

and chrooted, agreed. I think it does in -current. An MTA is pretty
much required by the default crontab, which is why I include switching
to postfix.
It should (I think) also be possible to chroot apache and still allow perl/php
to work (using nullfs/umapfs).

> > Run find / \( -perm -04000 -o -perm -02000 \) -exec ls -ld {} \; to see
> > if I missed anything.
> > Run find / -perm -00002 -exec ls -ld {} \; and remove as many
> > world writable directories as is acceptable.
> 
> What about using ~/tmp ?
> It's more secure.

Not everything will listen to $TMPDIR.
Symlinking ~user/tmp to /tmp/users/user, where /tmp/users is recreated
each boot, might be worth doing in some cases. (I do something similar with mfs.)

> > mount /, /var and /tmp (if it's on a separate filesystem to /)
> > with options nosuid and nocoredump
> 
> and /home with noexec ? :)

IMHO, that's a tiny bit too far. I like filling ~/bin and developing
software under ~. /home could be nosuid and /tmp could be noexec.
I think a noexec /tmp might break something though.
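The setuid/world-writable audit and the nosuid mount check discussed in this thread, written up as POSIX sh functions. This is an added example, not code from the thread or from NetBSD; the function names, the sample directory tree and the sample fstab are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): POSIX sh helpers for the audit
# steps discussed above. Function names and the sample tree/fstab are
# constructed for illustration, not taken from any NetBSD install.

# The thread's "find / \( -perm -04000 -o -perm -02000 \)" check, as a
# function so it can be pointed at any root (a chroot, a mounted image).
list_setid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -exec ls -ld {} \;
}

# World-writable directories that also lack the sticky bit: the ones
# worth removing; a sticky 1777 /tmp is left out of the report.
list_world_writable_dirs() {
    find "$1" -type d -perm -00002 ! -perm -01000
}

count_setid()   { list_setid "$1" | wc -l | tr -d ' '; }
count_ww_dirs() { list_world_writable_dirs "$1" | wc -l | tr -d ' '; }

# fstab-format lines on stdin; prints each requested mount point whose
# option field does not contain nosuid (the "mount ... with nosuid" item).
missing_nosuid() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        /^[[:space:]]*#/ || NF < 4 { next }
        ($2 in need) && $4 !~ /(^|,)nosuid(,|$)/ { print $2 }'
}

# Constructed sample tree so the functions run offline against known input.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmp" "$d/var/spool/loose"
    chmod 0755 "$d/usr" "$d/usr/bin" "$d/var" "$d/var/spool"
    : > "$d/usr/bin/passwd"; chmod 4555 "$d/usr/bin/passwd"   # setuid
    : > "$d/usr/bin/at";     chmod 2555 "$d/usr/bin/at"       # setgid
    : > "$d/usr/bin/ls";     chmod 0555 "$d/usr/bin/ls"       # neither
    chmod 1777 "$d/tmp"                                        # sticky: fine
    chmod 0777 "$d/var/spool/loose"                            # reported
    printf '%s\n' "$d"
}

# Constructed fstab, not a real system's.
SAMPLE_FSTAB='/dev/wd0a / ffs rw 1 1
/dev/wd0e /var ffs rw,nosuid,nocoredump 1 2
/dev/wd0f /tmp ffs rw 1 2
/dev/wd0g /home ffs rw,nosuid 1 2'
```

Run `list_setid /` and `list_world_writable_dirs /` on a real host, and `missing_nosuid "/ /var /tmp /home" < /etc/fstab` to see which filesystems still lack nosuid.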