Hi,

On Thu, Mar 28, 2024 at 12:22:57PM -0400, Lee wrote:
> For heavens sake, the man page says
>
> Traditionally, write access is allowed by default. However, as users
> become more conscious of various security risks, there is a trend to
> remove write access by default, at least for the primary login shell.
> To make sure your ttys are set the way you want them to be set, mesg
> should be executed in your login scripts.
>
> Clearly at least the man page writer realized there was a threat there
> _and chose not to remove the threat_ !?

For context, that was likely written by someone a decade or more ago,
someone who did not have responsibility for any other part of Linux.
Since that time even the parts that were in charge of setting terminal
permissions might have changed implementation and maintainers several
times. It's not that they chose not to keep the rest of the system
consistent with their opinion, it's more likely that they could not.

Documentation and integration are perpetually out of date in Linux. Also
no one can agree on which documentation is canonical, and very few
people read any of it. I'm just as guilty as anyone: having no use for
"wall" or "mesg" for decades, I hadn't read its man page and didn't
notice that terminals were group-writeable.

> Is there really nothing better than sudo find / <something to show
> files with uid or gid perms> and try to figure out which of those
> program are not necessary?

I don't think there is, no. After finding each of those things you would
need to do some research on each one. Those that are particularly
worrisome probably already do have some notes somewhere.

> $ sudo crontab -l
> ...
> 47 4 * * * (apt update >> apt-update.log 2>/dev/null) && \
> (apt list --upgradable 2>/dev/null |\
> egrep -v '^Listing' >| /etc/motd)

You may like to look into "apticron-systemd" for a systemd timer that
does the above. (drop the "-systemd" if you prefer a cron job
equivalent)

apticron is mentioned in the Debian Administrator's Handbook which is
worth a read even though it only covers up to Debian 11.

https://www.debian.org/doc/manuals/debian-handbook/sect.regular-upgrades.en.html

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
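
The "find them, then research each one" step discussed in the message above, as an added example that is not part of the original thread: it lists setuid/setgid files and names the Debian package that owns each, so the research can start from the package. The function names are hypothetical; it assumes GNU or BusyBox `stat -c` and uses `dpkg-query -S` when present.

```shell
#!/bin/sh
# Added example (not from the thread): inventory setuid/setgid files and
# show which package ships each one. Function names are hypothetical.

# list_privileged ROOT
# Prints "MODE OWNER:GROUP PATH" for each regular file under ROOT that has
# the setuid (4000) or setgid (2000) bit set. -xdev keeps find on one
# filesystem, so /proc, /sys and network mounts are not walked.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null
}

# owning_package PATH
# Prints the package dpkg records as owning PATH, or "(unpackaged)" when
# dpkg does not know the file or is not installed. On merged-/usr systems
# a file found as /usr/bin/x may be recorded as /bin/x, so retry without
# the /usr prefix.
owning_package() {
    pkg=$(dpkg-query -S "$1" 2>/dev/null | head -n 1 | sed 's/: .*//')
    if [ -z "$pkg" ]; then
        pkg=$(dpkg-query -S "${1#/usr}" 2>/dev/null | head -n 1 | sed 's/: .*//')
    fi
    echo "${pkg:-(unpackaged)}"
}

# audit_privileged ROOT
# One tab-separated line per file: mode, owner:group, package, path.
# File names containing newlines are not handled.
audit_privileged() {
    list_privileged "$1" | while read -r mode owner path; do
        printf '%s\t%s\t%s\t%s\n' \
            "$mode" "$owner" "$(owning_package "$path")" "$path"
    done
}

# Run only when a directory is given, e.g.: sudo sh audit.sh /
if [ "$#" -gt 0 ]; then
    audit_privileged "$1"
fi
```

Files reported as "(unpackaged)" were not installed by dpkg, which makes them the first entries to look at.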