On Mon, 3 Dec 2007, Anjang Aki wrote:
> hi!.. i'm not able to change file permission to disable rlogin and login on
> my box even as root
>
> # ls -lo /usr/bin/login /usr/bin/rlogin
> -r-sr-xr-x 1 root wheel schg 19996 Dec 1 13:04 /usr/bin/login
> -r-sr-xr-x 1 root wheel schg 10140 Dec 1 13:04 /usr/bin/rlogin
> # chflags -R nouchg login rlogin
> chflags: /usr/bin/login: Operation not permitted
> chflags: /usr/bin/rlogin: Operation not permitted
> # chmod a=rx /usr/bin/login /usr/bin/rlogin
> chmod: /usr/bin/login: Operation not permitted
> chmod: /usr/bin/rlogin: Operation not permitted
>
> it makes me uneasy as my users can still use login and rlogin to gain access
> to the box

Others have already addressed the chflags issue, but there's a larger concern
here.

First off, 'rlogin' is the client, not the server for the rlogin protocol, so
chmodding the file limits the ability to rlogin *from* your system, not rlogin
*to* your system. The ability to login via rlogin is controlled via
inetd.conf, which enables or disables the rlogind daemon. By default we
neither run inetd nor rlogind, and even if you enable inetd, you still need to
also enable rlogind explicitly. Probably for the reasons you have in mind.

Second, I'm not sure what you're trying to do by disabling 'login', but keep
in mind that 'login' is used on the console to allow login to the system on
the console, so you may lock yourself out of the console if you disable it.
On the other hand, 'login' is *not* used for sshd, so if your goal is to deny
network access, it won't have that effect.

In general, what you want to do to prevent login over the network is not
enable network services that allow remote login -- sshd, telnetd, rlogind,
ftpd, etc. By default, we disable all those services. You can look in a
combination of /etc/rc.conf and /etc/inetd.conf to see what is enabled.

Robert N M Watson
Computer Laboratory
University of Cambridge

> my system:
> # uname -a
> FreeBSD k3.college.edu 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1: Sun
> Dec 2 18:51:02 MYT 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/EDU
> i386
>
> thanks for advice
> --
> -- Anjang Aki --
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
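
Added example, not part of the original thread: a sh script for the check the reply describes, reading rc.conf and inetd.conf together so that an inetd.conf entry counts only when inetd itself is enabled. The function names and sample files are constructed for illustration, and the script reads only the two files passed to it (not /etc/defaults/rc.conf or rc.conf.local).

```sh
#!/bin/sh
# Added example: list remote-login daemons enabled by rc.conf + inetd.conf.
# rc_enabled FILE VAR -> exit 0 if the last assignment of VAR in FILE is a
# "yes" value (YES/TRUE/ON/1, any case), the values rc.subr checkyesno accepts.
rc_enabled() {
    val=$(sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    esac
    return 1
}

# inetd_daemons FILE -> telnetd/rlogind/ftpd found on uncommented lines
# (field 6 of an inetd.conf entry is the server program path).
inetd_daemons() {
    awk '!/^[ \t]*#/ && NF >= 6 {
             n = split($6, p, "/")
             if (p[n] ~ /^(telnetd|rlogind|ftpd)$/) print p[n]
         }' "$1" | sort -u
}

# remote_login_services RCCONF INETDCONF -> space-separated enabled daemons.
# inetd.conf entries only count when inetd itself is enabled in rc.conf.
remote_login_services() {
    out=""
    if rc_enabled "$1" sshd_enable; then out="sshd"; fi
    if rc_enabled "$1" inetd_enable; then
        for d in $(inetd_daemons "$2"); do out="$out $d"; done
    fi
    echo $out
}

# Constructed sample configuration (not taken from the poster's system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/rc.conf" <<'EOF'
hostname="example.invalid"
sshd_enable="NO"
inetd_enable="YES"
EOF
cat > "$demo_dir/inetd.conf" <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
EOF
echo "enabled: $(remote_login_services "$demo_dir/rc.conf" "$demo_dir/inetd.conf")"
```

On a real host the call would be `remote_login_services /etc/rc.conf /etc/inetd.conf`; an empty result means none of the four daemons named in the reply is enabled through these two files.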