Hi Mithrilhall,

What you need to do is audit your system permissions. Make certain that the "all" permissions are very restrictive. Here is an example:

    /home
    drwxr-x--x  15 root   adm    4096 Feb 14 01:53 ./
    drwxr-x--x  21 root   adm    1024 Feb  9 01:18 ../
    drwx------   5 admin  admin  4096 Feb  1 05:23 admin/
    drwx------   4 usr1   usr1   4096 Feb  1 05:30 usr1/
    drwx------   4 usr1$  usr1$  4096 Feb  9 00:26 usr1$/
    drwx------   4 usr2   usr2   4096 Feb  1 05:30 usr2/
    drwx------   4 usr2$  usr2$  4096 Feb  9 00:26 usr2$/

Here we can see that usr1 can only browse their home share while usr2 cannot see usr1's share.

A good start is to move your system to msec level 4 or 5 after reviewing the documents in:

    /usr/share/doc/msec-xx

Do not forget that msec lvl 4+ introduces the ctools, ntools and xgrp group to restrict access to key files including ping and top/ps.

Once the permissions are sanely set, then you need not worry about the anonymous user (assuming that the anonymous user cannot obtain r00t via your FTP, IMAP, etc. server).

I would strengthen permissions on the home directories so that each user's home is "chmod 700" or only readable, writable or executable by that user. Please remember that some files in /etc MUST be world-readable but individual home dirs, mailspools, etc. should not be group- or world-readable.

You may also want to investigate creating a chroot jail for various services, but remember that a good cracker can break out of a chroot jail if the right tools are available.

P.S. to alter the home permissions you may want to:

    chmod 700 /home/*

Or similar.

HTH,

Sam Stern
Bethesda, MD, USA

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Mithrilhall2000
>
> What I really want to do is make every directory
> non-browse-able to the user anonymous. I want anonymous to
> only be able to browse its home directory. So I guess I would
> like to also change all subdirectories and the files within
> them as well.
>
> Something like:
>
> chgrp -R anonymous /etc/
>
> Now the only problem I have is I don't know what's going on
> with a command like this. What would this (or whatever would
> be correct) do?
>
> Again, thanks for your time.
> Mithrilhall
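A way to run the audit recommended in the reply above, added here as an example that is not part of the original message: it reports every home directory whose mode is looser than the "drwx------" entries in the sample listing. The function name loose_homes is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original message.
# loose_homes BASE
#   Prints "<mode> <path>" for each directory directly under BASE whose
#   group or other permission bits are not all clear, i.e. anything that
#   does not look like "drwx------" (chmod 700) in an ls -l listing.
#   Names are quoted throughout so entries such as "usr1$" are handled.
loose_homes() {
    base=${1:-/home}
    for d in "$base"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue      # glob matched nothing
        [ -L "$d" ] && continue      # skip symlinks, report real dirs only
        # First ten characters of ls -ld are the type and permission bits;
        # cutting there drops any trailing ACL/SELinux marker ("+" or ".").
        mode=$(ls -ld -- "$d" | cut -c1-10)
        case $mode in
            d???------) ;;           # owner-only access: nothing to report
            *) printf '%s %s\n' "$mode" "$d" ;;
        esac
    done
}
```

Run it as `loose_homes /home`; an empty result means every home directory is already owner-only.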
