Hi Mithrilhall,

What you need to do is audit your system permissions. Make certain that
the "all" permissions are very restrictive. Here is an example:

/home

drwxr-x--x   15 root     adm          4096 Feb 14 01:53 ./
drwxr-x--x   21 root     adm          1024 Feb  9 01:18 ../
drwx------    5 admin    admin        4096 Feb  1 05:23 admin/
drwx------    4 usr1     usr1         4096 Feb  1 05:30 usr1/
drwx------    4 usr1$    usr1$        4096 Feb  9 00:26 usr1$/
drwx------    4 usr2     usr2         4096 Feb  1 05:30 usr2/
drwx------    4 usr2$    usr2$        4096 Feb  9 00:26 usr2$/

Here we can see that usr1 can only browse their home share while usr2
cannot see usr1's share. A good start is to move your system to msec
level 4 or 5 after reviewing the documents in:

/usr/share/doc/msec-xx

Do not forget that msec level 4+ introduces the ctools, ntools and xgrp
groups to restrict access to key files including ping and top/ps. Once
the permissions are sanely set, then you need not worry about the
anonymous user (assuming that the anonymous user cannot obtain r00t via
your FTP, IMAP, etc. server). I would strengthen permissions on the home
directories so that each user's home is "chmod 700" or only readable,
writable or executable by that user. Please remember that some files in
/etc MUST be world-readable but individual home dirs, mailspools, etc.
should not be group- or world-readable.

You may also want to investigate creating a chroot jail for various
services, but remember that a good cracker can break out of a chroot
jail if the right tools are available.

P.S. to alter the home permissions you may want to:

chmod 700 /home/*

Or similar.

HTH,

Sam Stern
Bethesda, MD, USA

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Mithrilhall2000

> 
> What I really want to do is make every directory 
> non-browse-able to the user anonymous. I want anonymous to 
> only be able to browse its home directory. So I guess I would 
> like to also change all subdirectories and the files within 
> them as well.
> 
> Something like:
> 
> chgrp -R anonymous /etc/
> 
> Now the only problem I have is I don't know what's going on 
> with a command like this. What would this (or whatever would 
> be correct) do?
> 
> Again, thanks for your time.
> Mithrilhall
> 


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
