I have to remove write from my knoppix-installed LAN. My students recently discovered write and are passing notes during class....
How do I remove it or turn it off? In older versions of KNOPPIX it was off and root had to turn it on. BTW, I'm using KNOPPIX 3.9 on these PCs.
Regards,
AJG
I haven't tested this, but you can make it owned by root user & root group.
Code:
ls -l `which write`
chown root.root `which write`
Then remove other read, write & execute permissions.
Code:
chmod o-rwx `which write`
That should do it.
OK, here's what I got:
Code:
root@CentauriPrime:~# which write
/usr/bin/write
root@CentauriPrime:~# ls -l /usr/bin/write
lrwxrwxrwx 1 root root 23 May 11 12:54 /usr/bin/write -> /etc/alternatives/write
root@CentauriPrime:~# ls -l /etc/alternatives/write
lrwxrwxrwx 1 root root 18 May 11 12:52 /etc/alternatives/write -> /usr/bin/bsd-write
root@CentauriPrime:~# ls -l /usr/bin/bsd-write
-rwxr-sr-x 1 root tty 7992 Nov 1 2004 /usr/bin/bsd-write
root@CentauriPrime:~#
Wow, look at all those symbolic links! So, root already owns write, do I just limit the permissions on /usr/bin/bsd-write?
In other words, as root, I don't have to
Code:
chown root.root /usr/bin/bsd-write
but, as root, I do have to
Code:
chmod o-rwx /usr/bin/bsd-write
BTW, as root, isn't this the same as:
Code:
chmod 700 /usr/bin/bsd-write
BTW, what does -rwxr-sr-x mean?
TIA,
AJG
Not really. I intended to use o-rwx so that other (anyone not root) could not even run or copy the write binary. -rwxrwxrwx is 777. So a o-rwx would make it -rwxrwx---. A 700 would make it -rwx------ so that members of root group other than the root user could not access the write binary.
Originally Posted by A. Jorge Garcia
BTW, what does -rwxr-sr-x mean?
The set-GID bit.
http://www.zzee.com/solutions/unix-p..._14_1077830297
SGID: If set, then replaces "x" in the group permissions to "s", if group has execute permissions, or to "S" otherwise. Examples:
-rwxrws--- both group execute and SGID are set
-rwxr-S--- SGID is set, but group execute is not set

http://www.puschitz.com/SecuringLinux.shtml
SUID/SGID Files
When the SUID (set user ID) or SGID (set group ID) bits are set on an executable, it executes with the UID or GID of the owner of the executable rather than that of the person executing it. This means that e.g. all executables that have the SUID bit set and are owned by root are executed with the UID of root. A good example is the passwd command that allows ordinary users to update the password field in the /etc/shadow file which is owned by root.
But SUID/SGID bits can be misused when the SUID/SGID executable has a security hole. Therefore, you might want to search the entire system for SUID/SGID executables and document it. For example, ensure that code developers don't set SUID/SGID bits on their programs if it's not an absolute requirement. Very often you can use workarounds like removing just the executable bit for world/others. However, a better approach is to change the design of the software if possible.
To search the entire system for SUID or SGID files, you can run the following command:
Code:
find / -path /proc -prune -o -type f -perm +6000 -ls
The -prune option in this example is used to skip the /proc filesystem.

http://www.experts-exchange.com/Secu..._21398469.html
There are times when setuid/setgid is either necessary or useful for a program. E.g. if you want a user to be able to access a CD-Recorder device thru software that has built-in access restrictions; the device needs to be accessed as root, but you don't want to give the user root access. IF the software is specifically designed to be operated setuid root, then this should be safe. sudo is an excellent utility, but some software just needs elevated privileges to function properly, and use of sudo should not be generically required or considered a replacement for setuid/setgid.
Directories that have the sticky bit set are to assign proper permissions to files automatically. Removing the sticky bit on directories will not improve security. It can be a good idea to remove setuid/setgid bits from programs which you know will not need to be run by non-root users on a server, or where you wish to restrict it to specific users via sudo... this is advantageous to security ONLY on the presumption that there may in fact be security flaws in these programs that could be exploited in the future. The same argument serves for disabling services which are not needed.
Wow, this permissions stuff and all these links are getting complicated!
OK, so all I have to do, as root, is:
Code:
chown root.root /usr/bin/bsd-write
chmod o-rwx /usr/bin/bsd-write
right?
I'm sorry to be so obtuse about this, but this is my school server and I'm not too familiar with the procedure you suggest, so I'm being extra careful not to muck it all up....
Thanx,
AJG
I would not do this
Code:
chown root.root /usr/bin/bsd-write
and instead just do this
Code:
chmod o-rwx /usr/bin/bsd-write
Then open up two terminal windows. In each become a student.
Code:
su - student1
su - student2
Then try to use the write program. If it fails, then obviously there is nothing left to do. If it still works, then perhaps more permissions need to be reduced.
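The two things James's posts ask for, an inventory of setuid/setgid files (the puschitz.com quote) and a check from a student's point of view that "other" really can no longer run write after chmod o-rwx, can be scripted. The following is an added example, not code from this thread or from any of its posters. It builds a throwaway directory tree (constructed data) shaped like AJG's ls output, usr/bin/write -> etc/alternatives/write -> usr/bin/bsd-write with bsd-write at mode 2755, so it runs offline without root. The function names are the example's own; it uses the POSIX test flags -u and -g instead of the quoted `-perm +6000`, which modern GNU find no longer accepts (`-perm /6000` is today's spelling).

```shell
#!/bin/sh
# Added example, not code from the thread: audit setuid/setgid files under a
# directory, follow the write -> /etc/alternatives/write -> bsd-write style
# symlink chain to the real binary, and check from the "student" point of
# view whether "other" can still execute it. POSIX sh + find/ls/readlink/chmod.

# resolve_link PATH: follow symlinks to the final target. ls -l on the symlink
# itself prints lrwxrwxrwx, which says nothing about the binary's own mode.
resolve_link() {
    p=$1
    hops=0
    while [ -L "$p" ]; do
        t=$(readlink "$p") || return 1
        case $t in
            /*) p=$t ;;                    # absolute target
            *)  p=$(dirname "$p")/$t ;;    # relative to the link's directory
        esac
        hops=$((hops + 1))
        [ "$hops" -lt 40 ] || { echo "symlink loop at $1" >&2; return 1; }
    done
    printf '%s\n' "$p"
}

# mode_of PATH: ten-character mode string (e.g. -rwxr-sr-x) of the final
# target, so the s/S and o+x bits discussed in the thread are visible.
mode_of() {
    ls -ld "$(resolve_link "$1")" | cut -c1-10
}

# world_can_run PATH: succeed if "other" has execute on the final target.
# The tenth character is x or t when o+x is set, - or T when it is not.
world_can_run() {
    case $(mode_of "$1") in
        ?????????x|?????????t) return 0 ;;
        *) return 1 ;;
    esac
}

# list_suid_sgid ROOT: print "mode owner group path" for every regular file
# below ROOT with setuid or setgid set (the inventory the quoted page asks
# admins to document). /proc is pruned exactly as in the quoted find command.
list_suid_sgid() {
    find "$1" -path /proc -prune -o -type f -print 2>/dev/null |
    while IFS= read -r f; do
        if [ -u "$f" ] || [ -g "$f" ]; then
            ls -ld "$f" | awk -v p="$f" '{ print $1, $3, $4, p }'
        fi
    done
}

# make_sandbox: constructed tree mimicking AJG's ls output. Prints its path.
make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/etc/alternatives"
    printf '#!/bin/sh\necho "bsd-write stand-in: message sent"\n' > "$d/usr/bin/bsd-write"
    chmod 2755 "$d/usr/bin/bsd-write"                      # -rwxr-sr-x
    ln -s "$d/usr/bin/bsd-write" "$d/etc/alternatives/write"
    ln -s "$d/etc/alternatives/write" "$d/usr/bin/write"
    printf '%s\n' "$d"
}

# restrict_others LINK_OR_FILE: the fix from the thread, applied to the real
# binary behind the symlink chain, followed by the student's-eye check.
restrict_others() {
    target=$(resolve_link "$1") || return 1
    chmod o-rwx "$target"
    ! world_can_run "$1"
}

if [ "${1:-}" = "--demo" ]; then
    sb=$(make_sandbox)
    echo "before:"; list_suid_sgid "$sb"
    restrict_others "$sb/usr/bin/write" &&
        echo "after:  $(mode_of "$sb/usr/bin/write") (others can no longer run it)"
    rm -rf "$sb"
fi
```

Run it with `--demo` to see the sandbox go from -rwxr-sr-x to -rwxr-s---. On a real host, `list_suid_sgid /` as root gives the system-wide inventory; feeding `/usr/bin/write` to `mode_of` shows the mode of bsd-write, not the lrwxrwxrwx of the alternatives links, which is the thing to check before and after the chmod.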
OK, I logged in to my school server from home (sick day today) via ssh as root as follows:
Code:
root@CentauriPrime:~# chmod o-rwx /usr/bin/bsd-write
root@CentauriPrime:~# write
usage: write user [tty]
and then as me (Mr. G) as follows:
Code:
mrg@CentauriPrime:~$ write
-bash: /usr/bin/write: Permission denied
so it would seem that we have been successful!
Thanx again, James, for all your guidance!
Regards,
AJG