Sameer,
Using proper file permissions and setting groups accordingly can allow
you to limit who has access to what. Say you only want people who are in
group staff to have the ability to execute the compiler and linkers, etc.
You would chmod the files so only the owner and group could execute them,
change the group to 'staff' (staff has to be in /etc/group, btw), and make sure
everybody you want to be able to execute the program is either in group staff
or has an entry in /etc/group. You can go through your whole system and
set up levels of permissions, and then change the permissions and groups
accordingly, allowing who you want to have access to what you want.
Remember also that, for example, people could be a member of staff, and
also openwin (a group made up so that only people in it could execute and/or
read/write files that have to deal with X11, or whatever X system you run).
There are ways to get around everything, whether high-end firewalls or low-end
web servers; to have the greatest amount of protection you should
implement it from the top and work all the way to the bottom. Remember
you're only as secure as your network's weakest point. However, if any of the
accounts that have access to the compilers, etc. are compromised, there is
nothing stopping the person from running the programs that they have access
to.
--
Robert Augustine            Networking       dresden.com
4045 Loch Highland Pass     Programming      Corporation
Roswell, GA 30075           Security
P:(770)642-8569                              robert@dresden.com
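The chmod/chgrp procedure Robert describes (owner and one group may run the tools, nobody else), as an added shell example that is not part of the original message. The tool directory, the fake cc/ld/as files and the use of the caller's own primary group are constructed assumptions so it runs without root; on a real box you would run it as root against /usr/bin and the group staff.

```shell
#!/bin/sh
# Added example, not from the original message.

# List files under $1 that anyone outside owner and group can execute
# (the "other" execute bit, octal 001, is set).
world_executable() {
    find "$1" -type f -perm -001
}

# True if user $1 is a member of group $2 (primary or supplementary).
in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Give every regular file under $1 to group $2 and set mode 0750:
# owner rwx, group r-x, everyone else nothing. The group must already
# exist in /etc/group, as the message notes.
restrict_to_group() {
    dir=$1
    grp=$2
    grep -q "^${grp}:" /etc/group || {
        echo "group $grp not in /etc/group" >&2
        return 1
    }
    find "$dir" -type f -exec chgrp "$grp" {} + -exec chmod 0750 {} +
}

# Demonstration on a constructed tool directory standing in for /usr/bin,
# using the caller's primary group in place of staff. Prints the number of
# world-executable files before and after the change.
demo() {
    tooldir=$(mktemp -d)
    for t in cc ld as; do
        printf '#!/bin/sh\necho fake %s\n' "$t" > "$tooldir/$t"
        chmod 0755 "$tooldir/$t"   # starting state: anybody may run it
    done
    before=$(world_executable "$tooldir" | wc -l | tr -d ' ')
    restrict_to_group "$tooldir" "$(id -gn)"
    after=$(world_executable "$tooldir" | wc -l | tr -d ' ')
    rm -rf "$tooldir"
    echo "$before $after"
}
```

Running `demo` prints `3 0`: all three fake tools were world-executable before and none are afterwards.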
----
From: Sameer R. Manek <manek@challenger.atc.fhda.edu>
To: Greg Witte <gwitte@us-state.gov>
Cc: 'firewalls@greatcircle.com' <firewalls@GreatCircle.COM>
Date: Wednesday, June 11, 1997 9:30 PM
Subject: Securing down a box for a firewall
>I'm curious what is considered stripping down a box? I can understand the
>obvious stuff like /usr/games, and maybe a few binaries in /bin and
>/usr/bin, along with most setuid binaries. Possibly even remove the
>compiler, though compiling on an alternate box is real easy. So what can
>be done to strip it down?