Date: Sat, 10 May 1997 01:36:58 -0400
Bob Walker wrote:
> Make sure if you create /usr/local it has security 777.

No! No! No! Run away! Run away! Run away!

This will make a very significant directory world-writeable, which is
essentially setting up an account/group with access=(r,a,w,l,x,s:any).
You really, really, really don't want to do this (I'd add some more
exclamation marks, but I just exhausted my monthly quota above).
It's little quirks like this that cause many Un*x security problems.
For MANAGER.SYS especially, and other users in general, I would strongly
suggest that you set umask = 077 in /etc/profile or ~/.profile. This
results in all your files being created which only you have access to
*unless* you specify otherwise with a chmod. (or umask 007 if you trust
other users of your account). Posix permissions override "some" of the
default MPE security issues of traditional account/group ACCESS= parms.
Just because a user has no access to the containing MPE group doesn't
protect any HFS directories created beneath it (or in the /usr/local
case, it is totally irrelevant to SYS ACCESS= parms since root-created
HFS dirs don't belong to any account/group).

Jeff Kell
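
The umask and world-writable points in the message above, as an added example that is not part of the original post: a POSIX shell script that shows the modes new files and directories receive under umask 022, 007 and 077, and a `find` check for directories left in the state `chmod 777` produces. The function names and temporary paths are assumptions made for illustration, and it is written for a generic Unix shell, not tested on MPE/iX.

```shell
#!/bin/sh
# Added example, not from the original post. All paths are temporary and constructed.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file or directory under the given umask and print the mode it gets.
# The umask is changed inside a subshell so the caller's umask is untouched.
mode_under_umask() {
    (
        mask=$1 kind=$2
        tmp=$(mktemp -d) || exit 1
        umask "$mask"
        if [ "$kind" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
        m=$(mode_of "$tmp/new")
        rm -rf "$tmp"
        printf '%s\n' "$m"
    )
}

# List directories below ROOT that any user may write to and that lack the
# sticky bit, which is what "chmod 777" on a directory leaves behind.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

demo() {
    # 022 is a common default; 007 and 077 are the values from the message.
    for m in 022 007 077; do
        printf 'umask %s: file=%s dir=%s\n' "$m" \
            "$(mode_under_umask "$m" file)" "$(mode_under_umask "$m" dir)"
    done
    # Constructed tree: one 777 directory, one sticky 1777, one 755.
    root=$(mktemp -d) || return 1
    mkdir "$root/local" "$root/tmp" "$root/private"
    chmod 777 "$root/local"; chmod 1777 "$root/tmp"; chmod 755 "$root/private"
    echo "world-writable without sticky bit:"
    world_writable_dirs "$root"
    rm -rf "$root"
}
demo
```

Only the 777 directory is reported; the 1777 one is skipped because the sticky bit stops users from removing or renaming each other's entries.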