Greg Hinkel's UNIX Tip of the Week for May 19, 1996

Some "user level" security issues.

Here are some things that every user should do to help keep systems secure.

PASSWORDS
NEVER share your password with anyone!!!!

NEVER leave your password written down where someone can see it - that includes
in a file on any system.  

You may think that it doesn't matter if someone logs into your account because
"you don't have anything important."  However, the folks with the black hats
like to get in as any user and then exploit holes in the operating system.

Pick hard-to-guess passwords and change them at least once a year.

Encourage (or insist) that your site use one-time passwords.


PATH
Set up your path (or PATH) variable such that system directories are searched
before the "current" directory or any personal directories.  Otherwise a
program with a familiar name planted in a directory you happen to be in could
run in place of the real one.  System directories vary between different
operating systems.  Here's what I use for some different systems (examples are
for C Shell - extracted from my .cshrc file).

SunOS 4.x
set path = (/usr/ucb /usr/bin /usr/local{/X11R6/bin,/bin,,/bin/mh,/X11R5/bin} /usr/gnu/sparc/bin /usr/openwin/bin . ~)

IRIX
set path = (/sbin /usr/bin /usr/bsd /usr/sbin /usr/bin/X11 /usr/local/bin /usr/gnu/sgi/bin /usr/share/bin . ~)

OSF
set path = (/sbin /usr/bin /usr/sbin /usr/local /usr/local/bin . ~ )

AIX
set path = (/usr/ucb /usr/bin /usr/sbin /usr/bin/X11 /usr/local /usr/local/X11R5/bin /usr/local/bin . ~ )

Note:  The current directory (denoted by ".") and my home directory (denoted
       by "~") are at the end of the list.
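The following is an added example (not part of the original tip) that audits
a colon-separated Bourne-style PATH, which is the form csh exports its "set
path" list in, for the ordering rule above.  It assumes the caller passes the
PATH string and the home directory explicitly, and treats ".", an empty
field, any relative path and anything under the home directory as a
personal entry that must come after the last system directory.

```shell
#!/bin/sh
# Added example, not from the original tip.
#
# check_path_order PATH HOME
#   Returns 0 when every "current directory" or personal entry ("." , an
#   empty field, a relative path, or anything under HOME) comes after the
#   last absolute system directory; returns 1 and prints the offending
#   entry otherwise.  A "." or empty field searched before /usr/bin means
#   a same-named program in the working directory would run instead of
#   the real one.
check_path_order() {
    _rest="$1:"        # trailing ":" so the loop consumes the last field too
    _home=$2
    _unsafe_seen=""    # first personal/current-dir entry encountered
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case $_entry in
            ""|.|./*|"$_home"|"$_home"/*|[!/]*)
                # personal or relative entry; remember the first one
                if [ -z "$_unsafe_seen" ]; then
                    if [ -z "$_entry" ]; then
                        _unsafe_seen="(empty field)"
                    else
                        _unsafe_seen=$_entry
                    fi
                fi
                ;;
            /*)
                # absolute system directory after a personal entry: unsafe
                if [ -n "$_unsafe_seen" ]; then
                    printf 'unsafe PATH: "%s" is searched before %s\n' \
                        "$_unsafe_seen" "$_entry"
                    return 1
                fi
                ;;
        esac
    done
    return 0
}

# Constructed sample, modelled on the SunOS list above in sh form:
check_path_order "/usr/ucb:/usr/bin:/usr/local/bin:.:/home/greg" /home/greg
```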


LAST LOGIN
Always look at the "last login" message when you login to a machine, and
make sure that it makes sense.  On all (?) machines this message will tell
you from where you connected, e.g.

Last login: Thu May 16 11:29:39 from hinkelg@flyone.ornl.gov

So, if you never used the machine flyone.ornl.gov then there may be a security
problem.  Or if you know you didn't use the machine at 11:29 on May 16 then
you should take further action (like notifying security and/or your system
administrator).

You can use the "last" command to list info about when you logged in/out.

last plucky

will show plucky's login/logout record (since the wtmp was last cleaned).


UMASK
Make sure your default file/directory permissions are such that others do not
have write access.  You do this with the "umask" command, typically in your
.cshrc or .profile file.  Your "umask" should at least be "022" (no write
access for group or others).  However, I like to use "037" (no write or execute
for group, no access at all for others).  So, put the following in your .cshrc
or .profile:

umask 037



XHOST
Don't allow every machine in the world to use your X Windows display.  Rather
than using "xhost +" (which will allow every machine to use your display), 
explicitly list the machines that you will allow to use your display.

xhost +buster +babs +plucky.xyz.com

You can remove a machine from the list by using "-", so

xhost -buster

will no longer allow users on "buster" to create new windows on your display.


REMOTE HOST ACCESS
Use .rhosts files with care.  If you don't know how to use them, then don't
use them.  If you use them, then list as few machines as necessary.

I can find no use for .netrc files.  So, I recommend never using them.
Most definitely NEVER put your password in it - even if you "protect" the
file.


Always report any suspicious activity.




Greg Hinkel / (hinkelgc AT ornl.gov)
Last Modified: Friday, 02-Sep-2005 12:52:36 EDT