Is anyone else using the 'tiger' security-checking tool? Mine is giving me some reports that I'm not sure how to deal with. Here they are:
# Performing check of system file permissions...
--FAIL-- [perm007f] /etc/aliases should not have group read.
--WARN-- [perm003w] /etc/fstab should not have group read.
--WARN-- [perm003w] /etc/fstab should not have world read.
--WARN-- [perm012w] /etc/inetd.conf should not have group read.
--WARN-- [perm012w] /etc/inetd.conf should not have world read.
--WARN-- [perm017w] /var/run/utmp should not have group write.

When I first got this, I tried removing group/world read from /etc/aliases, but then my email delivery completely failed. /etc/aliases is owned by root.root, but exim, I believe, runs as the user "mail". So one thought is that I could chown /etc/aliases to mail.mail with permission 600. But will that cause other problems?

If /etc/fstab is not world-readable, will users still be able to mount things? Without having to supply all the details of what to mount where, using what filesystem?

# Performing signature check of system binaries...
--ERROR-- [init001e] Don't have required command SNEFRU.

WTF is "snefru", and where can I get it? There's no Debian package by that name.

# Performing check of anonymous FTP...
--WARN-- [ftp006w] Anonymous FTP enabled, but directory does not exist.

How can anonymous FTP be enabled when I have no FTP server installed?

# Performing check of passwd files...
--WARN-- [pass002w] UID 0 exists multiple times in /etc/passwd.

This is true; there is "root" and "sashroot", but with UID 0. Is this a problem?

The last complaint from tiger, which I will not quote here, is that it thinks nearly every account in /etc/passwd is "disabled, but still has a valid shell". This is just plain wrong, since if it were true that my personal account was disabled, I wouldn't be using it right now. But that aside, what should be the shell for a disabled account? /bin/false? And what kinds of accounts should be disabled?

Is the point of having a disabled account that although you can't log in to that account, daemons can still start as root and then switch to a disabled account? In which case, does the shell entry in /etc/passwd matter?

Craig
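The following is an added example, not part of Craig's post and not code from the tiger package. It reproduces in a few lines of POSIX sh the three kinds of check the quoted tiger output is about: which permission bits a file has beyond an allowed mode (tiger's perm0xx messages), which UIDs are shared by more than one account (pass002w), and which accounts have a locked password field in the shadow file but still carry a real login shell rather than /bin/false or nologin. The sample /etc/passwd and /etc/shadow contents are constructed here for the example and are not Craig's files; the function names extra_bits, dup_uids and locked_with_shell are this example's own.

```shell
#!/bin/sh
# Added example: tiny re-implementations of three tiger-style checks.
# Sample data is constructed for this example; it is not anyone's real system.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sashroot:x:0:0:sash root:/root:/bin/sash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
craig:x:1000:1000:Craig:/home/craig:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/false'

SAMPLE_SHADOW='root:$1$abc$hash:12345:0:99999:7:::
sashroot:$1$abc$hash:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
mail:*:12345:0:99999:7:::
craig:$1$def$hash:12345:0:99999:7:::
nobody:*:12345:0:99999:7:::'

# extra_bits MODE ALLOWED: name every permission bit set in MODE (octal)
# that is not set in ALLOWED (octal), the way tiger's perm0xx messages
# phrase them. extra_bits 644 600 -> "group-read world-read".
extra_bits() {
  extra=$(( 0$1 & ~0$2 ))
  out=""
  for pair in 256:user-read 128:user-write 64:user-exec \
              32:group-read 16:group-write 8:group-exec \
              4:world-read 2:world-write 1:world-exec; do
    bit=${pair%%:*}
    name=${pair#*:}
    if [ $(( extra & bit )) -ne 0 ]; then
      out="$out $name"
    fi
  done
  echo "${out# }"
}

# dup_uids PASSWD_TEXT: print "UID: user1 user2 ..." for each UID that
# appears on more than one passwd line (tiger's pass002w for UID 0).
dup_uids() {
  printf '%s\n' "$1" | awk -F: '
    { users[$3] = users[$3] " " $1; count[$3]++ }
    END { for (u in count) if (count[u] > 1) print u ":" users[u] }
  ' | sort
}

# locked_with_shell PASSWD_TEXT SHADOW_TEXT: print "user:shell" for each
# account whose shadow password field is locked (starts with "*" or "!")
# but whose passwd shell is still something other than /bin/false or
# a nologin binary. This is the class of account tiger reports as
# "disabled, but still has a valid shell".
locked_with_shell() {
  { printf '%s\n' "$2"; echo '--passwd--'; printf '%s\n' "$1"; } | awk -F: '
    /^--passwd--$/ { inpasswd = 1; next }
    !inpasswd { if ($2 ~ /^[*!]/) locked[$1] = 1; next }
    ($1 in locked) && $7 != "/bin/false" && $7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" {
      print $1 ":" $7
    }
  ' | sort
}

# Stand-alone run against the constructed samples.
echo "bits on /etc/aliases (0644) beyond 0600: $(extra_bits 644 600)"
echo "duplicate UIDs:"
dup_uids "$SAMPLE_PASSWD"
echo "locked accounts with a usable shell:"
locked_with_shell "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On a live system the same functions can be fed the real files with `dup_uids "$(cat /etc/passwd)"` and `locked_with_shell "$(cat /etc/passwd)" "$(sudo cat /etc/shadow)"`; extra_bits takes the octal mode that `stat -c %a FILE` prints on GNU systems. A password field of `*` or a leading `!` is what the shadow suite writes for a locked account, so these are the accounts that cannot authenticate with a password but, with /bin/sh in passwd, could still be used by anything that switches to them by other means.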