On Fri, Sep 21, 2001 at 10:05:20AM -0700, Craig Dickson wrote:
> If /etc/fstab is not world-readable, will users still be able to mount
> things? Without having to supply all the details of what to mount where,
> using what filesystem?

Users can't mount things by supplying all details of from where/to
where/fs type. They can still mount/unmount with /etc/fstab mode 600,
since mount is suid root, but they can't look in fstab for a list of
what's mountable.

> # Performing check of anonymous FTP...
> --WARN-- [ftp006w] Anonymous FTP enabled, but directory does not exist.
>
> How can anonymous FTP be enabled when I have no FTP server installed?

Is a config file present in /etc?

> # Performing check of passwd files...
> --WARN-- [pass002w] UID 0 exists multiple times in /etc/passwd.
>
> This is true; there is "root" and "sashroot", but with UID 0. Is this a
> problem?

It can potentially make superuser access easier to crack unless both
accounts have strong passwords. More generally, I suspect that this is
flagged because it could indicate that your system has been compromised
and an illicit superuser has been created.

> The last complaint from tiger, which I will not quote here, is that it
> thinks nearly every account in /etc/passwd is "disabled, but still has a
> valid shell". This is just plain wrong, since if it were true that my
> personal account was disabled, I wouldn't be using it right now.

Sounds like tiger doesn't know about shadow passwords. I would have
little trust for a security audit performed by anyone who doesn't
understand that, on a system using shadow, all accounts in /etc/passwd
look like they would if disabled on a non-shadow system...

> that aside, what should be the shell for a disabled account? /bin/false?

That's probably the most common choice.

-- 
When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius
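
Added example, not part of the original message and not tiger's code: a
shadow-aware version of the two passwd checks discussed above, next to a
check that ignores /etc/shadow. The account data, the function names and
the list of no-login shells are constructed for illustration.

```python
# Constructed sample files; the hashes are placeholders, not real ones.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sashroot:x:0:0:root:/root:/bin/sash
craig:x:1000:1000:,,,:/home/craig:/bin/bash
olduser:x:1001:1001:,,,:/home/olduser:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
"""
SHADOW = """\
root:$1$constructed$hash:11586:0:99999:7:::
sashroot:$1$constructed$hash:11586:0:99999:7:::
craig:$1$constructed$hash:11586:0:99999:7:::
olduser:!$1$constructed$hash:11586:0:99999:7:::
daemon:*:11586:0:99999:7:::
"""
# Assumed list of shells that refuse interactive logins.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse(text):
    """Split colon-separated account records, skipping blanks and comments."""
    return [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]


def audit(passwd_text, shadow_text):
    shadow = {f[0]: f[1] for f in parse(shadow_text)}
    uid0, naive, locked_with_shell = [], [], []
    for name, pw, uid, _gid, _gecos, _home, shell in parse(passwd_text):
        if uid == "0":
            uid0.append(name)  # more than one entry here is worth a look
        has_shell = shell not in NOLOGIN_SHELLS
        # Shadow-unaware check: "x" in the passwd field looks like "disabled".
        if pw in ("x", "*") and has_shell:
            naive.append(name)
        # Shadow-aware check: "x" means the real field lives in /etc/shadow.
        # A missing shadow entry is treated as locked (assumption).
        effective = shadow.get(name, "*") if pw == "x" else pw
        if effective.startswith(("!", "*")) and has_shell:
            locked_with_shell.append(name)
    return {"uid0": uid0, "naive": naive, "locked_with_shell": locked_with_shell}


if __name__ == "__main__":
    for check, names in audit(PASSWD, SHADOW).items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

A locked password field only blocks password authentication, which is why
a locked account that keeps a login shell is still worth reporting.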