Dear Colleagues,

If you are well, I am well.

First, I would like to know why we have the bin group. Said differently, how did we decide that some files should belong to bin group rather than wheel group?

Second, I became interested in the bin group because I wanted to block practically all network access to certain users. I removed other-user permissions on files like ping and added one user to bin group. I find this useful, and I ask whether there is a problem in what I have done.

Below is further context on both of my inquiries.

Awaiting your response, I pray you accept my distinguished salutations.

Ibsen

Purpose of the bin group
------------------------

Figuring that bin group may have a purpose related to setgid, I looked at files belonging to bin group.

The file /etc/mtree/4.4BSD.dist sets the bin group only on directories that have 755 permission, so it seems not to be significant in base.

Many ports set bin group on files, but these files mostly seem to have the same permissions for bin group as for other users. I did not check all ports, but I checked many. I did this by reading the result of running the following command from the root of the ports tree.

    grep ^@bin */*/pkg/PLIST | cut -d: -f1 | uniq | xargs grep ^@mode | cut -d: -f1 | uniq | xargs head -n 100000 | less

So it seems setgid is not the purpose, though I could have missed an example where it is relevant.

Restricting network access
--------------------------

I wanted to remove practically all network access for a user. As part of this, I removed other access to certain setuid and setgid executables.

    chmod o-rwx /sbin/ping /sbin/ping6 /usr/bin/lpr /usr/bin/lprm /usr/sbin/traceroute /usr/sbin/traceroute6

Aside from root, there is one user who does need access to one of these executables. This user's only purpose is to check whether a particular computer is online. I added the user to the bin group.

The system seems to be running fine. Can it become a problem that I did this?
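
A way to audit the result of the chmod o-rwx change described in the message above, as an added example that is not part of the original message: for each executable it reports the mode, the owning gid, any setuid/setgid bit, and whether access is now limited to the file's group, and it lists that group's members. The helper names audit_file and group_members are hypothetical, and the group file is assumed to use the standard name:password:gid:members layout.

```shell
#!/bin/sh
# Added example; audit_file and group_members are hypothetical helper names.

# Print "path mode gid=N special verdict" for one file. Verdicts:
#   open       "other" still has at least one permission bit
#   group-only "other" has none, the file's group can still execute
#   owner-only neither "other" nor the group can execute
#   missing    the path does not exist
audit_file() {
    path=$1
    if [ ! -e "$path" ]; then
        printf '%s - - - missing\n' "$path"
        return 0
    fi
    # ls -ldn prints e.g. "-r-sr-x--- 1 0 7 ..."; field 1 is the mode, field 4 the gid
    set -- $(ls -ldn "$path")
    mode=$1
    gid=$4
    other=$(printf '%s' "$mode" | cut -c8-10)
    group_x=$(printf '%s' "$mode" | cut -c7)
    owner_x=$(printf '%s' "$mode" | cut -c4)

    special=
    case $owner_x in s|S) special=setuid ;; esac
    case $group_x in s|S) special="${special:+$special+}setgid" ;; esac

    case $other in
        ---|--T) # no access for other (T is a sticky bit without execute)
            case $group_x in
                x|s) verdict=group-only ;;
                *)   verdict=owner-only ;;
            esac ;;
        *) verdict=open ;;
    esac
    printf '%s %s gid=%s %s %s\n' "$path" "$mode" "$gid" "${special:-plain}" "$verdict"
}

# List the group with the given numeric gid and its supplementary members.
# Users whose primary group is that gid appear in the passwd database instead.
group_members() {
    awk -F: -v g="$1" '$3 == g { print $1 ": " $4 }' "${2:-/etc/group}"
}

# Usage: for f in /sbin/ping /usr/bin/lpr; do audit_file "$f"; done
```

A "group-only" verdict means every account listed by group_members for that gid can still run the file, which is the set to review after adding a user to the group.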