|
|
The Computing Center is working on an update to the user.chk program in COPS that checks for dangerous permissions on user account files. The new version of COPS is more sophisticated and checks for many more potential vulnerabilities than the old version.
For example, the new COPS has also been modified to check our standard user mail spool file (.mail) and the commonly-created mbox file. As there are quite a few group-writable .mail files or world-readable mbox files, it would help cut down on network "noise" if system administrators on campus eliminate all group or other permissions from their .mail and mbox files.
Below is the current list of files the new user.chk program looks for and the file modes it rejects (i.e., 022 means "no write by group or other," and 077 means "no permissions at all for group or other"):
| * remote access control files */ { ".rhosts", 022 }, { ".shosts", 022 }, /* shell init files */ { ".profile", 022 }, { ".login", 022 }, { ".logout", 022 }, { ".cshrc", 022 }, { ".tcshrc", 022 }, { ".bash_login", 022 }, { ".bash_logout", 022 }, { ".bash_profile", 022 }, { ".bashrc", 022 }, { ".kshrc", 022 }, { ".history", 022 }, { ".bash_history", 022 }, { ".sh_history", 022 }, /* mail */ { ".mail", 077 }, { ".elm", 022 }, { ".forward", 022 }, { ".pinerc", 022 }, { ".pgp", 077 }, { ".procmailrc", 022 }, |
"Mail", 022 }, { "mail", 022 }, { "mbox", 077 }, /* user web directory */ { "public_html", 022 }, /* other init files */ { ".dbxinit", 022 }, { ".distfile", 022 }, { ".emacs", 022 }, { ".exrc", 022 }, { ".netrc", 077 }, { ".ncftp", 022 }, { ".ssh", 022 }, /* X window system files */ { ".Xauthority", 077 }, { ".Xdefaults", 022 }, { ".Xresources", 022 }, { ".dtprofile", 022 }, { ".fvwmrc", 022 }, { ".fvwm2rc", 022 }, { ".mwmrc", 022 }, { ".openwin-init", 022 }, { ".twmrc", 022 }, { ".xinit", 022 }, { ".xsession", 022 }, |
If any of these files and file modes are detected as being mis-set, COPS will generate a warning, allowing systems staff to take appropriate remedial action.