FreeBSD 6.3-PRERELEASE unable to change file permission
Robert Watson
rwatson at FreeBSD.org
Mon Dec 3 13:28:08 PST 2007
On Mon, 3 Dec 2007, Anjang Aki wrote:
> hi!.. i'm not able to change file permission to disable rlogin and login on
> my box even as root
>
> # ls -lo /usr/bin/login /usr/bin/rlogin
> -r-sr-xr-x 1 root wheel schg 19996 Dec 1 13:04 /usr/bin/login
> -r-sr-xr-x 1 root wheel schg 10140 Dec 1 13:04 /usr/bin/rlogin
>
> # chflags -R nouchg login rlogin
> chflags: /usr/bin/login: Operation not permitted
> chflags: /usr/bin/rlogin: Operation not permitted
>
> # chmod a=rx /usr/bin/login /usr/bin/rlogin
> chmod: /usr/bin/login: Operation not permitted
> chmod: /usr/bin/rlogin: Operation not permitted
>
> it makes me uneasy as my users can still use login and rlogin to gain access
> to the box

Others have already addressed the chflags issue, but there's a larger concern
here.

First off, 'rlogin' is the client, not the server for the rlogin protocol, so
chmodding the file limits the ability to rlogin *from* your system, not rlogin
*to* your system. The ability to login via rlogin is controlled via
inetd.conf, which enables or disables the rlogind daemon. By default we
neither run inetd nor rlogind, and even if you enable inetd, you still need to
also enable rlogind explicitly. Probably for the reasons you have in mind.

Second, I'm not sure what you're trying to do by disabling 'login', but keep
in mind that 'login' is used on the console to allow login to the system on
the console, so you may lock yourself out of the console if you disable it.
On the other hand, 'login' is *not* used for sshd, so if your goal is to deny
network access, it won't have that effect.

In general, what you want to do to prevent login over the network is not
enable network services that allow remote login -- sshd, telnetd, rlogind,
ftpd, etc. By default, we disable all those services. You can look in a
combination of /etc/rc.conf and /etc/inetd.conf to see what is enabled.

Robert N M Watson
Computer Laboratory
University of Cambridge
>
> my system:
> # uname -a
> FreeBSD k3.college.edu 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1: Sun
> Dec 2 18:51:02 MYT 2007 root at college.edu:/usr/obj/usr/src/sys/EDU
> i386
>
> thanks for advice
>
> --
> -- Anjang Aki --
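The check suggested in the reply above (look at /etc/rc.conf and /etc/inetd.conf together) can be scripted; the following is an added example, not part of the original thread. The function names and the sample files are constructed for illustration, and the script reads only the two files it is given (not /etc/defaults/rc.conf or rc.conf.local).

```shell
#!/bin/sh
# Added example: report remote-login services enabled via rc.conf / inetd.conf.

# rc_enabled FILE VAR: true if the last assignment of VAR in FILE is a value
# rc.subr's checkyesno treats as "yes" (YES, TRUE, ON, 1; case-insensitive).
rc_enabled() {
    val=$(sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_remote_login RCCONF INETDCONF: one output line per configured service.
audit_remote_login() {
    if rc_enabled "$1" sshd_enable; then echo "rc.conf: sshd enabled"; fi
    # inetd.conf entries only take effect when inetd itself is started.
    if rc_enabled "$1" inetd_enable; then state=active; else state=dormant; fi
    # Uncommented entries for the classic remote-login/transfer services.
    awk -v state="$state" '
        /^[ \t]*#/ || NF < 6 { next }
        $1 ~ /^(ftp|ssh|telnet|shell|login|exec)$/ {
            n = split($6, path, "/")
            printf "inetd.conf: %s -> %s (%s)\n", $1, path[n], state
        }' "$2"
}

# make_sample DIR: write constructed sample files (not from the original post).
make_sample() {
    cat > "$1/rc.conf" <<'EOF'
hostname="k3.example.edu"
sshd_enable="NO"
inetd_enable="YES"
EOF
    cat > "$1/inetd.conf" <<'EOF'
#ftp    stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
#telnet stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
login   stream  tcp  nowait  root  /usr/libexec/rlogind  rlogind
EOF
}

# Demo on the constructed sample; on a real host pass /etc/rc.conf /etc/inetd.conf.
tmp=$(mktemp -d) && make_sample "$tmp"
audit_remote_login "$tmp/rc.conf" "$tmp/inetd.conf"
rm -rf "$tmp"
```

An entry reported as dormant is uncommented in inetd.conf but has no effect until inetd itself is enabled, which matches the two-step enablement described in the reply.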