Bugtraq mailing list archives

Re: Internet Worm


From: blymn () awadi com AU (Brett Lymn)
Date: Mon, 17 Oct 1994 13:20:46 +0930 (CST)


According to Supak Lailert "spk":

... stuff about a mode 000 .rhosts file deleted.....

Uh Oh SURE! There is a problem with that! Users have write permission to
their home directories thus they can delete your .rhosts and create their
own as they like. If the account is cracked, the cracker can build a new
.rhosts in no time.


Too true.  If you really want to nail the problem this way you need to
do something like this (well, on a Sun anyway....):

- change the ownership of the user's home directory to root (ideally)
- allow the user group write on their home directory so they can use it
- set the "other" sticky bit on the user's home directory to prevent
  removal of files not owned by the user
- create a directory called .rhosts in the user's directory owned by root
- touch a file into the .rhosts directory - any file will do
- make the .rhosts directory mode 000


This should stop the user creating a .rhosts file as there is a
directory there with that name.  They cannot move the file as they do
not own it, they cannot change their home directory permissions as
they do not own that.  Brutal but it should be effective.

BTW don't flame me if the instructions aren't exactly right - I don't
do this to my users here.

-- 
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Aha!  Pronoun problems.  It's not `shoot you, shoot you', it's `shoot me,
 shoot me'.  So, go ahead, shoot ME, shoot ME <BLAM>... You're Despicable"
                        -- Daffy Duck
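
An added example, not part of the original post: a read-only Python audit that checks whether a home directory matches the layout the message above describes (home directory owned by root, group-writable and sticky, with a root-owned mode 000 directory named .rhosts). The function name `audit_home` and its `trusted_uid` parameter are assumptions of this example; the placeholder file inside .rhosts is not checked, because a mode 000 directory cannot be listed by a non-root auditor.

```python
import os
import stat
import sys


def audit_home(home, trusted_uid=0):
    """Return a list of findings; an empty list means the layout matches the post.

    trusted_uid is a hypothetical parameter: the uid that must own the home
    directory and the .rhosts directory (root, uid 0, in the post).
    """
    findings = []
    h = os.lstat(home)
    if h.st_uid != trusted_uid:
        findings.append("home directory is not owned by uid %d" % trusted_uid)
    if not h.st_mode & stat.S_IWGRP:
        findings.append("home directory is not group-writable")
    if not h.st_mode & stat.S_ISVTX:
        findings.append("sticky bit is not set on the home directory")

    path = os.path.join(home, ".rhosts")
    try:
        r = os.lstat(path)  # lstat, so a symlink named .rhosts does not pass
    except FileNotFoundError:
        findings.append(".rhosts does not exist, so the user can create one")
        return findings
    if not stat.S_ISDIR(r.st_mode):
        findings.append(".rhosts is not a directory")
    if r.st_uid != trusted_uid:
        findings.append(".rhosts is not owned by uid %d" % trusted_uid)
    mode = stat.S_IMODE(r.st_mode)
    if mode != 0:
        findings.append(".rhosts mode is %03o, expected 000" % mode)
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_rhosts.py <home directory> [<home directory> ...]
    for home in sys.argv[1:]:
        problems = audit_home(home)
        print(home, "OK" if not problems else "; ".join(problems))
```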


