hi!.. I'm not able to change file permissions to disable rlogin and login on my box even as root

# ls -lo /usr/bin/login /usr/bin/rlogin
-r-sr-xr-x  1 root  wheel  schg 19996 Dec  1 13:04 /usr/bin/login
-r-sr-xr-x  1 root  wheel  schg 10140 Dec  1 13:04 /usr/bin/rlogin

# chflags -R nouchg login rlogin
chflags: /usr/bin/login: Operation not permitted
chflags: /usr/bin/rlogin: Operation not permitted

# chmod a=rx /usr/bin/login /usr/bin/rlogin
chmod: /usr/bin/login: Operation not permitted
chmod: /usr/bin/rlogin: Operation not permitted

It makes me uneasy as my users can still use login and rlogin to gain access to the box.

My system:
# uname -a
FreeBSD k3.college.edu 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1: Sun Dec  2 18:51:02 MYT 2007     root@college.edu:/usr/obj/usr/src/sys/EDU  i386

Thanks for advice
--
-- Anjang Aki --
Michael Proto
2007-Dec-03 08:34 UTC
FreeBSD 6.3-PRERELEASE unable to change file permission
Anjang Aki wrote:
> hi!.. I'm not able to change file permissions to disable rlogin and
> login on my box even as root
>
> # ls -lo /usr/bin/login /usr/bin/rlogin
> -r-sr-xr-x  1 root  wheel  schg 19996 Dec  1 13:04 /usr/bin/login
> -r-sr-xr-x  1 root  wheel  schg 10140 Dec  1 13:04 /usr/bin/rlogin
>
> # chflags -R nouchg login rlogin
> chflags: /usr/bin/login: Operation not permitted
> chflags: /usr/bin/rlogin: Operation not permitted
>
> # chmod a=rx /usr/bin/login /usr/bin/rlogin
> chmod: /usr/bin/login: Operation not permitted
> chmod: /usr/bin/rlogin: Operation not permitted
>
> It makes me uneasy as my users can still use login and rlogin to gain
> access to the box.
>
> My system:
> # uname -a
> FreeBSD k3.college.edu 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1: Sun
> Dec  2 18:51:02 MYT 2007  root@college.edu:/usr/obj/usr/src/sys/EDU
> i386
>
> Thanks for advice

It looks like these files have the system-immutable flag set (schg), not the user-immutable one (uchg). What happens if you do "chflags noschg /usr/bin/login /usr/bin/rlogin"?

-Proto
Cristiano Deana
2007-Dec-03 08:56 UTC
FreeBSD 6.3-PRERELEASE unable to change file permission
On Dec 3, 2007 4:59 PM, Anjang Aki <mailman.msc@gmail.com> wrote:
> # chflags -R nouchg login rlogin
> chflags: /usr/bin/login: Operation not permitted
> chflags: /usr/bin/rlogin: Operation not permitted

> # chmod a=rx /usr/bin/login /usr/bin/rlogin
> chmod: /usr/bin/login: Operation not permitted
> chmod: /usr/bin/rlogin: Operation not permitted

# sysctl kern.securelevel
?

--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/
Robert Watson
2007-Dec-03 13:28 UTC
FreeBSD 6.3-PRERELEASE unable to change file permission
On Mon, 3 Dec 2007, Anjang Aki wrote:
> hi!.. I'm not able to change file permissions to disable rlogin and login on
> my box even as root
>
> # ls -lo /usr/bin/login /usr/bin/rlogin
> -r-sr-xr-x  1 root  wheel  schg 19996 Dec  1 13:04 /usr/bin/login
> -r-sr-xr-x  1 root  wheel  schg 10140 Dec  1 13:04 /usr/bin/rlogin
>
> # chflags -R nouchg login rlogin
> chflags: /usr/bin/login: Operation not permitted
> chflags: /usr/bin/rlogin: Operation not permitted
>
> # chmod a=rx /usr/bin/login /usr/bin/rlogin
> chmod: /usr/bin/login: Operation not permitted
> chmod: /usr/bin/rlogin: Operation not permitted
>
> It makes me uneasy as my users can still use login and rlogin to gain access
> to the box.

Others have already addressed the chflags issue, but there's a larger concern here.

First off, 'rlogin' is the client, not the server, for the rlogin protocol, so chmodding the file limits the ability to rlogin *from* your system, not rlogin *to* your system. The ability to log in via rlogin is controlled via inetd.conf, which enables or disables the rlogind daemon. By default we run neither inetd nor rlogind, and even if you enable inetd, you still need to also enable rlogind explicitly, probably for the reasons you have in mind.

Second, I'm not sure what you're trying to do by disabling 'login', but keep in mind that 'login' is used on the console to allow login to the system on the console, so you may lock yourself out of the console if you disable it. On the other hand, 'login' is *not* used for sshd, so if your goal is to deny network access, it won't have that effect.

In general, what you want to do to prevent login over the network is not enable network services that allow remote login -- sshd, telnetd, rlogind, ftpd, etc. By default, we disable all those services. You can look in a combination of /etc/rc.conf and /etc/inetd.conf to see what is enabled.

Robert N M Watson
Computer Laboratory
University of Cambridge

> My system:
> # uname -a
> FreeBSD k3.college.edu 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1: Sun
> Dec  2 18:51:02 MYT 2007  root@college.edu:/usr/obj/usr/src/sys/EDU
> i386
>
> Thanks for advice
>
> --
> -- Anjang Aki --
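A defender's check for the point Robert Watson makes above, as an added example that is not part of the thread: a POSIX sh script that reports which remote-login entry points /etc/rc.conf and /etc/inetd.conf actually enable, rather than looking at the mode bits of /usr/bin/login or /usr/bin/rlogin. The two configuration files it scans are constructed samples; the knob names (sshd_enable, inetd_enable, ftpd_enable, telnetd_enable) and the inetd.conf service names ("login" for rlogind, "shell" for rshd, "telnet", "ftp") are the standard FreeBSD ones.

```shell
#!/bin/sh
# Added example (not from the thread): audit which remote-login entry points a
# FreeBSD host would actually start. That decision is made in /etc/rc.conf and
# /etc/inetd.conf, not by the permission bits of /usr/bin/login or rlogin.
# The sample files written below are constructed for this demonstration.

# Print the rc.conf knobs for login-capable daemons that are set to YES.
# $1 = path to an rc.conf-style file.
enabled_rc_services() {
    # Strip any quotes around the value, then keep *_enable=YES lines (any case).
    tr -d "\"'" < "$1" \
        | sed -nE 's/^[[:space:]]*(sshd|inetd|ftpd|telnetd)_enable=[Yy][Ee][Ss][[:space:]]*$/\1/p'
}

# Print active (uncommented) inetd.conf entries that grant remote access:
# "login" is rlogind, "shell" is rshd, plus telnetd and ftpd.
# $1 = path to an inetd.conf-style file.
enabled_inetd_services() {
    awk '/^[ \t]*(login|shell|telnet|ftp)[ \t]/ { print $1 }' "$1"
}

# One line per enabled remote-login entry point; no output means none is
# exposed, which is the FreeBSD default described in the thread.
# inetd.conf entries only count when inetd itself is enabled in rc.conf.
remote_login_report() {
    rc="$1"; inetd="$2"
    enabled_rc_services "$rc" | grep -v '^inetd$' | sed 's/^/rc.conf: /'
    if enabled_rc_services "$rc" | grep -q '^inetd$'; then
        enabled_inetd_services "$inetd" | sed 's/^/inetd.conf: /'
    fi
}

# Constructed sample configuration: sshd on, inetd on with only rlogind active.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/rc.conf" <<'EOF'
sshd_enable="YES"
inetd_enable="YES"
ftpd_enable="NO"
EOF
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
#ftp     stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
#telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
login    stream  tcp  nowait  root  /usr/libexec/rlogind  rlogind
#shell   stream  tcp  nowait  root  /usr/libexec/rshd     rshd
EOF
remote_login_report "$SAMPLE_DIR/rc.conf" "$SAMPLE_DIR/inetd.conf"
rm -rf "$SAMPLE_DIR"
```

On a real host, point remote_login_report at /etc/rc.conf and /etc/inetd.conf; an empty report is the state the thread recommends, and kern.securelevel (Cristiano's question) only matters for the schg flags, not for which daemons listen.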