: : I am not aware of any special considerations that you need to be aware of
: : for Linux specifically. It has the same weaknesses as any UNIX system.
: Just to relay something I heard in my mail:
: make sure 'minicom' isn't setuid root (or find out more if you really
: want non root users to use it).
: Which perhaps brings up another point - if you are really paranoid about
: security it might be an idea to go through all the setuid's and decide
: whats needed and what isn't (although the same applys to all unix's of
: Linux has always seemed quite well set up to me BTW, well at least the
: version I installed does (slackware version 2.0). Although I heard
: somebody mention about some incorrect permissions on a particular cd-rom
: distribution. Oh yeah and a minor problem with wu-ftp has also been
: mentioned (just a matter of a mistake in the default setup I think).
: (I've also noticed that '/var/spool/mail' should NOT be world writable
: on my version. Not that it is by default, but I'm sure somebody in the
: world has made the mistake of setting it drwxrwxrwt like it is on SunOS
I didn't really notice when I installed Slackware on my own computer,
because I was completely new to UNIX.
However, after watching my roommate install Slackware on *his* computer,
I realized that Slackware just really isn't all that security-conscious.
It has *everything* turned on in inetd. Lots of things are setuid
root. And the permissions on the virtual consoles are world-writable.
A couple of things to think about on a net-accessible Slackware Linux box
when you get it (if it isn't net accessible, most of this doesn't
matter so much, since physical access really does beat all):
1) go through inetd.conf and turn off everything you don't
2) Change lpd et al to not be setuid root, but instead
to be either setuid lp or setgid lp (where lp is some
special user or group you create). Then chown or chgrp
everything in /usr/spool/lp* .
3) Go through /etc/rc.d/rc.inet2, and comment out services
you don't use. In particular, comment out nfsd and mountd.
If you don't have a printer, comment out lpd.
4) The /dev/tty? permissions are really a problem, because anyone
who can open a virtual console can do * things like
change the key map. To change the permissions, though, you
need a new getty, login, write, mesg, and probably a few
others. So I'm not sure exactly what to do for this problem,
unless you seriously have something to hide from the other
users on your system.
5) Yeah, I HATE the setuid flag on minicom. I like minicom,
but don't like at all the way it tries to manage security
itself -- it should just trust in access permissions. Or
it should be *really* careful about what it does with its
superuser privileges! The bug mentioned in the mailing list
is ridiculous -- allowing arbitrary shell escapes! I agree
with Arny -- it would probably be a good idea to scan
the filesystem for setuid files and see what you think of
Another problem I noticed is that syslogd is wide open to the
world -- anyone can log a message to your computer; I don't know
at all how to fix this problem, though.
Slackware comes with a lot of features ready-to-use, but it doesn't
come all that secure.