|
@@ -425,6 +425,7 @@ function set_sticky_bits {
|
425
|
425
|
}
|
426
|
426
|
|
427
|
427
|
function lockdown_permissions {
|
|
428
|
+ # All commands owned by root
|
428
|
429
|
if [ -d /bin ]; then
|
429
|
430
|
chown root:root /bin/*
|
430
|
431
|
fi
|
|
@@ -448,6 +449,7 @@ function lockdown_permissions {
|
448
|
449
|
chmod -R +r /usr/share/${PROJECT_NAME}
|
449
|
450
|
fi
|
450
|
451
|
|
|
452
|
+ # All libraries owned by root
|
451
|
453
|
if [ -d /lib ]; then
|
452
|
454
|
chown -R root:root /lib/*
|
453
|
455
|
fi
|
|
@@ -461,10 +463,12 @@ function lockdown_permissions {
|
461
|
463
|
chown -R root:root /usr/lib64/*
|
462
|
464
|
fi
|
463
|
465
|
|
|
466
|
+ # sudo permissions
|
464
|
467
|
chmod 4755 /usr/bin/sudo
|
465
|
468
|
chmod 4755 /usr/lib/sudo/sudoers.so
|
466
|
469
|
chown root:root /etc/sudoers
|
467
|
470
|
|
|
471
|
+ # permissions on email commands
|
468
|
472
|
if [ -f /usr/bin/procmail ]; then
|
469
|
473
|
chmod 6755 /usr/bin/procmail
|
470
|
474
|
fi
|
|
@@ -476,6 +480,26 @@ function lockdown_permissions {
|
476
|
480
|
fi
|
477
|
481
|
|
478
|
482
|
set_sticky_bits
|
|
483
|
+
|
|
484
|
+ # Create some directories to correspond with users in passwords file
|
|
485
|
+ if [ ! -d /var/spool/lpd ]; then
|
|
486
|
+ mkdir /var/spool/lpd
|
|
487
|
+ fi
|
|
488
|
+ if [ ! -d /var/spool/news ]; then
|
|
489
|
+ mkdir /var/spool/news
|
|
490
|
+ fi
|
|
491
|
+ if [ ! -d /var/spool/uucp ]; then
|
|
492
|
+ mkdir /var/spool/uucp
|
|
493
|
+ fi
|
|
494
|
+ if [ ! -d /var/list ]; then
|
|
495
|
+ mkdir /var/list
|
|
496
|
+ fi
|
|
497
|
+ if [ ! -d /var/lib/gnats ]; then
|
|
498
|
+ mkdir /var/lib/gnats
|
|
499
|
+ fi
|
|
500
|
+ if [ ! -d /var/lib/saned ]; then
|
|
501
|
+ mkdir /var/lib/saned
|
|
502
|
+ fi
|
479
|
503
|
}
|
480
|
504
|
|
481
|
505
|
function disable_core_dumps {
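Review bot: The six new `if [ ! -d DIR ]; then mkdir DIR; fi` blocks after `set_sticky_bits` create the directories as root with the process umask's default mode, so nothing here actually ties them to the accounts the comment refers to (presumably lp, news, uucp, list, gnats and saned); if they are meant to be those accounts' home or spool directories, an explicit `chown`/`chmod` per directory belongs in this lockdown function. A bare `mkdir` also fails when a parent such as `/var/spool` is missing, and the existence test is redundant once `-p` is used, so the whole block can collapse to `for dir in /var/spool/lpd /var/spool/news /var/spool/uucp /var/list /var/lib/gnats /var/lib/saned; do mkdir -p "$dir"; done`. If the script runs under `set -e` (not visible in this hunk), an unchecked `mkdir` failure would abort the rest of the hardening rather than be reported. `lockdown_permissions` begins outside this hunk; only its closing brace at new line 503 is visible here.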
|