ECN No Name Newsletter: March, 1991

The ECN No Name Newsletter is no longer being published. This is an archived issue.


Account Security Checking

Brian L. Moore

Here we go again...more information about computer security...but this time I'm going to tell you about a program that will aid in reviewing some security points for you!

While most individual users understand the need to keep their accounts secure in order to help maintain the security of the entire network, it is easy to put off standard security maintenance, such as:

1. regularly changing your password and choosing good ones

2. watching modes on directories and files

3. periodically checking your .rhosts file for odd hosts or logins

Get real! Who has time for all this checking? No one wants to sit down and look through their whole account just to make sure modes on files are OK. Why should they? Is it really worth the time?

Boy, have I got a solution for you--checkacct(1), a program that will look through your account for you. You don't have to cd through all your directories and look at the modes of everything. This will do it for you. It also checks your login initialization files for a bad umask(1) setting and for "." existing first in your path. In addition this program checks your .rhosts file and tells you about hosts that do not end with "purdue.edu" and logins that are different from yours. It doesn't do windows though (sorry).

To run this program, type "/usr/unsup/checkacct" and your account will be checked. It starts by printing your uid, gid, and home directory as found in the password file. Next, it checks your .rhosts file. You will see

    .rhosts: Non-local host:

if a "non-purdue" host is found, or

    .rhosts: Contains a different login:

if a login different from yours is discovered. Either message is followed by the line in your .rhosts file that checkacct(1) is complaining about. This check is not foolproof: it will flag entries that may legitimately be yours, whether they are at another site or use a different login name. However, only accounts that you and ONLY you own should be there. You should not list any account that someone else can access, since a .rhosts entry lets that account log in as you without a password. Account sharing is strictly prohibited at ECN.

Next the program will check your login initialization files (.login, .cshrc, and .profile). You will see this message if you have the dot (current directory) first in your path.

"." first in your path! Should be last.

If you see the message

umask is ###! Should be 077 or 022!

then your umask setting should be changed (077 is best, but 022 is OK also). See the man page for umask(1) for details.

Before checkacct(1) is finished, it walks your entire home directory tree, checking ownership and permission modes on all your directories and files. The program might generate a message like:

You don't own

to indicate that the owner of the file is not you and that the file should be checked. You might also see the message

File is world writable!!

if anyone can write to the file; for a world-writable directory, anyone can create or erase files in it. See the man page for chmod(1) for more information.
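A script that performs the same three checks on a specified login and home directory, as an added example that is not the ECN checkacct program itself: the message texts follow the article, while the LOCAL_DOMAIN constant, the PATH and umask matching rules, the symlink handling and the function names are assumptions.

```shell
#!/bin/sh
# checkacct-style account review.  Added illustration, not the ECN
# /usr/unsup/checkacct program; the message texts mirror the article, but the
# LOCAL_DOMAIN value, the matching rules and the function names are assumptions.
LOCAL_DOMAIN="purdue.edu"

# Each check prints one line per finding and returns 1 if it found anything.

# .rhosts: every entry should be a host under LOCAL_DOMAIN and your own login.
# A bare "+" (trust every host) falls into the default branch and is flagged.
check_rhosts() {   # $1 = path to .rhosts, $2 = your login name
    rc=0
    [ -f "$1" ] || return 0
    while read -r host login rest || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')   # hostnames are case-insensitive
        case "$host" in
            "$LOCAL_DOMAIN"|*."$LOCAL_DOMAIN") ;;
            *) echo ".rhosts: Non-local host: $host $login"; rc=1 ;;
        esac
        # An empty login field means "same login as here", which is fine.
        if [ -n "$login" ] && [ "$login" != "$2" ]; then
            echo ".rhosts: Contains a different login: $host $login"; rc=1
        fi
    done < "$1"
    return $rc
}

# .login/.cshrc/.profile: "." first in PATH, and a umask other than 077/022.
check_initfile() {   # $1 = path to one initialisation file
    rc=0
    [ -f "$1" ] || return 0
    # sh-style PATH=.:... (or an empty leading component, PATH=:..., which also
    # means the current directory) and csh-style set path = ( . ... ).
    if grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=(\.(:|$)|:)' "$1" ||
       grep -Eq '^[[:space:]]*set[[:space:]]+path[[:space:]]*=[[:space:]]*\([[:space:]]*\.([[:space:]]|\))' "$1"; then
        echo "$1: \".\" first in your path! Should be last."; rc=1
    fi
    for m in $(sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([0-7]\{1,4\}\).*/\1/p' "$1"); do
        case "$m" in
            077|0077|022|0022) ;;
            *) echo "$1: umask is $m! Should be 077 or 022!"; rc=1 ;;
        esac
    done
    return $rc
}

# Home directory walk: files you do not own, and anything world-writable.
check_tree() {   # $1 = directory to walk, $2 = your login name
    rc=0
    # "! -user" and "-perm -002" (other-write bit set) are POSIX find primaries.
    out=$(find "$1" ! -user "$2" 2>/dev/null)
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | sed "s/^/You don't own /"; rc=1
    fi
    # Symbolic links are excluded: their own mode is usually 777 and irrelevant.
    out=$(find "$1" -perm -002 ! -type l 2>/dev/null)
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | sed 's/^/File is world writable!! /'; rc=1
    fi
    return $rc
}

run_checks() {   # $1 = login name, $2 = home directory
    echo "login=$1 uid=$(id -u "$1") gid=$(id -g "$1") home=$2"
    status=0
    check_rhosts "$2/.rhosts" "$1" || status=1
    for f in .login .cshrc .profile; do check_initfile "$2/$f" || status=1; done
    check_tree "$2" "$1" || status=1
    return $status
}

# Usage: sh checkacct.sh "$(id -un)" "$HOME"
if [ $# -eq 2 ]; then run_checks "$1" "$2"; fi
```

Two deliberate departures from the article's rules: the host test requires a dot before the domain (`*.purdue.edu`), which is slightly stricter than "ends with purdue.edu" and so does not accept a host such as notpurdue.edu, and the walk ignores symbolic links, whose mode bits do not control access to the target. Ownership findings still depend on the directory you pass in; a file you do not own inside your own tree usually means someone else created it there or it was copied with ownership preserved, and either way it deserves a look.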

If you have any questions or problems with this program, send mail to "blm".


webmaster@ecn.purdue.edu
Last modified: Thursday, 23-Oct-97 19:41:29 EST
