[geeks] are *BSD (and Linux) people "unhelpful"?

[Jonathan C. Patschke]

On Wed, 3 Apr 2002, Brian Hechinger wrote:
>
> so, is there a fixirix.txt somewhere?  i can apply my general UNIX sercurity

Not as of yet.  I've contemplated starting one, since I'm so tired of
seeing my favorite OS beat with the "insecure" stick.  It's not as if
Solaris is -that- much better out of the box (although Sun did learn that
setuid administrative binaries are bad).

I may just do that.  I'm in a writing mood tonight, and am already writing
two HOWTOs ("universal" redirects in Apache, and how to configure Postfix
to use SpamAssassin[1]).

> knowledge to tightening down IRIX, but since i've never used it before i don't
> know all the specifics.

Most of it just applies straight over from Solaris.  chkconfig off things
you aren't using.  Disable things in /etc/inetd.conf.  If you're not using
NFS and not using the system as a workstation, you can disable inetd
entirely.  If you don't plan on using IRIX's weakly-implemented
abilities-system, go ahead and universally remove the setuid bits from
everything under /usr/sysadm and /usr/Cadmin [2].

> and how do i get to use passwords longer than 8 chars?

You don't.  At least, not without breaking open libc.so and installing
your own crypt().  And, even then, you'll probably cause buffer overflows
in half of the programs that call it.  IRIX userland probablly assumes a
buffer size of 13 or 14 bytes.

Maybe we'll see MD5-hashed passwords in IRIX 7, whenever -that- happens.  
Does Solaris have an option for MD5-hashed passwords yet?  It's about time
that the commercial unixen caught up with the Linux and BSD crowd on this
point.

--Jonathan
[1] The lack of documentation on how to get things working well ranged
    from "nonexistant" to "well, it worked about 80 versions ago".  Since
    I'm such a Postfix newbie, it kicked my ass for a few hours.  I plan
    on fixing that.
[2] The sheer count of setuid files will frighten you.