Important Files

Contents:
Security-Related Devices and Files
Important Files in Your Home Directory
SUID and SGID Files

This appendix lists some of the files on UNIX systems that are important from the perspective of overall system security. We have tried to make this as comprehensive a list as possible. Nevertheless, there are doubtless some system-specific files that we have omitted. If you don't see a file here that you think should be added, please let us know.

Security-Related Devices and Files

This section lists many of the devices, files, and programs mentioned in this tutorial. Note that these programs and files may be located in different directories under your version of UNIX.

Devices

All UNIX devices potentially impact security. You should, however, pay special attention to the following entries. On many systems, including SVR4, these entries are links to files in the /devices directory, but the actual names in that directory depend on the underlying hardware configuration. Thus, we will reference them by their /dev names.

Name             Description
/dev/audio       Audio input/output device
/dev/console     System console
/dev/*diskette*  Floppy disk device
/dev/dsk/*       System disks
/dev/fbs/*       Framebuffers
/dev/fd/*        File descriptors (/dev/fd/0 is a synonym for stdin, /dev/fd/1 for stdout, etc.)
/dev/*fd*        Floppy disk drives
/dev/ip          IP interface
/dev/kbd         Keyboard device
/dev/klog        Kernel log device
/dev/kmem        Kernel memory
/dev/kstat       Kernel statistics device
/dev/log         Log device
/dev/mem         Memory
/dev/modem       Modem
/dev/null        Null device
/dev/pty*        Pseudo terminals
/dev/random      Random device
/dev/rdsk        Raw disk devices
/dev/rmt8        Tape device
/dev/*sd*        SCSI disks
/dev/*st*        SCSI tapes
/dev/tty*        Terminal devices
/dev/zero        Source of nulls

Log Files

Name                Description
/etc/utmp           Lists users currently logged into system
/etc/utmpx          Extended utmp file
/etc/wtmp           Records all logins and logouts
/etc/wtmpx          Extended wtmp file
/usr/adm/acct[1]    Records commands executed
/usr/adm/lastlog    Records the last time a user logged in
/usr/adm/messages   Records important messages
/usr/adm/pacct      Accounting for System V (usually)
/usr/adm/saveacct   Records accounting information
/usr/adm/wtmp       Records all logins and logouts

[1] /usr/adm may actually be a link to /var/adm.

System Databases

Name                              Description
/etc/bootparams                   Boot parameters database
/etc/cron/*                       System V start-up files
/etc/defaultdomain                Default NIS domain
/etc/defaultrouter                Default router to which your workstation sends packets destined for other networks
/etc/defaults/su                  Default environment for root after su
/etc/defaults/login               Default environment for login
/etc/dfs/dfstab                   SVR4
/etc/dialup                       List of dial-up lines
/etc/dumpdates                    Records when a partition was dumped
/etc/d_passwd                     File of dial-up passwords (some systems)
/etc/ethers                       Mapping of Ethernet addresses to IP addresses for RARP
/etc/exports                      NFS exports list (Berkeley-derived systems)
/etc/fbtab                        Login device permission (SunOS systems)
/etc/filesystems                  List of AIX filesystems the computer supports
/etc/ftpusers                     List of users not allowed to use FTP over the network
/etc/fstab                        Filesystems to mount (Berkeley)
/etc/group                        Denotes membership in groups
/etc/hostnames.xx                 Hostname for interface xx
/etc/hosts                        List of IP hosts and host names
/etc/hosts.allow                  Hosts for which tcpwrapper allows connection
/etc/hosts.deny                   Hosts for which tcpwrapper denies connection
/etc/hosts.equiv                  Lists trusted machines
/etc/hosts.lpd                    Lists machines allowed to print on your computer's printer
/etc/inetd.conf                   Configuration file for /etc/inetd
/etc/init.d/*                     System V start-up files
/etc/inittab                      tty start-up information; controls what happens at various run levels (System V)
/etc/keystore                     Used in SunOS 4.0 to store cryptography keys
/etc/login.access                 Used to control who can log in from where (logdaemon and some more recent BSD systems)
/etc/logindevperm                 Login device permissions (Solaris systems)
/etc/master.passwd                Shadow password file on some BSD systems
/etc/motd                         Message of the day
/etc/mnttab                       Table of mounted devices
/etc/netgroup                     Netgroups file for NIS
/etc/netid                        Netname database
/etc/netstart                     Network configuration for some BSD systems
/etc/nodename                     Name of your computer
/etc/ntp.conf                     NTP configuration file
/etc/nsswitch.conf                For Solaris (files, NIS, NIS+), the order in which system databases for accounts, services, etc., should be read
/etc/passwd                       Users and encrypted passwords
/etc/printcap                     Printer configuration file
/etc/profile                      Default user profile
/etc/publickey                    Computer's public key
/etc/rc*                          Reboot commands script
/etc/rc?.d/*                      System V start-up files for each run level
/etc/remote                       Modem and telephone-number information for tip
/etc/resolv.conf                  DNS configuration file
/etc/security/*                   Various operating system security files
/etc/security/passwd.adjunct      Shadow-password file for SunOS
/etc/services                     Lists network services
/etc/shadow                       Shadow password file
/etc/shells                       Legal shells for FTP users and for the chsh command
/etc/skeykeys                     Used by S/Key
/etc/socks.conf                   SOCKS configuration file
/etc/syslog.conf                  syslog configuration file
/etc/tftpaccess.ctl               Access to TFTP daemon (AIX systems)
/etc/timezone                     Your time zone
/etc/ttys, /etc/ttytab            Defines active terminals
/etc/utmp                         Lists users currently logged into system
/etc/vfstab                       Filesystems to mount at boot time (SVR4)
/etc/X0.hosts                     Allows access to X0 server
/usr/lib/aliases or /etc/aliases  Lists mail aliases for /usr/lib/sendmail (may be in /etc or /etc/sendmail)
/usr/lib/crontab                  Scheduled execution file
/usr/lib/sendmail.cf              sendmail configuration file
/usr/lib/uucp/Devices             UUCP BNU
/usr/lib/uucp/L.cmds              UUCP Version 2
/usr/lib/uucp/L-devices           UUCP Version 2
/usr/lib/uucp/Permissions         UUCP BNU
/usr/lib/uucp/USERFILE            UUCP Version 2
/var/spool/cron*                  cron files, including cron.allow, cron.deny, at.allow, and at.deny
/var/spool/cron/crontabs/*        Individual user files (System V)

/bin Programs

Some of these programs may be found in other directories, including /usr/bin, /sbin, /usr/sbin, /usr/ccs/bin, and /usr/local/bin.

Name                         Description
adb                          Debugger; also can be used to edit kernel
cc                           C compiler
cd, chdir                    Built-in shell command
chgrp                        Changes group of files
chmod                        Changes permissions of files
chown                        Changes owner of files
chsh                         Changes a user's shell
cp                           Copies files
crypt                        Encrypts files
csh                          C-shell command interpreter
cu                           Places telephone calls
dbx                          Debugger
des                          DES encryption/decryption program
ex3.7preserve, ex3.7recover  vi buffer recovery programs
find                         Finds files
finger                       Prints information about users
fsirand                      Randomizes i-node numbers on a disk
ftp                          Transfers files on a network
gcore                        Gets a core file for a running process
kill                         Kills processes
kinit                        Authenticates to Kerberos
ksh                          Korn-shell command interpreter
last                         Prints when users logged on
lastcomm                     Prints what commands were run
limit                        Changes process limits
login                        Prints the password: prompt
ls                           Lists files
mail                         Sends mail
netstat                      Prints status of network
newgrp                       Changes your group
perl, suidperl, taintperl    System administration and development language. SUID perl has special provisions for SUID programs; taintperl has special data-tainting features
passwd                       Changes passwords
ps                           Displays processes
pwd                          Prints your working directory
renice                       Changes the priority of a process
rlogin                       Logs you into another machine
rsh, krsh, rksh              Restricted shell (System V)
rsh                          Remote shell (named remsh on System V)
sh                           Bourne-shell command interpreter
strings                      Prints the strings in a file
su                           Becomes the superuser, or changes your current user ID
sysadmsh                     System administrator's shell
telnet                       Becomes a terminal on another machine
tip                          Calls another machine
umask                        Changes your umask (shell built-in)
users                        Prints users logged in
uucheck                      Checks UUCP security
uucico                       Transfers UUCP files
uucp                         Queues files for transfer by UUCP
uudecode                     Decodes uu-encoded files
uux                          Queues programs for execution by UUCP
w                            Prints what people are doing
who                          Prints who is logged in
write                        Prints messages on another's terminal
xhost                        Allows other hosts to access your X Window Server
XScreensaver                 Clears and locks an X screen
yppasswd                     Changes your NIS password

/etc Programs

The following programs are typically placed in the /etc, /sbin, /usr/sbin, or /usr/etc directories.

Name                   Description
accton                 Turns on accounting
arp                    Address resolution protocol
comsat                 Alerts to incoming mail
dmesg                  Prints messages from system boot
exportfs               Exports a filesystem (Berkeley)
fingerd or in.fingerd  Finger daemon
ftpd or in.ftpd        FTP daemon
fsck                   Filesystem-consistency checker
getty                  Prints the login: prompt
inetd                  Internet daemon
init                   First program to run
lockd                  Lock daemon
lpc                    Line-printer control
makekey                Runs crypt() library routine (in /usr/lib)
mount                  Mounts partitions
ntalkd                 Talk daemon
ping                   Network test program
rc?                    Boot scripts
rc?.d                  Directories containing boot scripts
rdump                  Remote dump program
renice                 Changes priority of programs
rexecd or in.rexecd    Remote execution daemon
rlogind or in.rlogind  Remote login daemon
routed                 Route daemon
rshd                   Remote shell daemon
sa                     Processes accounting logs
sendmail               Network mailer program (may be in /lib or /lib/sendmail)
share                  Exports a filesystem (SVR4)
showmount              Shows clients that have mounted a filesystem
sockd                  SOCKS daemon
syslogd                System log daemon
talkd or in.talkd      Talk daemon
tcpd                   TCP wrapper
telnetd or in.telnetd  Telnet daemon
tftpd or in.tftpd      TFTP daemon
ttymon                 Monitors terminal ports
uucpd                  UUCP over TCP/IP daemon
yp/makedbm             Makes an NIS database