/*-
 * Copyright (c) 1998 Robert N. Watson
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name Robert N. Watson may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	$Id: policy-stable,v 1.1 1998/07/15 15:24:34 robert Exp $
 */
/*
 * Policy layout used throughout this file:
 *   set "<name>" { ... }            one group of related setuid/setgid programs
 *   declare level "<lvl>" "<desc>"  a selectable restriction level and its description
 *   file "<path>" { ... }           per-file mode/owner/group for "default" and each level
 * Mode strings are octal; the leading digit is 4 = setuid, 2 = setgid,
 * 6 = setuid+setgid, 0 = neither.
 * NOTE(review): the tool that consumes this policy is not named on this page;
 * a file entry that omits owner or group (see the "suidperl" and "shutdown"
 * sets) is assumed to leave the file's current owner/group untouched - confirm
 * against the tool before relying on those levels.
 */
set "cu" {
	comment "Serial port communications utility";
	declare level "dialer-only" "Restrict to dialer group";
	declare level "root-only" "Restrict to root user";
	declare level "disabled" "Disable cu";
	file "/usr/bin/cu" {
		comment "serial port communication utility";
		/* owner and group are spelled out for every level because the
		 * non-default levels change them as well as the mode. */
		mode default "6555";		/* setuid uucp, setgid dialer, world-executable */
		owner default "uucp";
		group default "dialer";
		/* NOTE(review): "dialer-only" narrows who may run cu to the dialer
		 * group but also moves the setuid owner from uucp to root, so those
		 * users now run cu with root privilege rather than uucp's - confirm
		 * this privilege increase is intended. */
		mode "dialer-only" "6550";
		owner "dialer-only" "root";
		group "dialer-only" "dialer";
		mode "root-only" "0500";		/* setuid/setgid cleared; only the owner (root) may execute */
		owner "root-only" "root";
		group "root-only" "wheel";
		mode "disabled" "0000";		/* no permission bits at all */
		owner "disabled" "root";
		group "disabled" "wheel";
	};
};

set "uucp" {
	comment "Unix-to-Unix Copy";
	declare level "disabled" "Disable UUCP";
	file "/usr/bin/uucp" {
		mode default "4555";
		owner default "uucp";
		group default "bin";
		mode "disabled" "0000";
		owner "disabled" "root";
		group "disabled" "wheel";
	};
	file "/usr/bin/uux" {
		mode default "4555";
		owner default "uucp";
		group default "bin";
		mode "disabled" "0000";
		owner "disabled" "root";
		group "disabled" "wheel";
	};
	file "/usr/bin/uustat" {
		mode default "6555";
		owner default "uucp";
		group default "dialer";
		mode "disabled" "0000";
		owner "disabled" "root";
		group "disabled" "wheel";
	};
	file "/usr/libexec/uucp/uucico" {
		mode default "6555";
                owner default "uucp";
                group default "dialer";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
	file "/usr/libexec/uucp/uuxqt" {
		mode default "4550";
		owner default "uucp";
		group default "uucp";
		mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
	file "/usr/bin/uuname" {
                mode default "4555";
                owner default "uucp";
                group default "bin";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
};

set "suidperl" {
	comment "Setuid perl support";
	declare level "wheel-only" "Restrict to wheel group";
	declare level "root-only" "Restrict to root user";
	declare level "disabled" "Disable suidperl";
	/* hardlinks to one-another:
		/usr/bin/suidperl
		/usr/bin/sperl4.036
	   Permission bits live on the shared inode, so the single entry for
	   /usr/bin/suidperl below covers every link. */
	/* NOTE(review): only the mode is pinned here; owner and group are left
	 * as found on disk, unlike the other sets in this file.  "wheel-only"
	 * (4110) therefore limits execution to whatever group the installed file
	 * currently carries, which is "wheel" only if it was installed that way -
	 * consider adding owner/group lines as the "at" and "passwd" sets do. */
	file "/usr/bin/suidperl" {
		mode default "4111";		/* setuid; execute-only for everyone */
		mode "wheel-only" "4110";	/* setuid; execute-only for owner and group */
		mode "root-only" "0100";	/* setuid cleared; owner-execute only */
		mode "disabled" "0000";
	};
};

set "at" {
	comment "Batch job scheduling";
	declare level "wheel-only" "Restrict to wheel group";
	declare level "root-only" "Restrict to root";
	declare level "disabled" "Disable at*";
	/* hardlinks to one-another:
		/usr/bin/at
		/usr/bin/atq
		/usr/bin/atrm
		/usr/bin/batch
	*/
	file "/usr/bin/at" {
		mode default "4555";
		owner default "root";
		group default "bin";
		mode "wheel-only" "4550";
		owner "wheel-only" "root";
		group "wheel-only" "wheel";
		mode "root-only" "0500";
		owner "root-only" "root";
		group "root-only" "wheel";
		mode "disabled" "0000";
		owner "disabled" "root";
		group "disabled" "wheel";
	};
};

set "passwd" {
	/* hardlinks to one-another:
		/usr/bin/passwd
		/usr/bin/yppasswd
	*/
	comment "Utilities to allow password changing, etc.";
	declare level "wheel-only" "Restrict to wheel group";
	declare level "root-only" "Restrict to root user";
	declare level "disabled" "Disable passwd utilities";
	file "/usr/bin/passwd" {
		mode default "4555";
		owner default "root";
		group default "bin";
		mode "wheel-only" "4550";
		owner "wheel-only" "root";
		group "wheel-only" "wheel";
		mode "root-only" "0500";
		owner "root-only" "root";
		group "root-only" "wheel";
		mode "disabled" "0000";
		owner "disabled" "root";
		group "disabled" "wheel";
	};
	/* hardlinks to one-another:
		/usr/bin/chpass
		/usr/bin/chfn
		/usr/bin/chsh
		/usr/bin/ypchpass
		/usr/bin/ypchfn
		/usr/bin/ypchsh
	*/
	file "/usr/bin/chpass" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root"; 
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
	};
};

set "lock" {
        comment "Utility to lock the terminal";
        declare level "wheel-only" "Restrict to wheel group";
        declare level "root-only" "Restrict to root user";
        declare level "disabled" "Disable lock utility";
        file "/usr/bin/lock" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        }; 
};

set "skey" {
        comment "One-time s/key password management utilities";
        declare level "wheel-only" "Restrict to wheel group";
        declare level "root-only" "Restrict to root user";
        declare level "disabled" "Disable s/key management utilities";
        file "/usr/bin/keyinfo" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
        file "/usr/bin/keyinit" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
};

set "login" {
	comment "Command-line login command";
        declare level "wheel-only" "Restrict to wheel group";
        declare level "root-only" "Restrict to root user";
        declare level "disabled" "Disable command-line login command";
        file "/usr/bin/login" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                /* "disabled" here only clears the setuid bit instead of removing
                 * all access (0000 as in the other sets): the binary stays
                 * executable, but non-root invocations no longer gain root.
                 * Presumably this keeps console/tty logins working for callers
                 * that are already root - confirm. */
                mode "disabled" "0555"; /* leave available for normal login */
                owner "disabled" "root";
                group "disabled" "wheel";
        };
};

set "quota" {
	comment "Quota inspection utility";
        declare level "wheel-only" "Restrict to wheel group";
        declare level "root-only" "Restrict to root user";
        declare level "disabled" "Disable quota inspection utility";
        file "/usr/bin/quota" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
		mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
};

set "rsh" {
	comment "R-commands (rsh,rcp,rlogin)";
        declare level "wheel-only" "Restrict to wheel group";
        declare level "root-only" "Restrict to root user";
        declare level "disabled" "Disable R-commands (rsh,rcp,rlogin)";
        file "/usr/bin/rsh" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
        file "/bin/rcp" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
        file "/usr/bin/rlogin" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
};

set "crontab" {
	comment "User cron event editor";
        declare level "wheel-only" "Restrict to wheel group";
        declare level "root-only" "Restrict to root user";
        declare level "disabled" "Disable user crontab editing";
        file "/usr/bin/crontab" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
};

set "su" {
	comment "Switch user (su) command";
        declare level "wheel-only" "Restrict to wheel group";
        declare level "root-only" "Restrict to root user";
        declare level "disabled" "Disable su";
        file "/usr/bin/su" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        }; 
};

set "lpr" {
	comment "Line-printer (lpr,lpq,lprm) utilities";
        declare level "root-only" "Restrict to root user";
        declare level "disabled" "Disable line-printer utilities";
        file "/usr/bin/lpr" {
                mode default "6555";
                owner default "root";
                group default "daemon";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
	file "/usr/bin/lpq" {
                mode default "6555";
                owner default "root";
                group default "daemon";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
	};
	file "/usr/bin/lprm" {
                mode default "6555";
                owner default "root";
                group default "daemon";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
};

/* Not currently doing mail suid stuff due to nasty interactions
set "mail" {
        file "/usr/bin/newaliases" {
                mode default "4555";
                owner default "root";
                group default "bin";
        };
        file "/usr/bin/mailq" {
                mode default "4555";
                owner default "root";
                group default "bin";
        };
        file "/usr/bin/hoststat" {
                mode default "4555";
                owner default "root";
                group default "bin";
        };
        file "/usr/libexec/mail.local" {
                mode default "4555";
                owner default "root";
                group default "bin";
        };
        file "/usr/sbin/sendmail" {
                mode default "4555";
                owner default "root";
                group default "bin";
        };
        file "/usr/sbin/purgestat" {
                mode default "4555";
                owner default "root";
                group default "bin";
        };
};
*/

set "kerberosIV" {
	comment "KerberosIV user self-registration utility";
	declare level "disabled" "Disable kerberosIV self-registration";
        file "/usr/bin/register" {
                mode default "4555";
                owner default "root";
                group default "bin";
		mode "disabled" "0000";
		owner "disabled" "root";
		group "disabled" "wheel";
        };
};

set "multicast" {
	comment "Multicast route management (mrinfo, mtrace)";
        declare level "wheel-only" "Restrict to wheel group";
        declare level "root-only" "Restrict to root user";
        declare level "disabled" "Disable multicast utilities";
        file "/usr/sbin/mrinfo" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
	file "/usr/sbin/mtrace" {
                mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
        };
};

set "ppp" {
	comment "Point-to-Point Protocol (PPP) Utilities";
	declare level "disabled" "Disable PPP utilities";
        file "/usr/sbin/ppp" {
                mode default "4550";
                owner default "root";
                group default "network";
		mode "disabled" "0000";
		owner "disabled" "root";
		group "disabled" "wheel";
        };
        file "/usr/sbin/pppd" {
                mode default "4555";
                owner default "root";
                group default "bin";
		mode "disabled" "0000";
		owner "disabled" "root";
		group "disabled" "wheel";
        };
};

set "slip" {
	comment "Serial Line IP (SLIP) Utilities";
	declare level "disabled" "Disable SLIP utilities";
        file "/usr/sbin/sliplogin" {
                mode default "4550";
                owner default "root";
                group default "network";
		mode "disabled" "0000";
		owner "disabled" "root";
		group "disabled" "wheel";
        };
};

set "timed" {
	comment "Time daemon control command";
	declare level "wheel-only" "Restrict to wheel group";
        declare level "root-only" "Restrict to root user";
        declare level "disabled" "Disable timed control command";
	file "/usr/sbin/timedc" {
		mode default "4555";
                owner default "root";
                group default "bin";
                mode "wheel-only" "4550";
                owner "wheel-only" "root";
                group "wheel-only" "wheel";
                mode "root-only" "0500";
                owner "root-only" "root";
                group "root-only" "wheel";
                mode "disabled" "0000";
                owner "disabled" "root";
                group "disabled" "wheel";
	};
};

set "ping" {
    comment "utilities used in network debugging";
    declare level "wheel-only" "Restrict to wheel group";
    declare level "root-only" "Restrict to root user";
    declare level "disabled" "Disable utility";
    file "/sbin/ping" {
        mode default "4555";
	owner default "root";
	group default "bin";
        mode "wheel-only" "4550";
	owner "wheel-only" "root";
	group "wheel-only" "wheel";
        mode "root-only" "0500";
	owner "root-only" "root";
	group "root-only" "wheel";
        mode "disabled" "0000";
	owner "disabled" "root";
	group "disabled" "wheel";
    };
    file "/usr/sbin/traceroute" {
        mode default "4555";
        owner default "root";
        group default "bin";
        mode "wheel-only" "4550";
        owner "wheel-only" "root";
        group "wheel-only" "wheel";
        mode "root-only" "0500";
        owner "root-only" "root";
        group "root-only" "wheel";
        mode "disabled" "0000";
        owner "disabled" "root";
        group "disabled" "wheel";
    };
};

set "route" {
	comment "Route table manipulation tool";
	declare level "wheel-only" "Restrict to wheel group";
	declare level "root-only" "Restrict to root user";
	declare level "disabled" "Disable utility";
        file "/sbin/route" {
                mode default "4555";
                owner default "root";
                group default "bin";
		mode "wheel-only" "4550";
		owner "wheel-only" "root";
		group "wheel-only" "wheel";
		mode "root-only" "0500";
		owner "root-only" "root";
		group "root-only" "wheel";
		mode "disabled" "0000";
		owner "disabled" "root";
		group "disabled" "wheel";
        };
};

set "shutdown" {
	comment "System shutdown command (shutdown)";
	declare level "root-only" "Restrict to root user";
	declare level "disabled" "Disable shutdown utility";
	/* NOTE(review): no owner lines here, unlike most other sets.  With the
	 * setuid bit set (4550) the privilege handed to the operator group is
	 * that of whichever user owns the installed file, and "root-only" only
	 * means root if that owner is already root - consider pinning
	 * owner "root" for every level as the "su" and "route" sets do. */
	file "/sbin/shutdown" {
		mode default "4550";		/* setuid; executable by owner and the operator group */
		group default "operator";
		mode "root-only" "0500";		/* setuid cleared; owner-execute only */
		group "root-only" "wheel";
		mode "disabled" "0000";		/* no permission bits at all */
		group "disabled" "wheel";
	};
};

