I tend to chmod 4750 any setuid root binaries so that only people in wheel can execute them. Could help prevent a local privilege escalation if someone manages to obtain uid nobody via Apache or some other service, or you just have untrusted users on your system.
I also chmod 700 all home directories to prevent users snooping through each other's files -- the number of times I've come across 'passwords.txt'-like files is alarming!
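An audit for the two settings described above, as an added example that is not part of the original comment. The function names are hypothetical, GNU findutils is assumed, and the fix is only printed, never executed.

```shell
#!/bin/sh
# Added example, not from the original comment. Assumes GNU findutils.
# Typical use after sourcing this file:
#   audit_setuid /usr/bin; plan_setuid_fix /usr/bin; audit_homes /home

# List setuid files owned by OWNER (default root) under DIR that users
# outside the file's group can still execute (the "other" x bit is set).
audit_setuid() {
    dir=$1; owner=${2:-root}
    find "$dir" -xdev -type f -user "$owner" -perm -4000 -perm -0001 \
        2>/dev/null | sort
}

# Print (do not run) the commands that would restrict each finding to
# GROUP (default wheel). chgrp comes first: changing a file's group
# clears the setuid bit on Linux, so chmod 4750 must run last.
plan_setuid_fix() {
    dir=$1; group=${2:-wheel}; owner=${3:-root}
    audit_setuid "$dir" "$owner" | while IFS= read -r f; do
        printf 'chgrp %s "%s" && chmod 4750 "%s"\n' "$group" "$f" "$f"
    done
}

# List directories directly under BASE that grant any group or other
# access, i.e. anything looser than mode 700.
audit_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 2>/dev/null | sort
}
```

Review the printed plan before applying it: any setuid binary it restricts (for example one used to change passwords) stops working for accounts outside the chosen group.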