On Mon Jun 30, 2003 at 02:12:35PM -0500, Praedor Atrebates wrote: > > > at all. I went into DrakConf and set the security level to "high" and > > > this fixed the horrific insecurity of the default setup, but it also > > > unfortunately fired up shorewall with settings that prevented me from > > > being able to access the system remotely > > I see...but is it really a good idea to permit execute perms to any and > sundry? I used to think that if there were a linux virus/worm to be > concerned about that the worst that could happen under normal circumstances > is that a user who received and executed a viral script would possibly trash > his own home and that's it. Now I see that this is not accurate...ALL users > could trash their homes by executing a bad script/executable in ANY infected > user's home. The default setup makes this possible...and most <new> users > wont bother (or think to bother) to change home perms.
I don't think you understand the relevance of the execute bit on a directory versus on a file. On a directory, execute permissions let you into the directory. That's it. It doesn't allow you to execute stuff in the directory, it doesn't allow you to get the directory contents, and it doesn't allow you to write to the directory. For all intents and purposes, you can do a cd ~vdanen and see, touch, etc. absolutely nothing unless those permissions provided it *and* you know what you're looking for. This is why it's used when people do the ~/public_html/ bit. apache needs to get into ~/ in order to get into ~/public_html. Giving it the ability to do so is not, by itself, a security flaw. -- MandrakeSoft Security; http://www.mandrakesecure.net/ Online Security Resource Book; http://linsec.ca/ "lynx -source http://linsec.ca/vdanen.asc | gpg --import" {FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
pgp00000.pgp
Description: PGP signature
