Re: permissions

[Ray Olszewski]

At 06:15 PM 5/28/01 +0200, Tom Beer wrote:
>Hi,
>
>I know how to apply group / world permission,
>but e.g. can I do a chmod 700 to /etc/passwd ?
>and it'll works? I mean what is the underlying
>structure of the permissions?


Ooph! This is a tough one. The short answer is that there is no easily
described "underlying structure". As a general rule:

        a lot of files need to be readable by many applications,
                so they are mode 644. /etc/passwd is like that,
                since many programs need to verify the presence
                of an account on a system. If you chmod it to
                600 (not 700, since that makes it executable),
                some of them will break. (So the answer to your
                "e.g." above is NO, for the interesting meanings
                of "works".)

        many applications need to be run by any user, so they are
                mode 711 (compiled apps) or 755 (shell script and 
                Perl programs). Almost any Unix/Linux command you
                run from the command line is like that. Changing
                this will make things break for your users.

        some applications need to run with special privileges, even
                when run by an ordinary user (/bin/passwd is the 
                most familiar example), so they have the "setuid"
                bit set, allowing them to run with the access levels
                of their owners, not their uses. Chaning this will
                make things break.

As a general guide for a beginner (and this is a list for beginners, after
all) ... if you are using any of the major Linux distributions, you should
assume that the permissions for system files are right, or almost right.
Change specific things for specific reasons, but expect that the system will
break if you try making wholesale changes.

One thing you can safely do is change the mode of directories in /home .
They often default to 755, allowing any user to see, read, and execute files
in another's home directory. Changing this to 700 will protect users from
one another.

If you have specific sorts of security-related additions you want to add to
your system, your best bet is to describe here what you have in mind. Then
possibly someone can make suggestions about how to make it work. 


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                    [EMAIL PROTECTED]        
----------------------------------------------------------------

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.linux-learn.org/faqs