Re: file permissions in /etc

1999-11-30 Thread Quietman
Marek Habersack wrote:

> that has to access them. If you really insist on hiding the contents of the
> /etc directory from an average user and still allowing the programs to
> access their config files set the /etc permissions to 711.

I don't think that is likely to work since bit one is the execute bit and most
config files don't need to be executed, just read by the program that needs
them.

Cheers,
Tom


Re: file permissions in /etc

1999-11-29 Thread aphro
A lot of system programs store their default config file there (lynx comes
to mind), so yes, there will be issues. There really isn't a reason I can
think of that making /etc readable by root only would help security all
that much. I'd suggest making the compiler(s) runnable only by root (same for
the libraries the compilers use), making users' home dirs on another partition
mounted with at least the noexec option, and making sure there are no
directories writable by users (like /tmp) on a partition that is not
mounted with such options. I also suggest using a patched kernel
(www.openwall.com/linux comes to mind) and installing a StackGuard compiler
so anything that IS compiled has some kind of protection (it's not perfect,
but better than nothing in most cases -- note: don't compile the kernel with
StackGuard).

*burp* 

nate

On Mon, 29 Nov 1999, Evan Moore wrote:

> I have been reading about securing my linux box and it mentions making
> /etc readable only by root. Would this mess up anything by making
> all of the /etc file permissions 600?
> 
> thanks in advance
> evan
> 
> 
> -- 
> Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
> 

--[mailto:[EMAIL PROTECTED] ]--
   Vice President Network Operations    http://www.firetrail.com/
   Firetrail Internet Services Limited  http://www.aphroland.org/
   Everett, WA 425-348-7336             http://www.linuxpowered.net/
   Powered By:                          http://comedy.aphroland.org/
   Debian 2.1 Linux 2.0.36 SMP          http://yahoo.aphroland.org/
--[mailto:[EMAIL PROTECTED] ]--
10:57am up 101 days, 22:37, 1 user, load average: 1.90, 1.80, 1.69


Re: file permissions in /etc

1999-11-29 Thread Marek Habersack
* Evan Moore said:
> I have been reading about securing my linux box and it mentions making
> /etc readable only by root. Would this mess up anything by making
> all of the /etc file permissions 600?
Hmm... Is it a Microsoft Security Bulletin you've been reading? :)))
Seriously, securing /etc in that way would break some 80% of the programs out
there on your Linux box. Take /etc/passwd for one - (g)libc looks up users
in that file (unless you use the DB databases); /etc/group - ditto;
/etc/services, /etc/Muttrc, the shells' global startup scripts and dozens and
dozens of others. Making /etc 600 is an excellent example of security by
obscurity - a very poor security measure. There *are* config files which
should be readable only by root and are used only by programs running as
root. There are also files which are read only by a specific program run
with a specific user's rights. These you can make 600 and chown to the user
that has to access them. If you really insist on hiding the contents of the
/etc directory from an average user and still allowing the programs to
access their config files, set the /etc permissions to 711.

marek


pgpVckekQYpJK.pgp
Description: PGP signature

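The point at issue in this thread is what the mode bits mean on a directory, as opposed to a file: on a directory, 'r' permits listing the entries and 'x' (the search bit) permits opening an entry by name. With /etc at mode 711, an unprivileged program can still open /etc/passwd by its full path; it just cannot run `ls /etc`. The following is an added example, not code from the thread: it builds a temporary directory owned by the current user, sets it to mode 0o111 (search-only for everyone, owner included, since we cannot chmod the real /etc), and probes both operations. Root bypasses these DAC checks, so the result also records whether it ran as UID 0. The sample passwd line inside is constructed.

```python
"""Directory search bit (the 'x' in 711) versus the directory read bit."""
import os
import shutil
import stat
import tempfile


def describe_dir_mode(mode):
    """Map a directory mode to what each class can do with the directory.

    'list' needs the r bit; 'traverse' (open an entry by name) needs x.
    """
    classes = (
        ("owner", stat.S_IRUSR, stat.S_IXUSR),
        ("group", stat.S_IRGRP, stat.S_IXGRP),
        ("other", stat.S_IROTH, stat.S_IXOTH),
    )
    return {who: {"list": bool(mode & r), "traverse": bool(mode & x)}
            for who, r, x in classes}


def probe_search_only_dir():
    """Create a dir holding one file, chmod the dir 0o111, probe, clean up.

    Returns (listing_allowed, open_by_name_allowed, running_as_root).
    Mode 0o111 (rather than 0o711) is used so the restriction applies to the
    owner too; otherwise the owner's own rwx bits would mask the effect.
    """
    base = tempfile.mkdtemp(prefix="etc-711-demo-")
    target = os.path.join(base, "passwd")
    with open(target, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line
    os.chmod(target, 0o644)
    os.chmod(base, 0o111)  # --x--x--x: traverse only, no listing
    try:
        try:
            os.listdir(base)
            listing_allowed = True
        except PermissionError:
            listing_allowed = False
        try:
            # Opening by full name only needs x on the directory (plus the
            # file's own read bit), which is why programs keep working.
            with open(target) as fh:
                open_by_name_allowed = fh.readline().startswith("root:")
        except PermissionError:
            open_by_name_allowed = False
    finally:
        os.chmod(base, 0o700)  # restore so the tree can be removed
        shutil.rmtree(base)
    return listing_allowed, open_by_name_allowed, os.geteuid() == 0


if __name__ == "__main__":
    print("711 effects per class:", describe_dir_mode(0o711))
    listed, opened, root = probe_search_only_dir()
    print("listing allowed:", listed, "| open by name:", opened,
          "| ran as root:", root)
```

Run as an ordinary user the probe reports listing refused and open-by-name permitted; a glob or `ls` based tool breaks, anything that opens a known path does not. Note that 711 only hides file names: every world-readable file under /etc is still readable by anyone who knows (or guesses) its name, which is why Marek calls it obscurity rather than security.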

Re: file permissions in /etc

1999-11-29 Thread Ethan Benson

On 29/11/99 aphro wrote:


> id suggest making the compiler(s) runable only by root(same for
> the libraries the compilers use)


i suppose, but that takes the fun out of the system :-)


> make users home dirs on another partition
> mounted with at least the noexec option and make sure there is no
> directories writable by users(like /tmp) on a partition that is not
> mounted with such options.


Unfortunately this is easier said than done: the /var filesystem 
cannot be made noexec without problems, and it's littered with world 
writable directories. If you remove tetex you get rid of about half 
a dozen, but that still leaves /var/tmp and /var/lock (why is 
/var/lock world writable on Debian but not Red Hat??). I can make a 
partition for /var/tmp but not /var/lock!


Also note that if you mount /var/tmp noexec, root will have to remount 
it exec to install any .deb packages.


I personally just settle for nosuid on /var/tmp, /tmp, /home and /var 
(/var sometimes has suids though; check first).




Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/