On Thu, Jun 29, 2017 at 09:24:09AM -0400, Lennart Sorensen via talk wrote:
> On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> > Christopher Browne via talk wrote:
> > > On 27 June 2017 at 19:53, Kevin Cozens via talk <[email protected]> wrote:
> > > > You may also want to "chmod 711 /etc", FWIW.
> > >
> > > That means that non-root-space applications will have no access to their
> > > configuration in /etc, thereby breaking services.
> >
> > Umm, no. The x-bit is what you need to access files inside a directory,
> > so a non-root user can still access /etc/resolv.conf and so on. Not
> > having the r-bit means you can't "read" the directory itself and get a
> > list of files in it. So no filename autocompletion for you while you're
> > trying to cat that file!
>
> Without the r bit you can not read the contents of a file.
>
> > However, all the filenames that matter in /etc are fairly canonical and
> > not being able to "ls /etc" isn't really going to slow folk down much,
> > just unnecessarily annoy them.
>
> Yes removing the x bit would probably not be a problem, but removing
> the r bit would.
>
> > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on
> > many key files, the upshot of which was that everything on the "secured"
> > firewall had to run as root and it ended up less secure.
>
> And 711 is no better. 744 might work OK though.
>
> Now if you meant chmod JUST /etc, then sure fine. I think we all thought
> you meant recursively chmod /etc which would be a disaster.

OK that 'you' should have been the person that suggested chmod on /etc.

--
Len Sorensen
---
Talk Mailing List
[email protected]
https://gtalug.org/mailman/listinfo/talk
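
The directory permission modes discussed in this thread, as an added example that is not part of any poster's message: it applies each mode to a scratch directory and derives, from the real mode bits, what a user in the "other" class could do there. The scratch `etc` directory, the sample `resolv.conf` and the function names are constructed for illustration; ACLs, root and capabilities are ignored.

```python
import os
import stat
import tempfile


def other_access(directory, filename):
    """Return (can_list, can_read) for the 'other' permission class.

    Decided from mode bits alone: listing a directory needs o+r on it;
    opening a file inside needs o+x on the directory and o+r on the file.
    """
    dir_mode = os.stat(directory).st_mode
    file_mode = os.stat(os.path.join(directory, filename)).st_mode
    can_list = bool(dir_mode & stat.S_IROTH)
    can_traverse = bool(dir_mode & stat.S_IXOTH)
    can_read = can_traverse and bool(file_mode & stat.S_IROTH)
    return can_list, can_read


def compare_modes(modes=(0o755, 0o711, 0o744, 0o700)):
    """Apply each mode to a scratch directory holding a 0644 file."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        etc = os.path.join(scratch, "etc")        # constructed stand-in for /etc
        os.mkdir(etc)
        conf = os.path.join(etc, "resolv.conf")   # constructed sample file
        with open(conf, "w") as fh:
            fh.write("nameserver 192.0.2.53\n")
        os.chmod(conf, 0o644)
        for mode in modes:
            os.chmod(etc, mode)                   # directory only, not recursive
            results[mode] = other_access(etc, "resolv.conf")
        os.chmod(etc, 0o755)                      # restore before cleanup
    return results


if __name__ == "__main__":
    for mode, (can_list, can_read) in compare_modes().items():
        print(f"{mode:o}: ls={can_list} cat={can_read}")
```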
