[GTALUG] Linux hardening question
Kevin Cozens
kevin at ve3syb.ca
Sat Jul 1 14:54:51 EDT 2017
On 2017-06-28 10:05 AM, Lennart Sorensen wrote:
> On Tue, Jun 27, 2017 at 07:53:02PM -0400, Kevin Cozens via talk wrote:
>> You may also want to "chmod 711 /etc", FWIW.
>
> How well does that work out? So regular users (and services not running
> as root) can't resolve dns anymore (can't read nsswitch.conf or
> resolv.conf). That sounds inconvenient.

It works out well. I've been doing it for years. It seems some people
somehow misread or misunderstood the chmod. I meant "chmod" and definitely
not "chmod -R" as I think some people chose to interpret it.

It will inconvenience someone needing to do something on the machine where
they have to look at some file in /etc. They will typically have to su to root
first or use sudo.

The main idea is that it limits some of the casual poking around on the
machine that some non-root, non-staff users of the machine may want to do.
It won't do much to slow down some system cracker who manages to illegally
gain access to a system.

BTW, I liked that comment about temporarily changing perms on /tmp just to
mess with the heads of some users. :)

--
Cheers!
Kevin.
http://www.ve3syb.ca/ |"Nerds make the shiny things that distract
Owner of Elecraft K2 #2172 | the mouth-breathers, and that's why we're
| powerful!"
#include <disclaimer/favourite> | --Chris Hardwick
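
An added example, not part of the original message: a Python sketch of what a non-recursive mode change from 755 to 711 on a directory means for users in the "other" class, judged from permission bits only (ACLs and other access controls are ignored). The stand-in directory, its file names and the helper names `other_access` and `demo` are constructed for illustration.

```python
import os
import stat
import tempfile


def other_access(dirpath):
    """Report what a non-owner, non-group user may do in dirpath, from mode bits only."""
    dmode = os.stat(dirpath).st_mode
    can_list = bool(dmode & stat.S_IROTH)      # r on a directory: read the names in it
    can_traverse = bool(dmode & stat.S_IXOTH)  # x on a directory: look up a known name
    files = {}
    for name in sorted(os.listdir(dirpath)):   # run as owner or root, so listing works
        fmode = os.stat(os.path.join(dirpath, name)).st_mode
        if not stat.S_ISREG(fmode):
            continue
        # Opening a file by name needs x on the directory and r on the file itself.
        files[name] = can_traverse and bool(fmode & stat.S_IROTH)
    return {"list": can_list, "traverse": can_traverse, "readable_by_name": files}


def demo():
    """Build a constructed stand-in for /etc and compare mode 755 with 711."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        for name, mode in (("resolv.conf", 0o644), ("nsswitch.conf", 0o644), ("shadow", 0o600)):
            path = os.path.join(etc, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(path, mode)
        for dmode in (0o755, 0o711):
            os.chmod(etc, dmode)               # non-recursive, like plain "chmod 711 /etc"
            results[oct(dmode)] = other_access(etc)
        os.chmod(etc, 0o755)                   # restore so cleanup can list the directory
    return results


if __name__ == "__main__":
    for mode, report in demo().items():
        print(mode, report)
```
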