[GTALUG] Linux hardening question

Anthony de Boer adb at adb.ca
Wed Jun 28 19:21:55 EDT 2017


Christopher Browne via talk wrote:
> On 27 June 2017 at 19:53, Kevin Cozens via talk <talk at gtalug.org> wrote:
> > You may also want to "chmod 711 /etc", FWIW.
> 
> That means that non-root-space applications will have no access to their
> configuration in /etc, thereby breaking services.

Umm, no.  The x-bit is what you need to access files inside a directory,
so a non-root user can still access /etc/resolv.conf and so on.  Not
having the r-bit means you can't "read" the directory itself and get a
list of files in it.  So no filename autocompletion for you while you're
trying to cat that file!

However, all the filenames that matter in /etc are fairly canonical and
not being able to "ls /etc" isn't really going to slow folk down much,
just unnecessarily annoy them.

Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on
many key files, the upshot of which was that everything on the "secured"
firewall had to run as root and it ended up less secure.

-- 
Anthony de Boer
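To make the x-bit versus r-bit distinction above concrete, here is an added demonstration script; it is not from this thread or its posters. It builds a throwaway temp directory containing a constructed `resolv.conf`, then checks whether a known filename can still be read and whether the directory can be listed. Because the script runs as the directory's owner, the owner digit stands in for the "other" digit that a root-owned /etc applies to ordinary users: mode 0111 mirrors what `chmod 711 /etc` means to a non-root user, and 0000 mirrors `chmod 700 /etc`. The real /etc is never touched. Note that uid 0 bypasses these bits entirely, so the negative results only show up for an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): how a directory's x-bit
# and r-bit behave separately. Everything happens in a temp directory.
#
# The owner digit is used here to mimic the "other" digit of a root-owned
# /etc seen by a non-root user: 0111 ~ "chmod 711 /etc", 0000 ~ "chmod 700 /etc".

# Create a temp directory holding a constructed sample file, apply MODE to
# the directory, and print the directory path.
make_demo_dir() {
    mode="$1"
    d=$(mktemp -d) || return 1
    printf 'nameserver 127.0.0.1\n' > "$d/resolv.conf"   # constructed sample file
    chmod 644 "$d/resolv.conf"
    chmod "$mode" "$d"
    printf '%s\n' "$d"
}

# Succeeds if a known filename inside DIR can be read: needs only x on DIR,
# because path lookup (traversal) is what the x-bit grants.
can_read_known_file() {
    cat "$1/resolv.conf" >/dev/null 2>&1
}

# Succeeds if DIR itself can be listed: needs r on DIR.
can_list_dir() {
    ls "$1" >/dev/null 2>&1
}

# Restore owner permissions (chmod needs ownership, not mode bits) and remove.
cleanup_demo_dir() {
    chmod 700 "$1" && rm -rf "$1"
}

# Walk through both modes and report what an unprivileged user would see.
run_demo() {
    for mode in 0111 0000; do
        d=$(make_demo_dir "$mode") || return 1
        if can_read_known_file "$d"; then r=yes; else r=no; fi
        if can_list_dir "$d"; then l=yes; else l=no; fi
        printf 'dir mode %s: read known file=%s  list dir=%s\n' "$mode" "$r" "$l"
        cleanup_demo_dir "$d"
    done
}

# Root ignores DAC mode bits, so every check would report "yes" for uid 0.
[ "$(id -u)" -eq 0 ] && echo "note: running as root, mode bits are bypassed"
run_demo
```

Run as an ordinary user, the 0111 line reports the known file readable but the directory unlistable (the 711 case from the thread: services keep working, tab-completion does not), while the 0000 line reports both failing (the 700 case where non-root processes lose their configuration).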

