[GTALUG] Linux hardening question
Lennart Sorensen
lsorense at csclub.uwaterloo.ca
Thu Jun 29 09:24:09 EDT 2017
On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> Christopher Browne via talk wrote:
> > On 27 June 2017 at 19:53, Kevin Cozens via talk <talk at gtalug.org> wrote:
> > > You may also want to "chmod 711 /etc", FWIW.
> >
> > That means that non-root-space applications will have no access to their
> > configuration in /etc, thereby breaking services.
>
> Umm, no. The x-bit is what you need to access files inside a directory,
> so a non-root user can still access /etc/resolv.conf and so on. Not
> having the r-bit means you can't "read" the directory itself and get a
> list of files in it. So no filename autocompletion for you while you're
> trying to cat that file!
Without the r bit you cannot read the contents of a file.
> However, all the filenames that matter in /etc are fairly canonical and
> not being able to "ls /etc" isn't really going to slow folk down much,
> just unnecessarily annoy them.
Yes, removing the x bit would probably not be a problem, but removing
the r bit would.
> Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on
> many key files, the upshot of which was that everything on the "secured"
> firewall had to run as root and it ended up less secure.
And 711 is no better. 744 might work OK though.
Now if you meant chmod JUST /etc, then sure fine. I think we all thought
you meant recursively chmod /etc which would be a disaster.
--
Len Sorensen
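A small check of the directory-bit semantics the thread is arguing about, added here as an example and not part of the original post. It exercises the syscalls behind "ls /etc" (opendir/readdir) and "cat /etc/resolv.conf" (open on a known file) against a scratch directory whose owner bits are restricted, since the script runs as a single unprivileged user; the file name and contents are constructed, and root ignores mode bits entirely, so the results only hold for a non-root user.

```python
import os
import tempfile

# Constructed example (not from the thread): restrict the OWNER triplet of a
# scratch directory and see which operations survive. Run as one unprivileged
# user, this shows the same effect a 7x1 or 7x4 "other" triplet on /etc has
# on every non-root process trying to reach its configuration.


def running_as_root():
    """Root has CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH and ignores mode bits."""
    return os.geteuid() == 0

def _ok(action):
    """True if action() runs without EACCES/EPERM, False otherwise."""
    try:
        action()
        return True
    except PermissionError:
        return False

def probe_dir_mode(owner_bits):
    """Apply owner_bits (0o100 = x only, 0o400 = r only, 0o500 = r+x) to a
    scratch directory; return which of list / stat / read still succeed."""
    scratch = tempfile.mkdtemp()
    path = os.path.join(scratch, "resolv.conf")     # constructed file name
    with open(path, "w") as f:
        f.write("nameserver 192.0.2.1\n")           # constructed content
    os.chmod(path, 0o644)
    os.chmod(scratch, owner_bits)                    # only the owner triplet
    try:
        return {
            # Listing names needs r on the directory (opendir + readdir).
            "list": _ok(lambda: os.listdir(scratch)),
            # Resolving a known name needs x (search) on the directory.
            "stat": _ok(lambda: os.stat(path)),
            # Reading a known file needs x on the dir and r on the file.
            "read": _ok(lambda: open(path).close()),
        }
    finally:
        os.chmod(scratch, 0o700)                     # restore for cleanup
        os.remove(path)
        os.rmdir(scratch)


if __name__ == "__main__":
    for bits, label in ((0o100, "x only, like 711"), (0o400, "r only, like 744"),
                        (0o500, "r+x, like 755")):
        print(label, probe_dir_mode(bits))
```

With x only the listing fails but a known file is still readable; with r only the names are visible but nothing inside can be opened or even stat'ed.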