[GTALUG] Linux hardening question

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Thu Jun 29 09:25:13 EDT 2017


On Thu, Jun 29, 2017 at 09:24:09AM -0400, Lennart Sorensen via talk wrote:
> On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> > Christopher Browne via talk wrote:
> > > On 27 June 2017 at 19:53, Kevin Cozens via talk <talk at gtalug.org> wrote:
> > > > You may also want to "chmod 711 /etc", FWIW.
> > > 
> > > That means that non-root-space applications will have no access to their
> > > configuration in /etc, thereby breaking services.
> > 
> > Umm, no.  The x-bit is what you need to access files inside a directory,
> > so a non-root user can still access /etc/resolv.conf and so on.  Not
> > having the r-bit means you can't "read" the directory itself and get a
> > list of files in it.  So no filename autocompletion for you while you're
> > trying to cat that file!
> 
> Without the r bit you cannot read the contents of a file.
> 
> > However, all the filenames that matter in /etc are fairly canonical and
> > not being able to "ls /etc" isn't really going to slow folk down much,
> > just unnecessarily annoy them.
> 
> Yes, removing the x bit would probably not be a problem, but removing
> the r bit would.
> 
> > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on
> > many key files, the upshot of which was that everything on the "secured"
> > firewall had to run as root and it ended up less secure.
> 
> And 711 is no better.  744 might work OK though.
> 
> Now if you meant chmod JUST /etc, then sure fine.  I think we all thought
> you meant recursively chmod /etc which would be a disaster.

OK, that 'you' should have been the person that suggested chmod on /etc.

-- 
Len Sorensen
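A small probe, added here as an example (it is not code from anyone in the thread), that checks what the r and x bits on a directory actually let a user do, using a scratch directory rather than touching /etc. Because the caller owns its own scratch directory, the digit that a mode like 711 or 744 gives to "other" users is applied as the owner bits instead; it must run as an unprivileged user, since root bypasses these checks.

```sh
# Added example, not code from anyone in the thread: probe what the r and x
# bits on a directory control, using a scratch directory instead of /etc.
# Root bypasses these checks, so run it as an unprivileged user.
#
# dir_perm_probe DIGIT
#   DIGIT is the "other" digit of a mode such as 711 (1) or 744 (4). Because
#   the caller owns the scratch directory, the digit is applied as the OWNER
#   bits (chmod ${DIGIT}00) so the caller sees what "other" users would see.
#   Prints "<list-ok|list-denied> <read-ok|read-denied>".
dir_perm_probe() {
    digit="$1"
    scratch=$(mktemp -d) || return 1
    # Constructed sample file standing in for a config file under /etc.
    printf 'nameserver 192.0.2.1\n' > "$scratch/resolv.conf"
    chmod "${digit}00" "$scratch"

    # r bit: can we enumerate the directory's entries?
    if ls "$scratch" >/dev/null 2>&1; then listres=list-ok; else listres=list-denied; fi
    # x bit: can we reach a file whose name we already know?
    if cat "$scratch/resolv.conf" >/dev/null 2>&1; then readres=read-ok; else readres=read-denied; fi

    chmod 700 "$scratch"        # restore owner access so cleanup works
    rm -rf "$scratch"
    echo "$listres $readres"
}

# Walk the combinations the thread argues about: 711, 744, 755 and 700.
for d in 1 4 5 0; do
    printf 'other digit %s (as in 7%s%s): %s\n' "$d" "$d" "$d" "$(dir_perm_probe "$d")"
done
```

Run unprivileged, an x-only directory (the 711 case) reports "list-denied read-ok" and an r-only directory (the 744 case) reports "list-ok read-denied".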

