[GTALUG] Linux hardening question

Anthony de Boer adb at adb.ca
Thu Jun 29 10:18:26 EDT 2017


Lennart Sorensen wrote:
> On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on
> > many key files, the upshot of which was that everything on the "secured"
> > firewall had to run as root and it ended up less secure.
> 
> And 711 is no better.  744 might work OK though.

You mean "OK" in the "OK if you want to really torque nonroot users
off" sense, right?

Just for fun, try "chmod 744 /etc" in a root shell, then "ls -la /etc"
from a nonroot shell.  Then change it back to 755 and deal with any other
users wondering why the machine did a weird there.  (For extra points, do
this on a nonshared machine!)

Things like ls get really confused if they can see that the files are
there but can't even stat them let alone any other access.  Users
staring at all that STDERR don't fare much better.

-- 
Anthony de Boer
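The "can see the names but can't stat anything" state Anthony describes comes from directory permission bits: the r bit on a directory permits reading entry names (readdir), while the x bit permits reaching the inodes behind those names (stat, open, chdir). Mode 744 on /etc leaves a nonroot user with r and no x. The following script is an added illustration, not part of the thread, and reproduces the same effect on a throwaway directory rather than on /etc by giving its owner mode 0400. It assumes a POSIX sh with mktemp, and that it runs as an unprivileged user: root bypasses read and search checks, so under uid 0 every mode reports full access, which is the other half of the point made above.

```shell
#!/bin/sh
# Added example, not from the GTALUG thread: show what r-without-x on a
# directory does, using a scratch directory instead of /etc.  Mode 0400
# gives the owner the same view a nonroot user gets of a 0744 /etc.

set -u

# Create a scratch directory holding one empty file; print its path.
make_scratch() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/afile"
    printf '%s\n' "$scratch"
}

# Print one word describing what the caller can do with directory $1:
#   full        entry names readable and entries can be stat'ed
#   names-only  entry names readable, but stat on an entry fails (r, no x)
#   none        not even the entry names are readable
probe_access() {
    probe_dir=$1
    # Globbing only needs readdir (the r bit).  An unmatched pattern
    # stays literal, which is how an unreadable directory shows up.
    set -- "$probe_dir"/*
    if [ "$1" = "$probe_dir/*" ]; then
        echo none
        return 0
    fi
    # test -f calls stat(2), which needs search (x) permission on the
    # directory even though the name was just listed successfully.
    if [ -f "$probe_dir/afile" ]; then
        echo full
    else
        echo names-only
    fi
}

# Walk the scratch directory through a normal mode and an r-only mode.
demo() {
    d=$(make_scratch) || exit 1
    for mode in 0700 0400; do
        chmod "$mode" "$d"
        printf 'mode %s: %s\n' "$mode" "$(probe_access "$d")"
    done
    chmod 0700 "$d"      # restore before cleanup, as the post advises
    rm -rf "$d"
}

demo
```

Run it as a normal user and mode 0400 reports names-only: the same thing ls shows when every entry of /etc is visible but none can be stat'ed. Run it as root and both modes report full, because the kernel skips DAC read and search checks for root, which is why a chmod on a system directory tested only from a root shell looks harmless.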

