[GTALUG] Linux hardening question
Lennart Sorensen
lsorense at csclub.uwaterloo.ca
Thu Jun 29 15:20:40 EDT 2017
On Thu, Jun 29, 2017 at 10:18:26AM -0400, Anthony de Boer via talk wrote:
> Lennart Sorensen wrote:
> > On Wed, Jun 28, 2017 at 07:21:55PM -0400, Anthony de Boer via talk wrote:
> > > Many years ago a coworker tried "chmod 700" on /etc etc, and chmod 600 on
> > > many key files, the upshot of which was that everything on the "secured"
> > > firewall had to run as root and it ended up less secure.
> >
> > And 711 is no better. 744 might work OK though.
>
> You mean "OK" in the "OK if you want to really torque nonroot users
> off" sense, right?
>
> Just for fun, try "chmod 744 /etc" in a root shell, then "ls -la /etc"
> from a nonroot shell. Then change it back to 755 and deal with any other
> users wondering why the machine did a weird there. (For extra points, do
> this on a nonshared machine!)
>
> Things like ls get really confused if they can see that the files are
> there but can't even stat them let alone any other access. Users
> staring at all that STDERR don't fare much better.
I find accidentally changing permissions on /tmp a much better way to
get people confused and annoyed at you.
--
Len Sorensen
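
An added example, not part of the original message: a Python check over mode bits that flags the directory permission patterns discussed in this thread (700, 711 and 744 on a directory such as /etc, plus a world-writable directory without the sticky bit that /tmp normally carries as mode 1777). The function names, finding labels and sample directories are assumptions made for illustration.

```python
import os
import stat
import tempfile

def classify_dir_mode(mode):
    """Describe what users in the 'other' class can do with a directory.
    Group bits are not examined (a simplification for this example)."""
    r, w, x = (bool(mode & b) for b in (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH))
    findings = []
    if not r and not x:
        findings.append("no-access")           # 700: non-root daemons cannot read config
    elif r and not x:
        findings.append("list-no-stat")        # 744: names visible, stat() on entries fails
    elif x and not r:
        findings.append("traverse-no-list")    # 711: known paths open, listing fails
    if w and x and not mode & stat.S_ISVTX:
        findings.append("world-writable-no-sticky")  # anyone can remove others' files
    return findings

def audit(paths):
    """Map each flagged directory to (octal mode, findings)."""
    report = {}
    for path in paths:
        st = os.stat(path)
        if stat.S_ISDIR(st.st_mode):
            findings = classify_dir_mode(st.st_mode)
            if findings:
                report[path] = (oct(stat.S_IMODE(st.st_mode)), findings)
    return report

def demo():
    """Audit constructed sample directories that stand in for /etc and /tmp."""
    samples = {"etc-700": 0o700, "etc-711": 0o711, "etc-744": 0o744,
               "etc-755": 0o755, "tmp-777": 0o777, "tmp-1777": 0o1777}
    with tempfile.TemporaryDirectory() as base:
        for name, mode in samples.items():
            path = os.path.join(base, name)
            os.mkdir(path)
            os.chmod(path, mode)  # chmod is not affected by the umask
        report = audit(os.path.join(base, n) for n in samples)
        return {os.path.basename(p): v for p, v in report.items()}

if __name__ == "__main__":
    for name, (mode, findings) in sorted(demo().items()):
        print(f"{name}: {mode} {', '.join(findings)}")
```

Pointing `audit()` at real paths such as `["/etc", "/tmp"]` reads only the mode bits, so the result is the same whether or not it is run as root.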