Old 01-05-2007, 05:04 PM   #1
toes
Member
 
Registered: Mar 2005
Location: Arkansas
Distribution: Mandy 2006, FC5
Posts: 154

Can I set default file/directory permission levels?


I've moved our old RH9 server to FC5 (after what looked to be an SSL exploit) and am continuing the process of locking it down as best I can. File/directory permissions are an area I'm curious about.

I notice that by default, files are created with 644, while directories are created with 755. Pardon my paranoia, but why does the 'others' group get any permissions at all?

This is more odd if considering that nearly everything I do on the box is as root. I'd think that anything created by root would have 'others' set to zero, but perhaps I'm newbish.

So, assuming that I'd rather be on the safe side and default to 640 and 750 (unless someone can convince me otherwise), is there some setting to change that will allow me to do that? Or am I stuck with something like a daily cron to 'chmod -R o= /*' to always cover my back?
 
Old 01-05-2007, 05:21 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

If you're asking if you can change how you create new files the answer is sure. Just change your umask.

If you're asking if you can change existing system files the answer is it depends on the file. Many tools and utilities expect certain permissions, ownerships and groups on certain files and will interpret changes to those things as security issues. You'd want to be sure you knew what the specific files were used for and by before changing them.
 
Old 01-05-2007, 05:30 PM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Some distros (Mandrake for example) will create both a new user and a matching group, so if your username is jsmith, your default group will also be jsmith. Others create a new user and use a group called users as the default group. If this is the case, you can create a new group for each user as well by the same name as the username and make that their default group. You can also change the umask value in /etc/profile so that new files are created with read/write privileges only for the owner.

You can use the find command to find files in your home directory (and subdirectories) that have group or other privileges (see the "info find" manual), and then use the -execdir argument to carry out a "chmod" command.

Many system files like /etc/fstab and /etc/password need to be world readable for your system to function, and some have ownerships other than root. A bulk chown or chmod command in a cron command is a bad idea for system files.

You can perform a query verify on rpm installed packages. That is a way to find if default permissions have been changed.

Remember that SELinux settings can affect who can read what config files. If you have a problem with a config file not working, check the selinux logs to see if the program is being blocked from reading its own configuration.

Last edited by jschiwal; 01-05-2007 at 05:39 PM.
 
Old 01-05-2007, 05:38 PM   #4
toes
Member
 
Registered: Mar 2005
Location: Arkansas
Distribution: Mandy 2006, FC5
Posts: 154

Original Poster
Excellent. The umask man page has lots of other goodies to check out, too.

So, my umask is 0022. I'm guessing I should change this to 0027 for my intended purpose, yes?

Jlightner, can you give me an example of tools that need certain permissions that involve the others group? I'd like to make sure I don't cross the line to crippling some service.
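
As an added example (not part of any post in this thread): a shell script showing the two approaches discussed so far, the umask for newly created files and find with -execdir chmod for files that already exist. It assumes GNU find and stat; the function names and the files in the temporary tree are made up for the demonstration.

```shell
#!/bin/sh
# Added example. All files are constructed in a temp directory; GNU find/stat assumed.

# new_modes MASK: modes a new file and a new directory get under MASK.
new_modes() {
    d=$(mktemp -d) || return 1
    # Subshell so the umask change does not leak into the calling shell.
    ( umask "$1"; : > "$d/file"; mkdir "$d/dir" )
    printf '%s %s\n' "$(stat -c %a "$d/file")" "$(stat -c %a "$d/dir")"
    rm -rf "$d"
}

# list_other_access DIR: files and directories below DIR where "others"
# hold any of r, w or x (-perm /007). Symlinks are skipped on purpose.
list_other_access() {
    find "$1" -mindepth 1 \( -type f -o -type d \) -perm /007 -print | sort
}

# strip_other DIR: clear the "others" bits on those entries. -execdir runs
# chmod from each entry's own directory and refuses a PATH with relative
# entries, so a fixed PATH is passed.
strip_other() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin find "$1" -mindepth 1 \
        \( -type f -o -type d \) -perm /007 -execdir chmod o= {} +
}

# demo_existing: files made under 022 keep 644/755 until chmod is run on them.
# Prints: entries found before, entries found after, final mode of one file.
demo_existing() {
    t=$(mktemp -d) || return 1
    ( umask 022; mkdir "$t/site"; : > "$t/site/index.html"; : > "$t/notes.txt" )
    ( umask 027; : > "$t/new.txt" )     # created after the change: already 640
    before=$(( $(list_other_access "$t" | wc -l) ))
    strip_other "$t"
    after=$(( $(list_other_access "$t" | wc -l) ))
    printf '%s %s %s\n' "$before" "$after" "$(stat -c %a "$t/site/index.html")"
    rm -rf "$t"
}

for m in 022 027; do
    printf 'umask %s -> file/dir %s\n' "$m" "$(new_modes "$m")"
done
printf 'existing tree (before after mode): %s\n' "$(demo_existing)"
```

Changing the umask only affects files created afterwards, which is why the files made under 022 still need the find pass. Point strip_other at a specific data directory, not at system paths.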
 
Old 01-05-2007, 06:09 PM   #5
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Hard for me to think of a good list at the moment because I do UNIX as well and most of what's coming to mind is on UNIX. Basically I'd suggest being careful about changing anything under /usr/bin, /usr/sbin, /bin, /sbin, /etc, and of course / itself and some of the other main sub-directories there. Home directories in /home are fairly safe (assuming you haven't installed an app in one of them). Things in /usr/local may be safe. /opt you'd want to check the specific apps.
 
Old 01-05-2007, 06:21 PM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

A program that runs as a system user in a chroot jail will often have files owned by that user instead of by root. For example, cups may use lp instead of root. Look in /var/run for others like "mail".
 