LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 03-16-2006, 03:16 AM   #1
AssimovT
LQ Newbie
 
Registered: Mar 2006
Posts: 2

Rep: Reputation: 0
Question Harden file system protections


Hello everyone!

I have a "Linux question" concerning the hardening file sytem protections.
Do you guys think that it is wise to set all file system protections to least privelege model, where no "world" permissions exist?
I mean what if I have a script which removes all "world" permissions in all file system and skipping some "not ordinary" folders such as /proc, /dev, /mnt?

Do you think it will spoil all the system? Is there any list on the web which defines that certain files and directories MUST have "other" permissions in order to work properly, ex: /etc/passwd? What if my machine is only used for version control like CVS, thus will it protect system from usage of triggers (Taking into account that later cvsroot is chrooted)

Thank you for your ideas...
 
Old 03-16-2006, 03:49 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
Some folders need to be world writable, such as in /tmp, /var/tmp, /var/spool/mail. Most distros allow you to have roots mail forwarded to you. There are programs that monitor the filesystems for you and alert you to world writable files and directories. You will also be warned about changed md5 checksums and altered configuration files. You will get a warning about world writable files that aren't required by the system. Read up on the documentation for your distro. I bet you already have a program like this, and it may even be running, but you haven't noticed it before.
 
Old 03-16-2006, 04:30 AM   #3
AssimovT
LQ Newbie
 
Registered: Mar 2006
Posts: 2

Original Poster
Rep: Reputation: 0
Thank for your answer.
Do you remember what are these programs for Redhat for example. Do you think of any other files and directories that need read or write or execute world perms?
 
Old 03-16-2006, 05:27 AM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
I don't know which program Red Hat uses. You'll need to read the administration manual or use the help system, or google for an answer. Also, read through the root users mail. The system may be sending security check alerts already.

You can use the "find" command to locate files and directories with world writable permissions, and then decide if it is necessary. Also search for suid programs.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
An error Occurred during the file system check. Dropping you to shell; the system wil aneikei Linux - Newbie 3 02-11-2010 08:38 PM
figuring out 'file system' and 'swap file system' types TrulyTessa Linux - Newbie 3 09-26-2005 07:46 PM
Memory Page Protections Damaged Soul Programming 2 07-11-2005 07:51 AM
Buffer overflow protections compared ahz Linux - Security 0 01-26-2005 10:54 PM
Harden RedHat danieltkh Linux - Security 3 08-12-2004 05:00 AM


All times are GMT -5. The time now is 03:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration