Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Would you recommend chmod -R 755 * from / as a general permissions security blanket? What are the drawbacks to this approach? I haven't really seen a catch-all recomendation like this in tutorials, but it is what I have done. Just wondering if there are better possibilities (I am a single user).
I wouldn't recommend that at all... I always use a default umask of 077 which means new files will be rwx for the owner only, and have no access for anyone else.
However, most people find 022 more reasonable, which gives you the 755 permissions you mentioned.
Be careful about your sudo config if you use sudo however, that should never be writable for anyone.
@CodeFish: In fact that is an exceedingly bad idea. You need to be very careful when modifying file permissions, especially when it comes to critical system files. By giving everything 755 permissions, you'd allow anyone to read the password hashes in /etc/passwd or /etc/shadow, which could then be bruteforced rather trivially. You'd also allow anyone to read each others private encryption keys (like ssh private keys), read your firewall rulesets, daemon configuration files, and other critical files that shouldn't be readable except to root. You'd also be allowing anyone on the system to execute any command as well. So joe user could fireup fdisk and blow away your entire filesystem. I'd also bet that you'd experience some random problems with applications trying to use temporary files as many applications need fairly lenient file permissions in /tmp.
It may seem like none of that may apply to someone on a single user system, but file system permissions are an integral part in security and by weakening them, you are making it significantly easier for someone to compromise or damage your system. If you are interested in locking down file permissions, take a look at tools like bastille, Mandrakes built-in security tool called msec or even something like grsecurity instead.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
