LinuxQuestions.org


lazlow69 04-29-2004 10:16 AM

/usr/sbin and /sbin world read/executable... why?
 
I'm slowly learning the ins-and-outs of securing my lovely slack box, and have developed some questions along the way. I was hoping I could bounce two off of the community:

(1) One question in particular, which I haven't seen very informative responses to just yet, is the notion of the /usr/sbin and /sbin directories, and why they are chmodded to 555 by default (world readable and executable). It seems dangerous to have all those scripts and binaries open to all users. I know running certain daemons as non root will be a moot point since they can't bind below port 1024 anyway, but things like hdparm, etc... Why are they by default open to the world of users on the machine?

(2) Follow up: Can these directories be chmodded to 550 (owner and group executable, but nothing for world) safely? Will this change cause untold havoc in random programs, or is this a safe and effective move?

Any advice or directions to other threads or discussion on the subject would be quite lovely! Also, answers don't have to be slack specific, I recognize that this is a cross-distro question.

Thanks!

slakmagik 04-29-2004 10:43 AM

755 and 750?

Doesn't matter if you can run hdparm - the device files are root:disk and not world-readable, so you can't do anything with it. I can't think of a reason why you couldn't chmod the programs 750 from the system's point of view but you don't want to do that with /usr/bin or even some things in sbin. Unless you set up special groups you, as user:users, wouldn't have permission to them.
Code:

ls -l /usr/bin/tail
-rwxr-xr-x    1 root    bin        35244 Sep 18  2003 tail

If that was 750, you couldn't run it and that would suck.

lazlow69 04-29-2004 04:31 PM

I understand what you are saying regarding the /usr/bin and /bin directories of the system. My question was regarding the applications in /sbin and /usr/sbin... Any opinions on making these non executable for world, or non readable?

Thanks for the input, though.

slakmagik 04-29-2004 05:06 PM

Oh. I'm brain-damaged. I read /sbin and /usr/sbin as /usr/bin and /usr/sbin somehow. Sorry about that. No, like I say, most things have safeguards aside from the permissions they have, so I don't know it would help much, but I can't really think of a reason why you couldn't restrict permissions. Might screw up the three-fingered salute or something, and there might be more subtle issues, but it seems doable to me. I got curious and did a little googling and it seems like it is recommended sometimes and I didn't see anything saying *not* to.

This might have been better in Security, incidentally. unSpawn and the security gang would know for sure.
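The point made in the replies above (the binary's mode and the device file's mode are checked separately, and a 750 binary locks out anyone outside its group) can be traced with the classic Unix permission check. This is an added example, not part of the original thread; the numeric uids/gids, the /sbin/hdparm and /dev/hda paths, and the 660 device mode are constructed assumptions.

```shell
#!/bin/sh
# Classic Unix DAC check: exactly one class is selected (owner, else group,
# else other) and only that class's bits are tested.

# can_access MODE FILE_UID FILE_GID USER_UID "USER_GIDS" WANT(r|w|x)
# Returns 0 if access is granted, 1 if denied, 2 on a bad WANT argument.
can_access() {
    mode=$1; fuid=$2; fgid=$3; uid=$4; gids=$5; want=$6
    case $want in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) return 2 ;;
    esac
    perms=$((0$mode))                     # leading 0: read MODE as octal
    if [ "$uid" -eq 0 ]; then             # root bypasses r/w checks;
        [ "$want" != x ] && return 0      # exec still needs some x bit set
        if [ $((perms & 0111)) -ne 0 ]; then return 0; else return 1; fi
    fi
    shift_by=0                            # default class: other
    for g in $gids; do
        if [ "$g" -eq "$fgid" ]; then shift_by=3; fi   # group class
    done
    if [ "$uid" -eq "$fuid" ]; then shift_by=6; fi     # owner class wins
    if [ $(( (perms >> shift_by) & bit )) -ne 0 ]; then return 0; fi
    return 1
}

# report LABEL followed by the same arguments as can_access
report() {
    label=$1; shift
    if can_access "$@"; then echo "ALLOW $label"; else echo "DENY  $label"; fi
}

# Constructed ids: user uid 1000 in group 100 (users); root=0, bin=1, disk=6.
report "exec /sbin/hdparm, 755 root:bin"        755 0 1 1000 "100" x
report "read /dev/hda, 660 root:disk"           660 0 6 1000 "100" r
report "exec /usr/bin/tail if 750 root:bin"     750 0 1 1000 "100" x
report "exec hdparm if 750, user added to bin"  750 0 1 1000 "100 1" x
```

The first two lines of output show the situation described in the thread: the ordinary user may start hdparm, but the open of the device file is what gets denied.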

