LinuxQuestions.org
Old 10-27-2017, 09:24 AM   #1
JockVSJock
Hardening /etc/profile.d on RHEL5


I'm in the final steps of hardening a RHEL5 VM (we have extended support with Red Hat, so don't worry about us not having support).

There is a directory under /etc called profile.d. The permissions for the directory are the following:

Code:
[root@server etc]# ls -al | grep -i profile
drwxr-xr-x   2 root   root       4096 Aug 25  2015 profile.d
[root@server etc]# cd profile
The files in that directory look like this and are world readable and executable, which concerns me.

Code:
[root@server profile.d]# ls -al
total 144
drwxr-xr-x   2 root root  4096 Aug 25  2015 .
drwxr-xr-x 104 root root 12288 Oct 27 04:06 ..
-rwxr-xr-x   1 root root   766 Mar 14  2012 colorls.csh
-rwxr-xr-x   1 root root   727 Mar 14  2012 colorls.sh
-rwxr-xr-x   1 root root   192 Mar  9  2009 glib2.csh
-rwxr-xr-x   1 root root   192 Mar  9  2009 glib2.sh
-rwxr-xr-x   1 root root    58 Jan  4  2012 gnome-ssh-askpass.csh
-rwxr-xr-x   1 root root    70 Jan  4  2012 gnome-ssh-askpass.sh
-rw-r--r--   1 root root   218 Sep  3  2014 krb5-workstation.csh
-rw-r--r--   1 root root   229 Sep  3  2014 krb5-workstation.sh
-rwxr-xr-x   1 root root  3015 Mar 19  2014 lang.csh
-rwxr-xr-x   1 root root  3466 Mar 19  2014 lang.sh
-rwxr-xr-x   1 root root   122 Nov 11  2011 less.csh
-rwxr-xr-x   1 root root   108 Nov 11  2011 less.sh
-rwxr-xr-x   1 root root    97 Jul 10  2012 vim.csh
-rwxr-xr-x   1 root root   293 Jul 10  2012 vim.sh
-rwxr-xr-x   1 root root   170 Jul 14  2006 which-2.sh
I read thru this:

https://unix.stackexchange.com/quest...c-profile-d-do

However I'm still not clear on what /etc/profile.d role is, what these scripts do, and why they need the permissions they do. No man or info pages for this directory either.

I want to drop the world readable and executable permissions, along with executable for group.

Any ideas or insight?

thanks

Last edited by JockVSJock; 10-27-2017 at 09:33 AM.
 
Old 10-27-2017, 10:02 AM   #2
rtmistler
Since these files are in the root group, if you drop the r-x for World, then the only user who can read and execute these files will be root.

The other part is exactly what the stack overflow question also answers.

These are application specific startup files.

And you can tell that by the names of these files.

Therefore everyone either needs colorls and the specific startup settings, or they do not. And same for the rest of the list.
 
Old 10-27-2017, 11:52 AM   #3
MadeInGermany
Interesting that two of the files are not executable.
I guess that /etc/profile sources them, so there is a need for read but not for execution.
On the other hand, the files do no harm, and are not in the user's path.
--
For each file you can determine the software package, for example
Code:
rpm -qf /etc/profile.d/colorls.sh
 
Old 10-27-2017, 12:37 PM   #4
JockVSJock
Good way to put it, as /etc/profile.d is not in anyone's path.

However it is confusing and I don't want to break the VM.

I've changed the directory and all of the files to 640 permissions.


Quote:
Originally Posted by MadeInGermany
On the other hand, the files do no harm, and are not in the user's path.
 
Old 10-27-2017, 01:46 PM   #5
sgrlscz
It may break things to remove them, and at a minimum it will change behavior (e.g. ls won't use colors by default, etc.).

They are not in anyone's path, but they are sourced by /etc/profile, so without read access, they will no longer be sourced when loaded, and may cause errors to be displayed on login if the /etc/profile on RHEL 5 doesn't check for readability first (I've seen that on some distributions, especially older ones).

The files are put in /etc/profile.d so that packages don't have to edit /etc/profile to get the proper default setup or have each user manually update their environment. It provides a clean way for packages to provide common aliases, environment variables, and updates to the path.
 
1 members found this post helpful.
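Replies #3 and #5 note that these files are sourced rather than executed, so login users need read access to them. The script below is an added example, not code from the thread: it audits a profile.d-style directory by mode bits and goes slightly beyond the thread by also flagging write access for non-owners. The function names and verdict strings are hypothetical, it assumes GNU `stat`, and the demo runs on a constructed scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread). Files in a profile.d-style directory are
# sourced by each user's login shell, so what matters is:
#   - directory: "other" needs r-x so the glob and the reads succeed
#   - files: "other" needs r; nobody but the owner should have w; x is unused

# classify MODE KIND -> prints one verdict for an octal mode such as 755 or 640
classify() {
    m=$((0$1))                      # stat prints octal digits; parse as octal
    if [ $((m & 022)) -ne 0 ]; then
        echo "writable-by-non-owner"
    elif [ "$2" = dir ] && [ $((m & 005)) -ne 5 ]; then
        echo "not-searchable-by-users"
    elif [ $((m & 004)) -eq 0 ]; then
        echo "not-readable-by-users"
    else
        echo "ok"
    fi
}

# audit_profile_d DIR -> one "verdict mode name" line for DIR and each script
audit_profile_d() {
    dir=$1
    echo "$(classify "$(stat -c %a "$dir")" dir) $(stat -c %a "$dir") $dir"
    for f in "$dir"/*.sh "$dir"/*.csh; do
        [ -f "$f" ] || continue     # skip unmatched globs and non-files
        mode=$(stat -c %a "$f")
        echo "$(classify "$mode" file) $mode ${f##*/}"
    done
}

# Constructed demo: a scratch directory, not the real /etc/profile.d
demo() {
    d=$(mktemp -d)
    printf 'alias ls="ls --color=tty"\n' > "$d/colorls.sh"
    printf 'export LESS=-R\n' > "$d/less.sh"
    chmod 755 "$d"; chmod 644 "$d/colorls.sh"; chmod 640 "$d/less.sh"
    audit_profile_d "$d"
    rm -rf "$d"
}
demo
```

Running `audit_profile_d /etc/profile.d` before and after a permission change shows which scripts non-root logins would stop picking up.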
  



Tags
profile.d, rhel5

