Hardening /etc/profile.d on RHEL5

JockVSJock · 10-27-2017, 09:24 AM

I'm in the final steps of hardening a RHEL5 VM (we have extended support with Red Hat, so don't worry about us not having support).

There is a directory under /etc called profile.d. The permissions for the directory are the following:

Code:

[root@server etc]# ls -al | grep -i profile
drwxr-xr-x   2 root   root       4096 Aug 25  2015 profile.d
[root@server etc]# cd profile

The files in that directory look like this and have world readable and executable, which concerns me.

Code:

[root@server profile.d]# ls -al
total 144
drwxr-xr-x   2 root root  4096 Aug 25  2015 .
drwxr-xr-x 104 root root 12288 Oct 27 04:06 ..
-rwxr-xr-x   1 root root   766 Mar 14  2012 colorls.csh
-rwxr-xr-x   1 root root   727 Mar 14  2012 colorls.sh
-rwxr-xr-x   1 root root   192 Mar  9  2009 glib2.csh
-rwxr-xr-x   1 root root   192 Mar  9  2009 glib2.sh
-rwxr-xr-x   1 root root    58 Jan  4  2012 gnome-ssh-askpass.csh
-rwxr-xr-x   1 root root    70 Jan  4  2012 gnome-ssh-askpass.sh
-rw-r--r--   1 root root   218 Sep  3  2014 krb5-workstation.csh
-rw-r--r--   1 root root   229 Sep  3  2014 krb5-workstation.sh
-rwxr-xr-x   1 root root  3015 Mar 19  2014 lang.csh
-rwxr-xr-x   1 root root  3466 Mar 19  2014 lang.sh
-rwxr-xr-x   1 root root   122 Nov 11  2011 less.csh
-rwxr-xr-x   1 root root   108 Nov 11  2011 less.sh
-rwxr-xr-x   1 root root    97 Jul 10  2012 vim.csh
-rwxr-xr-x   1 root root   293 Jul 10  2012 vim.sh
-rwxr-xr-x   1 root root   170 Jul 14  2006 which-2.sh

I read thru this:

https://unix.stackexchange.com/quest...c-profile-d-do

However I'm still not clear on what /etc/profile.d role is, what these scripts do, and why they need the permissions they do. No man or info pages for this directory either.

I want to drop the world readable and executable permissions, along with executable for group.

Any ideas or insight?

thanks

rtmistler · 10-27-2017, 10:02 AM

Since these files are in the root group, if you drop the r-x for World, then the only user who can read and execute these files will be root.

The other part is exactly what the stack overflow question also answers.

These are application specific startup files.

And you can tell that by the names of these files.

Therefore everyone either needs colorls and the specific startup settings, or they do not. And same for the rest of the list.

MadeInGermany · 10-27-2017, 11:52 AM

Interesting that two of the files are not executable.
I guess that /etc/profile sources them, so there is a need for read but not for execution.
On the other hand, the files do not harm, and are not in the user's path.
--
For each file you can determine the software package, for example

Code:

rpm -qf /etc/profile.d/colorls.sh

JockVSJock · 10-27-2017, 12:37 PM

Good way to put it, as /etc/profile.d is not in anyone's path.

However it is confusing and I don't want to break the VM.

I've change the directory and all of the file to 640 permissions.

Quote:

Originally Posted by MadeInGermany

On the other hand, the files do not harm, and are not in the user's path.

sgrlscz · 10-27-2017, 01:46 PM

It may break things to remove them, and at a minimum it will change behavior (e.g. ls won't use colors by default, etc.).

They are not in anyone's path, but they are sourced by /etc/profile, so without read access, they will no longer be sourced when loaded, and may cause errors to be displayed on login if the /etc/profile on RHEL 5 doesn't check for readability first (I've seen that on some distributions, especially older ones).

The files are put in /etc/profile.d so that packages don't have to edit /etc/profile to get the proper default setup or have each user manually update their environment. It provides a clean way for packages to provide common aliases, environment variables, and updates to the path.