Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-05-2007, 05:04 PM, post #1
Member; Registered: Mar 2005; Location: Arkansas; Distribution: Mandy 2006, FC5; Posts: 154
Can I set default file/directory permission levels?
I've moved our old RH9 server to FC5 (after what looked to be an SSL exploit) and am continuing the process of locking it down as best I can. File/directory permissions are an area I'm curious about.
I notice that by default, files are created with 644, while directories are created with 755. Pardon my paranoia, but why does the 'others' group get any permissions at all?
This is more odd if considering that nearly everything I do on the box is as root. I'd think that anything created by root would have 'others' set to zero, but perhaps I'm newbish.
So, assuming that I'd rather be on the safe side and default to 640 and 750 (unless someone can convince me otherwise), is there some setting to change that will allow me to do that? Or am I stuck with something like a daily cron to 'chmod -R o= /*' to always cover my back?
01-05-2007, 05:21 PM, post #2
LQ Guru; Registered: May 2005; Location: Atlanta Georgia USA; Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO; Posts: 7,831
If you're asking if you can change how you create new files the answer is sure. Just change your umask.
If you're asking if you can change existing system files the answer is it depends on the file. Many tools and utilities expect certain permissions, ownerships and groups on certain files and will interpret changes to those things as security issues. You'd want to be sure you knew what the specific files were used for and by before changing them.
01-05-2007, 05:30 PM, post #3
LQ Guru; Registered: Aug 2001; Location: Fargo, ND; Distribution: SuSE AMD64; Posts: 15,733
Some distros (Mandrake for example) will create both a new user and a matching group, so if your username is jsmith, your default group will also be jsmith. Others create a new user and use a group called users as the default group. If this is the case, you can create a new group for each user as well by the same name as the username and make that their default group. You can also change the umask value in /etc/profile so that new files are created with read/write privileges only for the owner.
You can use the find command to find files in your home directory (and subdirectories) that have group or other privileges (see the "info find" manual) and then use the -execdir argument to carry out a "chmod" command.
Many system files like /etc/fstab and /etc/password need to be world readable for your system to function, and some have ownerships other than root. A bulk chown or chmod command in a cron command is a bad idea for system files.
You can perform a query verify on rpm installed packages. That is a way to find if default permissions have been changed.
Remember that SELinux settings can affect who can read what config files. If you have a problem with a config file not working, check the SELinux logs to see if the program is being blocked from reading its own configuration.
Last edited by jschiwal; 01-05-2007 at 05:39 PM.
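The two checks jschiwal describes above (a find/-execdir sweep of a home directory, and reading rpm's verify output) as an added example; this is not code from any poster in the thread. It assumes GNU find, stat and coreutils (Fedora/RHEL have them), runs only against a throwaway tree it builds itself, and the rpm -V lines it parses are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): audit a tree for
# entries that grant "other" permissions, clear those bits with
# find -execdir chmod, and sift "rpm -V" output for mode/owner/group changes.
# Everything runs against a constructed temp tree and a constructed sample of
# rpm -V output, never against / or a real home directory.

# Number of entries under $1 with any "other" bit (r, w or x) set.
# -perm /007 matches if ANY of the masked bits is set (GNU find syntax).
count_other_bits() {
    find "$1" -mindepth 1 -perm /007 | wc -l | tr -d ' '
}

# Clear all "other" bits under $1, leaving owner/group bits as they are
# (644 -> 640, 755 -> 750). -execdir runs chmod from inside each entry's own
# directory on "./name", so a renamed or symlinked path component higher up
# cannot redirect the chmod. GNU find refuses -execdir if PATH contains "."
# or an empty element.
clear_other_bits() {
    find "$1" -mindepth 1 -perm /007 -execdir chmod o= {} +
}

# Build a small tree with the default 644/755 modes the OP describes, clear
# the "other" bits, and report "before after mode(docs) mode(notes.txt)".
demo_tighten() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/docs/private"
    : > "$t/docs/notes.txt"
    : > "$t/docs/private/key.pem"
    chmod 755 "$t/docs" "$t/docs/private"
    chmod 644 "$t/docs/notes.txt" "$t/docs/private/key.pem"
    before=$(count_other_bits "$t")
    clear_other_bits "$t"
    after=$(count_other_bits "$t")
    modes=$(stat -c '%a' "$t/docs" "$t/docs/notes.txt" | paste -sd' ')
    rm -rf "$t"
    echo "$before $after $modes"
}

# Constructed sample of "rpm -Va" output (invented for this example). The flag
# field is one column per test: S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities (older rpm omits the P column);
# "c" after it marks a config file, and "missing" replaces the flags when the
# file is gone.
RPMV_SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
.M..UG...  c /etc/cups/cupsd.conf
missing     /var/run/cups
.......T.  c /etc/motd'

# Print "path flags" for every entry whose mode, user or group differs from
# the package database; a blanket chmod/chown from cron produces exactly
# these lines. Use as: rpm -Va | rpmv_perm_changes
rpmv_perm_changes() {
    awk '$1 != "missing" && $1 ~ /[MUG]/ { print $NF, $1 }'
}

# Run the report on the sample and return the flagged paths, space separated.
demo_rpmv() {
    printf '%s\n' "$RPMV_SAMPLE" | rpmv_perm_changes | awk '{print $1}' | paste -sd' '
}

demo_tighten
demo_rpmv
```

The sweep deliberately clears only the "other" bits, which is what the OP's 640/750 target needs; a `-perm /077` mask with `chmod g=,o=` would go further. Note that `count_other_bits` counts directories too, so a tree that still has world-traversable directories after the sweep shows up as non-zero. The rpm filter ignores size, digest and mtime changes on purpose: those are normal for edited config files, while an M, U or G flag on a binary or config file is the kind of change the earlier replies warn will break tools that check their own permissions.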
01-05-2007, 05:38 PM, post #4 (Original Poster)
Member; Registered: Mar 2005; Location: Arkansas; Distribution: Mandy 2006, FC5; Posts: 154
Excellent. The umask man page has lots of other goodies to check out, too.
So, my umask is 0022. I'm guessing I should change this to 0027 for my intended purpose, yes?
Jlightner, can you give me an example of tools that need certain permissions that involve the others group? I'd like to make sure I don't cross the line to crippling some service.
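How umask produces the 644/755 and 640/750 pairs discussed in posts #2 and #4, as an added example that is not code from any poster. It computes the expected modes from the creation modes the kernel is handed (0666 for files, 0777 for directories) and then creates real files under each umask in a throwaway directory to confirm the arithmetic; it assumes a POSIX sh with octal arithmetic (bash or dash) and GNU stat.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): shows how umask
# turns the requested creation modes (0666 for files, 0777 for directories)
# into the modes you actually get, first by arithmetic and then by creating
# real files under each umask in a throwaway directory.

# Predicted modes for a given umask string (e.g. 022 or 0027): "file dir".
# umask only ever clears bits, so a file can never gain execute from it.
predict_modes() {
    u=$((0$1))                     # a leading 0 makes the shell parse octal
    printf '%o %o\n' $((0666 & ~u)) $((0777 & ~u))
}

# Create a file and a directory under umask $1 and report their real modes.
# The umask change is confined to the subshell, so the caller's umask survives;
# this is also why a umask set in /etc/profile only reaches processes that
# descend from a shell that read /etc/profile.
observe_modes() {
    t=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$t/f"
        mkdir "$t/d"
    )
    stat -c '%a' "$t/f" "$t/d" | paste -sd' '
    rm -rf "$t"
}

# Cross-check prediction against observation for one umask.
check_umask() {
    p=$(predict_modes "$1")
    o=$(observe_modes "$1")
    if [ "$p" = "$o" ]; then
        echo "ok $1 -> $o"
    else
        echo "MISMATCH $1: predicted $p got $o"
    fi
}

check_umask 022     # the OP's current default: 644 755
check_umask 0027    # the OP's proposed value:  640 750
check_umask 077     # owner-only:               600 700
```

Two caveats for the OP's plan. First, a umask in /etc/profile is read by login shells; cron jobs, daemons started from init scripts and anything else that never sources it keep whatever umask their parent gave them, so a service that must create 640 files needs the umask set in its own startup script. Second, on Fedora/RHEL of that era /etc/profile picks the umask with a UID and user-private-group test (002 for ordinary users whose primary group matches their username, 022 otherwise), so the value to change is inside that branch rather than a single line appended at the end; check your own /etc/profile before editing.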
01-05-2007, 06:09 PM, post #5
LQ Guru; Registered: May 2005; Location: Atlanta Georgia USA; Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO; Posts: 7,831
Hard for me to think of a good list at the moment because I do UNIX as well and most of what's coming to mind is on UNIX. Basically I'd suggest being careful about changing anything under /usr/bin, /usr/sbin, /bin, /sbin, /etc, and of course / itself and some of the other main sub-directories there. Home directories in /home are fairly safe (assuming you haven't installed an app in one of them). Things in /usr/local may be safe. /opt you'd want to check the specific apps.
01-05-2007, 06:21 PM, post #6
LQ Guru; Registered: Aug 2001; Location: Fargo, ND; Distribution: SuSE AMD64; Posts: 15,733
A program that runs as a system user in a chroot jail will often have files owned by that user instead of by root. For example, cups may use lp instead of root. Look in /var/run for others like "mail".