LinuxQuestions.org
Old 06-08-2005, 06:42 PM   #1
juanbobo
Member
 
Registered: Mar 2005
Location: Chicago
Distribution: Gentoo AMD64
Posts: 365

Rep: Reputation: 30
good default permissions?


A while ago I came across a site with these permissions listed as a good default for Slackware I believe...

/bin/ root.root 711
/boot/ root.root 700
/dev/ root.root 711
/dev/audio* root.audio 600
/dev/dsp* root.audio 600
/etc/ root.adm 711
/etc/conf.modules root.adm 640
/etc/cron.daily/ root.adm 750
/etc/cron.hourly/ root.adm 750
/etc/cron.monthly/ root.adm 750
/etc/cron.weekly/ root.adm 750
/etc/crontab root.adm 640
/etc/dhcpcd/ root.adm 750
/etc/dhcpcd/* root.adm 640
/etc/esd.conf root.audio 640
/etc/ftpaccess root.adm 640
/etc/ftpconversions root.adm 640
/etc/ftpgroups root.adm 640
/etc/ftphosts root.adm 640
/etc/ftpusers root.adm 640
/etc/gettydefs root.adm 640
/etc/hosts.allow root.adm 640
/etc/hosts.deny root.adm 640
/etc/hosts.equiv root.adm 640
/etc/inetd.conf root.adm 640
/etc/rc.d/init.d/ root.adm 750
/etc/rc.d/init.d/syslog root.adm 740
/etc/inittab root.adm 640
/etc/ld.so.conf root.adm 640
/etc/lilo.conf root.adm 600
/etc/modules.conf root.adm 640
/etc/motd root.adm 644
/etc/printcap root.lp 640
/etc/profile root.root 644
/etc/rc.d/ root.adm 640
/etc/securetty root.adm 640
/etc/sendmail.cf root.adm 640
/etc/shutdown.allow root.root 600
/etc/ssh_config root.root 644
/etc/ssh_host_key root.adm 640
/etc/ssh_host_key.pub root.adm 644
/etc/sshd_config root.adm 640
/etc/syslog.conf root.adm 640
/etc/updatedb.conf root.adm 640
/home/ root.adm 751
/home/* current 700
/lib/ root.adm 751
/mnt/ root.adm 750
/root/ root.root 700
/sbin/ root.adm 751
/tmp/ root.root 1777
/usr/ root.adm 751
/usr/* root.adm 751
/usr/X11R6/ root.xgrp 751
/usr/bin/ root.adm 751
/usr/bin/* root.root 755
/usr/sbin/ root.adm 751
/usr/sbin/* root.root 755
/var/ root.root 755
/var/log/ root.root 711
/var/log/* root.root 600
/var/spool/mail/ root.mail 771

I am curious about what permissions you all use to secure your box, or if you have any comments on those listed.
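
A list in this "path owner.group mode" format can be checked against a live system. The following is an added example, not part of the original post or of the site it mentions: a Python audit that parses such lines and reports where the filesystem is looser or stricter than the baseline. The function names, the root parameter, the SAMPLE excerpt and the reading of "current" as "owned by the user the home is named after" are assumptions.

```python
import glob, grp, os, pwd, stat

# Constructed excerpt in the post's "path owner.group mode" format.
SAMPLE = """/etc/ root.adm 711
/etc/crontab root.adm 640
/home/* current 700"""

def _name(lookup, ident, field):
    """Resolve a uid/gid to a name; fall back to the number if unknown."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)

def owner_group(st):
    return (_name(pwd.getpwuid, st.st_uid, "pw_name"),
            _name(grp.getgrgid, st.st_gid, "gr_name"))

def parse_baseline(text):
    """Yield (pattern, owner, group, mode) for each three-field line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            owner, _, group = parts[1].partition(".")
            yield parts[0], owner, group, int(parts[2], 8)

def audit(text, root="/"):
    """Return (path, problem) pairs where the filesystem deviates from text."""
    findings = []
    for pattern, owner, group, want in parse_baseline(text):
        target = os.path.join(glob.escape(root), pattern.strip("/"))
        for path in sorted(glob.glob(target)):
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about access
            have = stat.S_IMODE(st.st_mode)
            if have & ~want:
                findings.append((path, f"mode {have:o} looser than {want:o}"))
            elif have != want:
                findings.append((path, f"mode {have:o} stricter than {want:o}"))
            # Assumption: "current" means the home belongs to the user it is named after.
            want_owner = os.path.basename(path) if owner == "current" else owner
            who, grp_name = owner_group(st)
            if who != want_owner or (group and grp_name != group):
                findings.append((path, f"owner {who}.{grp_name}, expected {want_owner}.{group}"))
    return findings

if __name__ == "__main__":
    for path, problem in audit(SAMPLE):
        print(f"{path}: {problem}")
```

Entries reported as "looser" grant bits the baseline does not; "stricter" ones are safe but may break services that expect the listed access.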
 
Old 06-10-2005, 05:52 PM   #2
mattLSO
Member
 
Registered: Jun 2005
Posts: 43

Rep: Reputation: 15
Those permissions look pretty good to me, although it doesn't mention permissions on users' actual home dirs; if all users have +x on them and a user has used bad permissions on private directories, a malicious user could use brute force to enumerate that user's folders and steal their confidential data. I recently had this issue on a shell server, so I created a priv dir which is 700 inside each user's home dir and have warned them to store any sensitive data in there. It also doesn't mention umasks; if it is not a web server then umask 066 in /etc/profile might be advisable. Unfortunately my server was a web server and there were too many problems with users not making their html/cgi's readable and executable, so you have to also find the right balance between usability and secure permissions.

Regards
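
The two points in this reply (home directories that others can traverse, and the umask) can be checked from the administrator's side. The following is an added example, not code from the poster: a Python audit that lists, for every home with the "other" execute bit set, the entries inside it that other users could reach by name, plus a helper that shows the modes a given umask actually produces. The function names and the /home default are assumptions.

```python
import os, stat, tempfile

def exposed_in_homes(home_root):
    """Map each home that others can traverse (o+x) to (mode, exposed entries)."""
    report = {}
    for home in sorted(os.scandir(home_root), key=lambda e: e.name):
        if not home.is_dir(follow_symlinks=False):
            continue
        home_mode = stat.S_IMODE(home.stat(follow_symlinks=False).st_mode)
        if not home_mode & stat.S_IXOTH:
            continue  # e.g. 700: nothing inside is reachable by other users
        exposed = []
        try:
            entries = sorted(os.scandir(home.path), key=lambda e: e.name)
        except PermissionError:
            entries = []  # auditor cannot list this home; run the audit as root
        for entry in entries:
            if entry.is_symlink():
                continue
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            if mode & stat.S_IRWXO:  # any r/w/x bit for "other"
                exposed.append((entry.name, f"{mode:o}"))
        report[home.name] = (f"{home_mode:o}", exposed)
    return report

def modes_created_under(umask):
    """Create a file and a directory under umask; return their octal modes."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            file_path, dir_path = os.path.join(tmp, "f"), os.path.join(tmp, "d")
            open(file_path, "w").close()
            os.mkdir(dir_path)
            return tuple(f"{stat.S_IMODE(os.stat(p).st_mode):o}"
                         for p in (file_path, dir_path))
    finally:
        os.umask(old)

if __name__ == "__main__":
    for user, (mode, entries) in exposed_in_homes("/home").items():
        print(user, mode, entries)
    print(modes_created_under(0o066))
```

Under umask 066 new files come out as 600 but new directories as 711, so directories stay traversable by others even though their contents are not listable.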
 
Old 11-07-2006, 08:05 PM   #3
zhimsel
LQ Newbie
 
Registered: Jul 2006
Posts: 8

Rep: Reputation: 0
What if I have each user's home directory as 700 and the contents with the default permissions? Is that ok/secure?

I have http(s), ftp, and ssh/telnet servers running. When an unprivileged user logs in to the shell server (and I've logged in as one and tried this), they don't have access to the other users' homes. Would this affect anything that might try to access the user's home directory (since other users have no r/w/x access)? Is this ok?

Also... since my server is public (to some degree, public meaning someone other than *me* has access), do you think it is ok to let unprivileged users read/"ls" most of my file system? I know that you can lock the user in a chroot "jail" to their home dir (although I haven't got that to work). Or should I not bother, since they can't change anything, just read it? Plus any sensitive data would be in my home dir, right?
 
  

