AssimovT 03-16-2006 03:16 AM

Harden file system protections
Hello everyone!

I have a "Linux question" concerning the hardening of file system protections.
Do you guys think that it is wise to set all file system protections to a least privilege model, where no "world" permissions exist?
I mean, what if I have a script which removes all "world" permissions in the whole file system, skipping some "not ordinary" folders such as /proc, /dev, /mnt?

Do you think it will spoil the whole system? Is there any list on the web which defines which files and directories MUST have "other" permissions in order to work properly, e.g. /etc/passwd? What if my machine is only used for version control like CVS; will it then protect the system from the usage of triggers (taking into account that later the cvsroot is chrooted)?

Thank you for your ideas...

jschiwal 03-16-2006 03:49 AM

Some folders need to be world writable, such as /tmp, /var/tmp, /var/spool/mail. Most distros allow you to have root's mail forwarded to you. There are programs that monitor the filesystems for you and alert you to world writable files and directories. You will also be warned about changed md5 checksums and altered configuration files. You will get a warning about world writable files that aren't required by the system. Read up on the documentation for your distro. I bet you already have a program like this, and it may even be running, but you haven't noticed it before.

AssimovT 03-16-2006 04:30 AM

Thanks for your answer.
Do you remember what these programs are, for Red Hat for example? Can you think of any other files and directories that need read, write or execute world perms?

jschiwal 03-16-2006 05:27 AM

I don't know which program Red Hat uses. You'll need to read the administration manual or use the help system, or google for an answer. Also, read through the root user's mail. The system may be sending security check alerts already.

You can use the "find" command to locate files and directories with world writable permissions, and then decide if it is necessary. Also search for suid programs.
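Added example, not code from the thread: the report-only audit that jschiwal's "find" suggestion and AssimovT's script idea both point at. It lists world-writable files, world-writable directories that lack the sticky bit (the /tmp case is the legitimate exception), and SUID/SGID executables, pruning /proc, /dev and /mnt as the original poster proposed (plus /sys and /run, added here). It changes no permissions, so it can be run before deciding what a cleanup script should touch. The sample tree it builds under mktemp is constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Report-only file-permission audit (added example, not from the thread).

# Walk one root with find(1), skipping the pseudo/virtual mount points below it,
# and print every path matching the test expression passed in "$@".
# /proc, /dev and /mnt come from the thread; /sys and /run are added here.
audit_find() {
    root=${1%/}; shift
    find "${root:-/}" \( -path "$root/proc" -o -path "$root/dev" \
        -o -path "$root/sys" -o -path "$root/mnt" -o -path "$root/run" \) -prune \
        -o "$@" -print
}

# Regular files that anyone may write (other-write bit set).
world_writable_files() { audit_find "$1" -type f -perm -0002; }

# World-writable directories WITHOUT the sticky bit. A sticky 1777 directory
# such as /tmp is expected; a plain 0777 directory is what needs a second look.
world_writable_dirs_no_sticky() { audit_find "$1" -type d -perm -0002 ! -perm -1000; }

# Set-UID or set-GID regular files (the "suid programs" jschiwal mentions).
setuid_setgid_files() { audit_find "$1" -type f \( -perm -4000 -o -perm -2000 \); }

# Human-readable summary for one root.
audit_report() {
    printf '== world-writable files under %s ==\n' "$1"
    world_writable_files "$1"
    printf '== world-writable directories without sticky bit ==\n'
    world_writable_dirs_no_sticky "$1"
    printf '== SUID/SGID files ==\n'
    setuid_setgid_files "$1"
}

# Constructed sample tree (runs in a subshell so umask 022 stays local):
# a sticky tmp, a loose upload dir with a 0666 file, a world-writable file
# under a fake /proc that must be skipped, a normal 0644 config file and a
# SUID binary. Prints the temporary root it created.
make_sample_tree() (
    umask 022
    base=$(mktemp -d)
    mkdir -p "$base/tmp" "$base/srv/upload" "$base/proc/1" "$base/etc" "$base/usr/bin"
    chmod 1777 "$base/tmp"
    chmod 0777 "$base/srv/upload"
    : > "$base/srv/upload/notes.txt"; chmod 0666 "$base/srv/upload/notes.txt"
    : > "$base/proc/1/cmdline";       chmod 0666 "$base/proc/1/cmdline"
    : > "$base/etc/passwd";           chmod 0644 "$base/etc/passwd"
    : > "$base/usr/bin/passwd";       chmod 4755 "$base/usr/bin/passwd"
    printf '%s\n' "$base"
)

# Usage: sh audit.sh /            (audit a real root, read-only)
#        sh audit.sh --demo       (build the sample tree and audit it)
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_tree)
    audit_report "$demo"
    rm -rf "$demo"
elif [ $# -gt 0 ]; then
    audit_report "$1"
fi
```

Run it against the real root as an unprivileged user first: anything it cannot read will simply be missing from the report, and the SUID list is usually the shortest and most worth reviewing by hand before any script starts removing bits.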

