Old 04-18-2018, 03:39 AM   #1
cbing
LQ Newbie
 
Registered: Apr 2012
Location: /root
Distribution: RHEL, CentOS, Fedora
Posts: 17

Rep: Reputation: Disabled
Permissions under /etc


Hi all,

I have a question regarding non-root permissions under /etc.
Is it safe to change the owner of a subdirectory tree and its files to a non-root user under /etc?
Could it allow privilege escalation or any other security issues?

Thanks.

CB.
 
Old 04-18-2018, 03:44 AM   #2
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 2,149

Rep: Reputation: 449
Any specific reasons in mind why you want to do it?

Try in a non-production Linux box, see how it goes.
 
Old 04-18-2018, 03:47 AM   #3
cbing
LQ Newbie
 
Registered: Apr 2012
Location: /root
Distribution: RHEL, CentOS, Fedora
Posts: 17

Original Poster
Rep: Reputation: Disabled
Hello JJJCR.

I would just like to know the security implications that this would imply.

Thanks.

CB.
 
Old 04-18-2018, 04:02 AM   #4
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,830

Rep: Reputation: 7308
I would say it is not really safe, but it would be better to explain what you want to change exactly.
 
Old 04-18-2018, 04:20 AM   #5
cbing
LQ Newbie
 
Registered: Apr 2012
Location: /root
Distribution: RHEL, CentOS, Fedora
Posts: 17

Original Poster
Rep: Reputation: Disabled
Hi,

For example, allow the apache user to own the files under /etc/httpd/* and edit them.

CB.
 
Old 04-18-2018, 05:20 AM   #6
cbing
LQ Newbie
 
Registered: Apr 2012
Location: /root
Distribution: RHEL, CentOS, Fedora
Posts: 17

Original Poster
Rep: Reputation: Disabled
I know about sudoedit, but the question is what security risks would be involved if there were directories and files from a non-root user in /etc.
 
Old 04-18-2018, 06:09 AM   #7
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,830

Rep: Reputation: 7308
For example: if the user running apache owned those files, a simple security hole will allow the intruder to access/modify configuration.
If it was owned by root, regular users will not be able to do that.
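
A check for the situation described in the post above, as an added example that is not part of the original thread. The function name `audit_config_tree` is hypothetical, and the trusted owner is assumed to be UID 0 unless a second argument says otherwise.

```shell
#!/bin/sh
# Added example: audit a configuration tree (e.g. /etc/httpd) for entries
# that an account other than the trusted owner could alter.
#
# Usage:   audit_config_tree DIR [TRUSTED_UID]   (TRUSTED_UID defaults to 0)
# Output:  one finding per line as "<reason><TAB><path>"
# Returns: 0 = clean, 1 = findings, 2 = DIR is not a directory
audit_config_tree() {
    dir=$1
    trusted_uid=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        # Entries owned by anyone other than the trusted UID. A directory in
        # this list is the worse case: its owner can rename or replace the
        # files inside it even when those files are themselves root-owned.
        find "$dir" ! -user "$trusted_uid" \
            -exec printf 'owner\t%s\n' {} \;

        # Entries writable through the group or "other" bits. Symlinks are
        # skipped because their own mode is always reported as 777.
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec printf 'writable\t%s\n' {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Called as `audit_config_tree /etc/httpd`, it lists every path the service account (or any other non-root user) could change. An `owner` line for a directory deserves attention first.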
 
Old 04-18-2018, 09:19 AM   #8
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (15 current), Slack15, Ubuntu studio, MX Linux, FreeBSD 13.1, WIn10
Posts: 10,342

Rep: Reputation: 2242
/opt and /usr/local/bin are for user-installed stuff. For apache. That is a whole "separate system" within the system, so yes you (can) give directories their special permissions as needed to allow who or whatever to access the dir and/or files within it. To each directory it has its own permissions "to allow or not to allow."

That is the question.

There are plenty of how-tos on setting up an Apache server on the internet. It would behoove you to find the one you can understand to use as a guideline. Good luck and enjoy.

Last edited by BW-userx; 04-18-2018 at 09:23 AM.
 
Old 04-18-2018, 08:23 PM   #9
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 2,149

Rep: Reputation: 449
As others suggested, don't mess with the /etc permissions, but use the Apache method on how to give permissions to directories within the Apache application.

If I am not wrong you can always change or point the directories to another location and specify the location on Apache.

It would be better if you will open a new thread and ask about Apache configuration if it is needed.
 
Old 04-20-2018, 01:18 AM   #10
cbing
LQ Newbie
 
Registered: Apr 2012
Location: /root
Distribution: RHEL, CentOS, Fedora
Posts: 17

Original Poster
Rep: Reputation: Disabled
Thanks for your answers.

It's not like I'm going to do something like that, I just want to understand why it should not be done.
If I install an application under /etc/app and change the owner to "app" with the user of the application, I understand that it will be easier to compromise that application than if the owner is root, but, apart from that, what problems can be generated by being under /etc? What difference would there be if I do the same but under /opt/app?
 
Old 04-20-2018, 02:19 AM   #11
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 2,149

Rep: Reputation: 449
Not really a security expert, I believe in most circumstances you don't need to mess with /etc and /opt directories just to give user permissions.

You can assign a user to a wheel group, sudoers or a steering wheel with a propeller group (just kidding) so they can have permissions to certain directories such as /etc and /opt but then giving permissions to a user who doesn't know what he is doing is just a bad idea.

Or giving a permission to a system folder to a particular user is also not a good idea, well it might be a workaround if you have 2 or 3 users on your network, just give them whole access to a folder so that they won't bother you anymore, but then if the system gets compromised, who will bear the responsibility?
 
  

