Slackware This Forum is for the discussion of Slackware Linux.
04-29-2004, 11:16 AM
|
#1
|
Member
Registered: Jan 2003
Location: Central New Jersey
Distribution: Knoppix to play, Slack current, OpenBSD stables
Posts: 111
Rep:
|
/usr/sbin and /sbin world read/executable... why?
I'm slowly learning the ins-and-outs of securing my lovely slack box, and have developed some questions along the way. I was hoping I could bounce two off of the community:
(1) One question in particular, which I haven't seen very informative responses to just yet is the notion of the /usr/sbin and /sbin directories, and why they are chmodded to 555 by default (world readable and executable). It seems dangerous to have all those scripts and binaries open to all users. I know running certain daemons as non root will be a moot point since they can't bind below port 1024 anyway, but things like hdparm, etc... Why are they by default open to the world of users on the machine?
(2) Follow up: Can these directories be chmodded to 550 (owner and group executable, but nothing for world) safely? Will this change cause untold havoc in random programs, or is this a safe and effective move?
Any advice or directions to other threads or discussion on the subject would be quite lovely! Also, answers don't have to be slack specific, I recognize that this is a cross-distro question.
Thanks!
|
|
|
04-29-2004, 11:43 AM
|
#2
|
Senior Member
Registered: Feb 2003
Distribution: Slackware
Posts: 4,113
Rep: 
|
755 and 750?
Doesn't matter if you can run hdparm - the device files are root:disk and not world-readable, so you can't do anything with it. I can't think of a reason why you couldn't chmod the programs 750 from the system's point of view but you don't want to do that with /usr/bin or even some things in sbin. Unless you set up special groups you, as user:users, wouldn't have permission to them.
Code:
ls -l /usr/bin/tail
-rwxr-xr-x 1 root bin 35244 Sep 18 2003 tail
If that was 750, you couldn't run it and that would suck.
|
|
|
04-29-2004, 05:31 PM
|
#3
|
Member
Registered: Jan 2003
Location: Central New Jersey
Distribution: Knoppix to play, Slack current, OpenBSD stables
Posts: 111
Original Poster
Rep:
|
I understand what you are saying regarding the /usr/bin and /bin directories of the system. My question was regarding the applications in /sbin and /usr/sbin... Any opinions on making these non executable for world, or non readable?
Thanks for the input, though.
|
|
|
04-29-2004, 06:06 PM
|
#4
|
Senior Member
Registered: Feb 2003
Distribution: Slackware
Posts: 4,113
Rep: 
|
Oh. I'm brain-damaged. I read /sbin and /usr/sbin as /usr/bin and /usr/sbin somehow. Sorry about that. No, like I say, most things have safeguards aside from the permissions they have, so I don't know it would help much, but I can't really think of a reason why you couldn't restrict permissions. Might screw up the three-fingered salute or something, and there might be more subtle issues, but it seems doable to me. I got curious and did a little googling and it seems like it is recommended sometimes and I didn't see anything saying *not* to.
This might have been better in Security, incidentally. unSpawn and the security gang would know for sure.
|
|
|
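The point from post #2 (being able to run a tool like hdparm gains nothing when the device file itself is closed to "other"), as an added example that is not part of the original thread. It classifies files by the mode string that ls -l prints and also flags setuid/setgid files, which goes slightly beyond the thread: those are the files where world-execute does confer extra privilege. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: what can "other" users do with each file, judged from the
# 10-character mode string of ls -l (e.g. -rwxr-xr-x)?

# classify_mode MODE: print one class for a single ls -l mode string
classify_mode() {
    user_x=$(printf '%s' "$1" | cut -c4)
    group_x=$(printf '%s' "$1" | cut -c7)
    other_r=$(printf '%s' "$1" | cut -c8)
    other_x=$(printf '%s' "$1" | cut -c10)
    case $other_x in
        x|t)
            # Others can run it; it only runs with extra privilege
            # when the setuid or setgid bit (s/S) is present.
            case "$user_x$group_x" in
                *[sS]*) echo "world-exec+setid" ;;
                *)      echo "world-exec" ;;
            esac ;;
        *)
            if [ "$other_r" = r ]; then echo "world-read-only"
            else echo "no-world-access"; fi ;;
    esac
}

# audit_dir DIR: print "CLASS NAME" for every regular file in DIR (symlinks skipped)
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        mode=$(ls -ld -- "$f" | cut -c1-10)
        printf '%s %s\n' "$(classify_mode "$mode")" "${f##*/}"
    done
}

# Constructed sample: a 755 tool, a 750 tool, and a 640 file standing in
# for a root:disk device node.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/hdparm-like"; chmod 755 "$d/hdparm-like"
    : > "$d/locked-tool"; chmod 750 "$d/locked-tool"
    : > "$d/fake-disk";   chmod 640 "$d/fake-disk"
    audit_dir "$d"
    rm -rf "$d"
}
demo
```

Running audit_dir /sbin and audit_dir /usr/sbin on a real system shows which entries are plain world-exec and which carry setuid/setgid and deserve a closer look before any blanket chmod.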
All times are GMT -5.