[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RC Security Flaw - mkdir & script create as 755, 644. SB &700, yes?



--- Wichert Akkerman <wichert@wiggy.net> wrote:
> Previously tluxt2@yahoo.com wrote:
> > I think, from a security standpoint, from a fresh install, it would be
> > appropriate to have the default permissions be at most 700 (ie, no bits on
> > in the group & world fields).
> 
> Why?

Because, if those bits are left on (most importantly for the world bits -
perhaps less importantly for the group bits), then, _by default_, nonroot users
will have access to such directories and files.

I think that is a bad default.  It provides a way that non root users have
access to some root information - by default.  Perhaps that information should
not be available to non root users.

So, by default, non root users shouldn't be given access to such things.  So,
by default, those bits should be off.

If root _does_ desire to give nonroot users access to any specific information,
root can easily do that, on a case by case basis.

Perhaps this is analogous to locking the door to one's house.  If you live in
an isolated very small town, where everyone is friends and everyone knows
everyone, you might leave the door of your house unlocked all the time.  But,
if you lived in a big city, you could quickly loose valueable things if you did
that.  So, in a big city, by default, you lock your door.

Wichert, I have this question for you:
My intention here is not to be impolite.  But, to me, the "why" (which I have
just stated above) is obvious.  For some reason, though, (perhaps it wasn't
obvious to you, or perhaps you wanted to know my _specific_ reasons) you wanted
to know my "why" reasons.  I certainly think you must have been aware of the
line of reasoning I gave above - before you asked your question.  So, I am
confused & curious why you asked it.

So, why did you ask that question?

Thanks.  :)


__________________________________________________
Do You Yahoo!?
Yahoo! Sports - Coverage of the 2002 Olympic Games
http://sports.yahoo.com



Reply to: