[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: root's home world readable

"Noah L. Meyerhans" <frodo@morgul.net> writes:

> On Mon, Jan 21, 2002 at 09:45:50PM +0000, Tim Haynes wrote:
> > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that
>> > case? Clearly there are individual files that you don't want
>> > world-readable, but that's true for normal users' home dirs as well.
>> Why do you want folks to be able to *see* that you have a .my.conf in
>> there?
> What difference does it make? They know you have an /etc/shadow,
> /var/mail/$USER, ~/.bash_history, etc etc etc.

1 out of 3 ain't bad, apparently.

> Those don't need to be in read-protected directories. They can 'ls' them
> all they want, but it won't get them anywhere.

This is where the per-file permissions come in. See below.

>> Directory and file permissions work together; block r on the dir and the
>> users won't be able to _ls_ in it. Block permissions on the file as
>> well, and they won't be able to read it should they guess its existence.
>> All to the good, as far as I'm concerned!
> Multiple layers of security are one thing, but this doesn't get you
> anything. Compromise one layer and you've necessarily compromised the
> other.

What makes you think .my.conf is the *only* thing I'm going to want to keep
in /root/?

Permissions on the directory are not only a necessary part of protecting
the contents, but a forward-looking prevention against the day you choose
to store your "firewall.sh" in there for all to see as well. And your
ipv6.sh. And...


Reply to: