Re: root's home world readable
"Noah L. Meyerhans" <frodo@morgul.net> writes:
> On Mon, Jan 21, 2002 at 09:45:50PM +0000, Tim Haynes wrote:
> > > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that
>> > case? Clearly there are individual files that you don't want
>> > world-readable, but that's true for normal users' home dirs as well.
>>
>> Why do you want folks to be able to *see* that you have a .my.conf in
>> there?
>
> What difference does it make? They know you have an /etc/shadow,
> /var/mail/$USER, ~/.bash_history, etc etc etc.
1 out of 3 ain't bad, apparently.
> Those don't need to be in read-protected directories. They can 'ls' them
> all they want, but it won't get them anywhere.
This is where the per-file permissions come in. See below.
>> Directory and file permissions work together; block r on the dir and the
>> users won't be able to _ls_ in it. Block permissions on the file as
>> well, and they won't be able to read it should they guess its existence.
>> All to the good, as far as I'm concerned!
>
> Multiple layers of security are one thing, but this doesn't get you
> anything. Compromise one layer and you've necessarily compromised the
> other.
What makes you think .my.conf is the *only* thing I'm going to want to keep
in /root/?
Permissions on the directory are not only a necessary part of protecting
the contents, but a forward-looking prevention against the day you choose
to store your "firewall.sh" in there for all to see as well. And your
ipv6.sh. And...
~Tim
--
<http://spodzone.org.uk/>
Reply to: