[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Permissions Required On hosts.allow ?

On Fri, 30 Aug 2002 07:38:45 -0400, Edward Guldemond wrote:

>On Thu, Aug 29, 2002 at 02:51:14AM +0100, Nick Boyce wrote:
>> I decided to start locking down permissions on "sensitive" files on a
>> recently installed Woody box, and discovered that when I changed the
>> permissions on "hosts.allow" (and "hosts.deny") to 640 then I could no
>> longer Telnet into the box 
>Maybe this is a lame question in response, but why would users being able
>to see hosts.allow and hosts.deny constitute a security hole?  

It's a not a security _hole_ as such - the point is just that's it's a
bad idea to give an attacker _any_ help whatsoever.  We don't want
them to be able to learn which other machines on the network are
trusted in particular ways ... do we ?

The Wily Hacker has to start with the research phase - general
reconnaisance - and we want to obstruct them wherever possible.

Nick Boyce
Bristol, UK
Bombeck's Rule of Medicine: Never go to a doctor whose office plants have died.

Reply to: