Re: Permissions Required On hosts.allow ?

To: debian-security@lists.debian.org
Subject: Re: Permissions Required On hosts.allow ?
From: Nick Boyce <nick@glimmer.demon.co.uk>
Date: Mon, 02 Sep 2002 04:18:07 +0100
Message-id: <[🔎] ssk5nuo8gul0ord7m8leggcpmh9afa2fav@4ax.com>
In-reply-to: <20020830113845.GA3714@yifan.net>
References: <5ouqmukg06nmcbsa6id887948c1o5uedf2@4ax.com> <20020830113845.GA3714@yifan.net>

On Fri, 30 Aug 2002 07:38:45 -0400, Edward Guldemond wrote:

>On Thu, Aug 29, 2002 at 02:51:14AM +0100, Nick Boyce wrote:
>> 
>> I decided to start locking down permissions on "sensitive" files on a
>> recently installed Woody box, and discovered that when I changed the
>> permissions on "hosts.allow" (and "hosts.deny") to 640 then I could no
>> longer Telnet into the box 
[...]
>
>Maybe this is a lame question in response, but why would users being able
>to see hosts.allow and hosts.deny constitute a security hole?  

It's a not a security _hole_ as such - the point is just that's it's a
bad idea to give an attacker _any_ help whatsoever.  We don't want
them to be able to learn which other machines on the network are
trusted in particular ways ... do we ?

The Wily Hacker has to start with the research phase - general
reconnaisance - and we want to obstruct them wherever possible.

Cheers,
Nick Boyce
Bristol, UK
--
Bombeck's Rule of Medicine: Never go to a doctor whose office plants have died.

Reply to:

Prev by Date: Re: Permissions Required On hosts.allow ?
Next by Date: Re: Permissions Required On hosts.allow ?
Previous by thread: Re: Permissions Required On hosts.allow ?
Next by thread: Re: Permissions Required On hosts.allow ?
Index(es):
- Date
- Thread