Re: Permissions Required On hosts.allow ?
On Fri, 30 Aug 2002 07:38:45 -0400, Edward Guldemond wrote:
>On Thu, Aug 29, 2002 at 02:51:14AM +0100, Nick Boyce wrote:
>> I decided to start locking down permissions on "sensitive" files on a
>> recently installed Woody box, and discovered that when I changed the
>> permissions on "hosts.allow" (and "hosts.deny") to 640 then I could no
>> longer Telnet into the box
>Maybe this is a lame question in response, but why would users being able
>to see hosts.allow and hosts.deny constitute a security hole?
It's a not a security _hole_ as such - the point is just that's it's a
bad idea to give an attacker _any_ help whatsoever. We don't want
them to be able to learn which other machines on the network are
trusted in particular ways ... do we ?
The Wily Hacker has to start with the research phase - general
reconnaisance - and we want to obstruct them wherever possible.
Bombeck's Rule of Medicine: Never go to a doctor whose office plants have died.