
Re: Permissions on /root/



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'd like to cast a vote for more restrictive permissions as well.
Access to files & directories should be as restrictive as possible
out of the box. If a user or 3rd party app needs more access to any
given area I'll give it as long as it doesn't break the security policy.

/root is one place regular users should never be allowed to look into
/var/log IMHO is another (but that is another flame war :)

I also like to change the default umask in the root & users profiles
to 0027 or 0077 wherever I can.
Trimming out unwanted packages from the default minimal install is another
place I seem to spend some time :(



Jan.


On Saturday 08 Mar 2003 5:47 pm, Dale Amon wrote:
: On Sat, Mar 08, 2003 at 07:12:13PM +0200, Birzan George Cristian wrote:
: > I've talked with several other friends, and most of them (5 to 1),
: > agreed that /root/ shouldn't be 755, but something more restrictive.
:
: I'm in agreement as well. I use /root as a common
: communication area among admin staff. Admin staff
: have their own home directories but prefer to keep
: them private. /root is a good place to put things
: which are intended to be "public" to the admin
: group. sudo is fine for doing many things, but not
: everything.
:
: I use cfengine2 to force it at least to 750. I also
: use cfengine2 to enforce all sorts of harsher
: preferences so that I automatically override
: some of the weaker Debian settings within minutes
: of doing an apt-get or dselect upgrade.
:
: When you have multiple people, working over long
: periods of time (years), with varying stress
: conditions, there will at some point be mistakes
: made. That's why defense in depth is so important.
: The more layers of protection you can place the
: more likely a single mistake won't leave you
: wide open.
:
: --
: ------------------------------------------------------
:        IN MY NAME:            Dale Amon, CEO/MD
:   No Mushroom clouds over     Islandone Society
:     London and New York.      www.islandone.org
: ------------------------------------------------------

- -- 

________________________________
Eagles may soar, but weasels don't get sucked into jet engines
________________________________
Jan Eringa
Unix Admin
________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE+bKhPX4LWCZ7JjaMRAttSAKDAthz7wVI2cbRb8+VbPfNy7Q2d1ACfbIoD
AlgCVtVn0J4Tx8SmnRhd3Ks=
=4/2c
-----END PGP SIGNATURE-----
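
The two settings discussed in this thread (a ceiling of 750 on /root, and a umask of 0027 or 0077) can be checked with a short script. This is an added example, not part of either poster's message or of any cfengine2 policy; the function names are hypothetical and `stat -c` assumes GNU coreutils, as on Debian.

```shell
#!/bin/sh
# Added example: audit a directory's mode against a ceiling and show what
# a given umask produces. Function names are illustrative (hypothetical).
# Assumption: GNU coreutils stat (stat -c '%a'), as shipped on Debian.
# Usage: audit_dir /root 750 ; mode_under_umask 0027

# mode_within MAX ACTUAL
# Succeeds only if ACTUAL grants no permission bit that MAX lacks.
# A leading 0 makes the shell read both values as octal.
mode_within() {
    [ $(( 0$2 & ~0$1 & 07777 )) -eq 0 ]
}

# audit_dir PATH MAX
# Prints one result line; returns 1 if PATH is more open than MAX,
# 2 if PATH cannot be inspected.
audit_dir() {
    _ad_mode=$(stat -c '%a' "$1") || return 2
    if mode_within "$2" "$_ad_mode"; then
        echo "OK       $1 mode=$_ad_mode (max $2)"
    else
        echo "TOO-OPEN $1 mode=$_ad_mode (max $2)"
        return 1
    fi
}

# mode_under_umask UMASK
# Creates a file and a directory in a scratch area under UMASK and prints
# the modes they received, e.g. "file=640 dir=750" for 0027.
mode_under_umask() {
    _mu_tmp=$(mktemp -d) || return 2
    # Subshell so the caller's own umask is left untouched.
    ( umask "$1"; : > "$_mu_tmp/f"; mkdir "$_mu_tmp/d" )
    echo "file=$(stat -c '%a' "$_mu_tmp/f") dir=$(stat -c '%a' "$_mu_tmp/d")"
    rm -rf "$_mu_tmp"
}
```

A mode of 700 passes a 750 ceiling while 755 fails it, so the check accepts anything stricter than the policy rather than demanding an exact match.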


