Re: Files access rights
On Mon, Jun 14, 1999 at 06:50:43PM +0200, Sami Dalouche wrote:
> I have just taken a look at the Debian security and found that Debian is
> NOT secure !!!
> A lot of files in /etc can be read by all users and they don't need it, so,
> it's a security hole.
> For example, these files :
>
> hosts.deny # The users shouldn't be able to see
> hosts.allow # these files. If they have less information about the system
<big list>
> Why do so many maintainers give too many rights ? All these files have
> -rw-r--r--.
>
> If this is a Debian policy rule, you should change it.
Yes, it is a Debian policy not to set all of these files to 600. The
reason being that there is nothing to gain for a hacker to see these
files since there would have to be some other actual bug or hole in the
system in order for this information to be useful. On top of that, it
requires local access to view the files (meaning you gave them access
to your system) and lastly, security through obscurity is not security
at all.
If you don't understand the above logic please read some of the
publicly available security docs on the subject.