Re: Newbie administrator - chmod

To: debian-user@lists.debian.org
Subject: Re: Newbie administrator - chmod
From: Dave Sherohman <esper@sherohman.org>
Date: Thu, 27 Feb 2003 13:18:56 -0600
Message-id: <[🔎] 20030227191856.GA12292@sherohman.org>
Mail-followup-to: Dave Sherohman <esper@sherohman.org>, debian-user@lists.debian.org
In-reply-to: <[🔎] Pine.LNX.3.96.1030227101758.18426A-100000@Maggie.Linux-Consulting.com>
References: <[🔎] 20030227172157.GF7823@sherohman.org> <[🔎] Pine.LNX.3.96.1030227101758.18426A-100000@Maggie.Linux-Consulting.com>

On Thu, Feb 27, 2003 at 10:27:39AM -0800, Alvin Oga wrote:
> > little detail that, in order to get them to do anything harmful, you
> > need root privileges.  And once an attacker is root, the 750
> > permissions won't stop him anyhow.  It only protects against people
> > who can't do any harm in the first place.
> 
> you're assuming outside attackers .

No, I'm not.  Legitimate users cannot use, say, ifconfig to change
the machine's IP address without first obtaining root privileges.

> i'm simply trying to prevent users from screwing up the lan and network
> and machines rendering it useless due to silly "admin mistakes" 
> 	- i dont like the 8am phone calls that foo server is dead
> 	or any of such phone calls ... "newbie admin mistakes" are 100%
> 	avoidable or more likely, "everybody" wants to make their stuff
> 	work and in the process break somebody else's stuff

Please provide an example of such a mistake which can be made by a
local non-root user by misuse of something in /sbin or /usr/sbin.

> 	-- "chmod -R 700 /home/*" as initially posted  is one of those
> 	that will have that dude fired   if they went around
> 	network security on a production network and made such ridiculous
> 	changes

Oh, absolutely.  But you're only going to screw yourself if you're
not root when you do it and, if you are root, making chmod owned by
root.root with 750 permissions won't matter anyhow because, well,
you're root.  You own it, so you get the rwx.  And if it's owned by
someone else, you're superuser, so you can change it.  (NFS exports
with squash_root excepted, of course, but if you're root, you can get
around that by suing to the owner's UID.)

The only thing you've suggested that I disagree with is the making
/sbin and /usr/sbin chmod 750 will provide a meaningful boost to
security and the reason I disagree is that the only people this will
keep out (non-root users) are people that can't use the contents of
those directories to do any harm in the first place.  Regardless of
whether they're internal or external, legitimate users or crackers,
careless newbies or malicious experts, they'll need root privs to
damage the system and, if they do have the root privs, chmod 750
won't have any effect on them.

-- 
The freedoms that we enjoy presently are the most important victories of the
White Hats over the past several millennia, and it is vitally important that
we don't give them up now, only because we are frightened.
  - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)

Reply to:

References:
- Re: Newbie administrator
  - From: Dave Sherohman <esper@sherohman.org>
- Re: Newbie administrator - chmod
  - From: Alvin Oga <aoga@Maggie.Linux-Consulting.com>

Prev by Date: Re: How to redo mp3's
Next by Date: apt-file question
Previous by thread: Re: Newbie administrator - chmod
Next by thread: Re: Newbie administrator
Index(es):
- Date
- Thread