On Tuesday, 06.02.2007 at 12:45 +0100, Jarek Buczyński wrote:

> > You can change the permissions for home directories so that users
> > cannot see each other's; you can also change the permissions for
> > /root so that it is invisible to non-root users (chmod 700 ...)
>
> OK. I've done this. But in the /root/ directory I have some scripts; these
> scripts have symbolic links to /etc/networks/ip-up.d. Will these
> scripts start when I reboot the server?

Don't rely on anything in /root to boot the server; having said that,
anything which is running as user root at startup will see into /root
fine.

> > Also, check /etc/adduser.conf to change the default permissions that
> > new homes are created with.
>
> Default is DIR_MODE=0755, is it good to change this to DIR_MODE=0700?

Yes, and that will work so long as you use 'adduser' to add users.

> > However, I'd strongly advise against trying to restrict access to
> > /etc - this will break lots of things!
>
> So, I didn't touch the permissions of /etc. Why is this dangerous? Can some
> daemons have problems working normally?

Files in /etc are designed to be readable to all processes, including
user processes. For example, /etc/resolv.conf for looking up hosts,
/etc/passwd for user details and so on. Anything which explicitly needs
to be hidden from normal users can have appropriate permissions set,
e.g. /etc/shadow is normally only readable by root.

> > What are you actually trying to achieve? Or, to take another view,
> > what exactly are you trying to prevent and why?
>
> I'd like my users not to have access to some files, for example /etc/*; they
> shouldn't see the apache, bind, ftp etc. config files. I think it's good
> practice, probably :)

There shouldn't be anything readable under /etc which constitutes a
security risk. If you really don't trust your users, don't give them
access in the first place :-)

Dave.
--
Please don't CC me on list messages! ...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
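
Added example, not part of the message above or of anyone's post in this thread: a small audit for the two settings discussed, the DIR_MODE default in /etc/adduser.conf and the modes of existing home directories. The function names and the HOME_BASE and ADDUSER_CONF variables are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit home-directory permissions on a Debian-style system.
# HOME_BASE and ADDUSER_CONF are assumed names; override them via environment.

# Print the last DIR_MODE value assigned in an adduser.conf-style file.
adduser_dir_mode() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*DIR_MODE=\([0-7][0-7]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed when an octal mode grants nothing to group or other (e.g. 0700).
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Print each directory directly under $1 that group or other can access.
list_exposed_homes() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue          # unmatched glob or not a directory
        dir=${dir%/}
        [ -L "$dir" ] && continue          # skip symlinked entries
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld "$dir" | cut -c5-10)
        [ "$bits" = "------" ] || printf '%s\n' "$dir"
    done
}

# Report the default for new homes, then the existing homes that are exposed.
audit_homes() {
    base=${HOME_BASE:-/home}
    conf=${ADDUSER_CONF:-/etc/adduser.conf}
    mode=$(adduser_dir_mode "$conf")
    if [ -z "$mode" ]; then
        echo "DIR_MODE not set in $conf"
    elif mode_is_private "$mode"; then
        echo "DIR_MODE=$mode: new homes will be private"
    else
        echo "DIR_MODE=$mode: new homes will be accessible to other users"
    fi
    list_exposed_homes "$base" | sed 's/^/exposed: /'
}

audit_homes
```

Each directory reported as exposed can be tightened with chmod 700, as suggested in the thread; changing DIR_MODE only affects homes created afterwards with adduser.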