
Re: SSH accounts - basic restriction



On Tuesday, 06.02.2007 at 12:45 +0100, Jarek Buczyński wrote:

> > You can change the permissions for home directories so that users
> > cannot see each others; you can also change the permissions for
> > /root so that it is invisible to non-root users (chmod 700 ...)
> 
> OK. I've done this. But in the /root/ directory I have some scripts; these
> scripts have symbolic links in /etc/networks/ip-up.d. Will these
> scripts start when I reboot the server?

Don't rely on anything in /root to boot the server; having said that,
anything which is running as user root at startup will see into /root
fine.

> > Also, check /etc/adduser.conf to change the default permissions that
> > new homes are created with.
> 
> The default is DIR_MODE=0755; is it good to change this to DIR_MODE=0700?

Yes, and that will work so long as you use 'adduser' to add users.

> > However, I'd strongly advise against trying to restrict access to
> > /etc - this will break lots of things!
> 
> So, I didn't touch the permissions on /etc. Why is this dangerous? Can some
> daemons have problems working normally?

Files in /etc are designed to be readable to all processes, including
user processes.  For example, /etc/resolv.conf for looking up hosts,
/etc/passwd for user details and so on.  Anything which explicitly needs
to be hidden from normal users can have appropriate permissions set,
e.g. /etc/shadow is normally only readable by root.

> > What are you actually trying to achieve?  Or, to take another view,
> > what exactly are you trying to prevent and why?
> 
> I'd like my users not to have access to some files, for example /etc/*; they
> shouldn't see the apache, bind, ftp etc. config files. I think it's good
> practice, probably :)

There shouldn't be anything readable under /etc which constitutes a
security risk.  If you really don't trust your users, don't give them
access in the first place :-)

Dave.
-- 
Please don't CC me on list messages!
...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
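The hardening discussed in this thread (chmod 700 on home directories and /root, DIR_MODE=0700 in /etc/adduser.conf, and /etc/shadow as the one /etc file that must stay unreadable to ordinary users) as an added audit script. This is example code written for this page, not something posted in the thread; it works against a constructed sandbox tree created by make_sandbox (all paths under that sandbox, the sample adduser.conf and the sample shadow line are assumptions) so it can be run without touching the real system. Point the check functions at "/" instead of the sandbox to audit a live machine.

```sh
#!/bin/sh
# Added example: audit and fix the home-directory and adduser.conf settings
# described in the thread. Runs against a constructed sandbox by default.
set -eu

# Build a constructed directory tree standing in for "/" (assumed layout).
make_sandbox() {
    ROOT=$(mktemp -d)
    mkdir -p "$ROOT/home/alice" "$ROOT/home/bob" "$ROOT/root" "$ROOT/etc"
    chmod 755 "$ROOT/home/alice"    # world-readable: the DIR_MODE=0755 default
    chmod 700 "$ROOT/home/bob"      # already private
    chmod 755 "$ROOT/root"          # /root visible to every user
    printf 'DIR_MODE=0755\n' > "$ROOT/etc/adduser.conf"
    printf 'root:*:0:0:99999:7:::\n' > "$ROOT/etc/shadow"   # constructed sample line
    chmod 640 "$ROOT/etc/shadow"
    echo "$ROOT"
}

# Print "<dir> <group+other bits>" for every directory under $1/home, plus
# $1/root, that grants any permission to group or other. Prints nothing when
# all of them are private. Uses ls(1) so it works on GNU and BSD userlands.
find_open_homes() {
    root=$1
    for d in "$root"/home/* "$root"/root; do
        [ -d "$d" ] || continue
        # ls -ld prints e.g. "drwxr-xr-x ..."; columns 5-10 are group+other.
        perms=$(ls -ld "$d" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "$d $perms"
        fi
    done
}

# Apply the thread's fix (chmod 700) to every directory find_open_homes reports.
fix_open_homes() {
    find_open_homes "$1" | while read -r d rest; do
        chmod 700 "$d"
    done
}

# Return the effective DIR_MODE value from an adduser.conf file (last one wins).
adduser_dir_mode() {
    sed -n 's/^[[:space:]]*DIR_MODE=\([0-7]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite DIR_MODE so that homes created by adduser are private from the start.
# Written via a temp file rather than sed -i, which differs between GNU and BSD.
set_dir_mode_0700() {
    sed 's/^[[:space:]]*DIR_MODE=.*/DIR_MODE=0700/' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# The one /etc exception the reply names: /etc/shadow must not be readable
# by "other". Succeeds (exit 0) when the other-bits are "---".
shadow_is_private() {
    [ "$(ls -l "$1/etc/shadow" | cut -c8-10)" = "---" ]
}

# Walk through audit -> fix -> re-audit on the sandbox.
demo() {
    root=$(make_sandbox)
    echo "Open home directories before fix:"
    find_open_homes "$root"
    echo "adduser DIR_MODE: $(adduser_dir_mode "$root/etc/adduser.conf")"
    fix_open_homes "$root"
    set_dir_mode_0700 "$root/etc/adduser.conf"
    echo "Open home directories after fix: $(find_open_homes "$root" | wc -l)"
    echo "adduser DIR_MODE: $(adduser_dir_mode "$root/etc/adduser.conf")"
    shadow_is_private "$root" && echo "/etc/shadow is not world-readable"
    rm -rf "$root"
}

# Run the walkthrough only when asked, so the functions can be sourced.
if [ "${AUDIT_DEMO:-0}" = 1 ]; then
    demo
fi
```

Run it with `AUDIT_DEMO=1 sh audit-homes.sh` to see the before/after on the sandbox. Note that changing DIR_MODE only affects accounts created afterwards by adduser, which is why the script also walks the existing homes; and, as the reply says, a process already running as root at boot is unaffected by the mode of /root.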


