[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: SSH accounts - basic restriction

> > Files in /etc are designed to be readable to all processes, 
> including
> > user processes.  For example, /etc/resolv.conf for looking up hosts,
> > /etc/passwd for user details and so on.  Anything which 
> explicitly needs
> > to be hidden from normal users can have appropriate permissions set,
> > e.g. /etc/shadow is normally only readable by root.
> Below is default debian permission for selected files and catalogs:
> drwxr-xr-x   8 root   root     4096 2007-02-05 01:46 apache2
> drwxr-sr-x   2 root   bind     4096 2007-02-05 01:48 bind
> -rw-r--r--   1 root   root      677 2006-11-07 03:14 hosts.allow
> -rw-r--r--   1 root   root      901 2006-11-07 03:14 hosts.deny
> -rw-r--r--   1 root   root     1033 2007-02-05 01:48 passwd
> drwxr-xr-x   2 root   root     4096 2006-11-07 02:38 ssh
> drwxr-xr-x   7 root   root     4096 2006-11-07 03:14 network
> If change permission 
> chmod o-rwx 
> will system work correctly?

Apache2: Apache2 starts up as root, and then changes to the 
user and group specified in the config files (default is 
www-data:www-data).  So, if you change the group owner of 
apache2 to www-data (and all the files therein), and remove 
world access (chmod o-rwx), apache should still work.  No 
guarantees, though.

Bind:  I believe the same holds true for bind, but it's been 
a long time since I've used it (I use PowerDNS now).

Hosts.allow, hosts.deny: Not sure about those.  

Passwd:  This needs to be readable by everyone.  Despite the name, 
there isn't any actual password information in there (it's in 
/etc/shadow).  But any process that needs to look up user information 
will need access.  Even doing a simple "ls" command needs access.

Ssh:  ssh runs as root, removing world access is probably fine.

Network:  It's probably okay to remove world access.

Hope this helps!
-- Kevin

Reply to: