On 06/27/2012 06:09 PM, Gerhardus Geldenhuis wrote:
> My current company wants to change the permissions of /etc/group to 640 based on a
> Qualys scan that is complaining about it.
>
> I think it is security through obscurity. If someone has enough access to be
> browsing around files then you already have problems excluding the other methods of
> obtaining similar information.
>
> I am keen to hear other people's opinions about this.

It would "break" things from the point of view that users would not be able to
reference groups by group names.  It may also break things such as when using
applications such as "wireshark" which grants rights based on a user being in the
"wireshark" group.  Since the user's process can't access the group file it is likely
that it will be unable to determine the user's status in the group.

Then, users will see something like this....

Last login: Wed Jun 27 10:59:37 2012 from meimei.greshko.com
id: cannot find name for group ID 1001
[egreshko@f17 ~]$ ll
total 48
drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 11:36 Desktop
drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 12:05 Documents
drwxr-xr-x.   3 egreshko 1001 4096 Jun 24 08:53 Downloads
drwxr-xr-x. 157 egreshko 1001 8192 Jun 24 14:28 misty
drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 11:29 Music
drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 11:29 Pictures
drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 11:29 Public
drwxrwxr-x.   8 egreshko 1001 4096 Jun 18 13:11 rpm
drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 11:29 Templates
drwxr-xr-x.   2 egreshko 1001 4096 Jun 22 08:57 Videos

The chgrp command will also be rendered useless.....

And this is probably just a short list....  :-)

_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
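
Added example (not part of the original message): a small Python model of why mode 640 on a root:root /etc/group produces the bare "1001" shown in the listing above. The uid 1000, the wireshark gid 990 and the sample file contents are constructed, and the model assumes plain file-backed lookups with no nscd/sssd cache in front of them.

```python
import os
import stat

# Constructed sample in group(5) format: name:password:GID:member,list
SAMPLE_GROUP = """root:x:0:
wireshark:x:990:egreshko
egreshko:x:1001:
"""

def can_read(mode, owner_uid, owner_gid, uid, gids):
    """POSIX DAC read check: only the first matching class (owner, group, other) applies."""
    if uid == 0:
        return True  # root bypasses DAC (CAP_DAC_OVERRIDE)
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def parse_group(text):
    """Return {gid: (name, members)} from group(5) text, skipping malformed lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue
        table[int(fields[2])] = (fields[0], [m for m in fields[3].split(",") if m])
    return table

def display_group(gid, mode, uid, gids, text=SAMPLE_GROUP, owner=(0, 0)):
    """What ls/id can print for gid: the name if the file is readable, else the number."""
    if not can_read(mode, owner[0], owner[1], uid, gids):
        return str(gid)
    entry = parse_group(text).get(gid)
    return entry[0] if entry else str(gid)

def audit(path="/etc/group"):
    """Return the live file's permission bits and whether 'other' can read it."""
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode), bool(st.st_mode & stat.S_IROTH)

if __name__ == "__main__":
    for mode in (0o644, 0o640):  # current default vs. the mode the scan asks for
        print(oct(mode), display_group(1001, mode, uid=1000, gids=[1001, 990]))
    print(audit())
```

The same `can_read` check shows the only unprivileged processes that keep name resolution under 640 are those already in the file's owning group.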
