Thanks for all the replies. This has given me much-needed ammunition to
plead for more sanity in security decisions.

Regards

On 27 June 2012 11:22, Ed Greshko <ed.gres...@greshko.com> wrote:

> On 06/27/2012 06:09 PM, Gerhardus Geldenhuis wrote:
> > My current company wants to change the permissions of /etc/group to 640
> > based on a Qualys scan that is complaining about it.
> >
> > I think it is security through obscurity. If someone has enough access to
> > be browsing around files then you already have problems excluding the
> > other methods of obtaining similar information.
> >
> > I am keen to hear other people's opinions about this.
>
> It would "break" things from the point of view that users would not be able
> to reference groups by group names.  It may also break things such as when
> using applications such as "wireshark" which grants rights based on a user
> being in the "wireshark" group.  Since the user's process can't access the
> group file it is likely that it will be unable to determine the user's
> status in the group.
>
> Then, users will see something like this....
>
> Last login: Wed Jun 27 10:59:37 2012 from meimei.greshko.com
> id: cannot find name for group ID 1001
> [egreshko@f17 ~]$ ll
> total 48
> drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 11:36 Desktop
> drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 12:05 Documents
> drwxr-xr-x.   3 egreshko 1001 4096 Jun 24 08:53 Downloads
> drwxr-xr-x. 157 egreshko 1001 8192 Jun 24 14:28 misty
> drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 11:29 Music
> drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 11:29 Pictures
> drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 11:29 Public
> drwxrwxr-x.   8 egreshko 1001 4096 Jun 18 13:11 rpm
> drwxr-xr-x.   2 egreshko 1001 4096 Jun 17 11:29 Templates
> drwxr-xr-x.   2 egreshko 1001 4096 Jun 22 08:57 Videos
>
> The chgrp command will also be rendered useless.....
>
> And this is probably just a short list....  :-)
>
> _______________________________________________
> rhelv5-list mailing list
> rhelv5-list@redhat.com
> https://www.redhat.com/mailman/listinfo/rhelv5-list
>



-- 
Gerhardus Geldenhuis
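
Added example, not part of the thread: a shell check that separates the mode change discussed above (dropping world-read, which breaks GID-to-name lookups) from the setting that is an actual risk (write access for non-owners). It assumes GNU stat as shipped on RHEL; the function names and the sample group entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (coreutils, as on RHEL).
# Function names and sample data are constructed for illustration.

# Report problems with the mode of a group database file ($1).
# Returns 0 when the mode is sane, 1 on a finding, 2 when stat fails.
audit_group_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "ERROR: cannot stat $1"; return 2; }
    bits=$((0$mode))          # leading 0 makes the shell read the mode as octal
    rc=0
    # World-read bit missing: unprivileged processes can no longer map
    # GIDs to names, which is the breakage shown in the reply above.
    if [ $((bits & 04)) -eq 0 ]; then
        echo "BREAKS: mode $mode hides group names from non-root users"
        rc=1
    fi
    # Group- or world-write is the setting that matters for security.
    if [ $((bits & 022)) -ne 0 ]; then
        echo "RISK: mode $mode lets non-owners edit group membership"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: mode $mode"
    return "$rc"
}

# Simplified stand-in for the flat-file lookup behind id and ls -l:
# print the group name for GID $2 from file $1, or the bare GID when the
# file is unreadable or has no matching entry.
gid_to_name() {
    name=
    [ -r "$1" ] && name=$(awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1")
    echo "${name:-$2}"
}

# Demo on a temporary file holding one constructed entry.
demo() {
    f=$(mktemp)
    echo 'egreshko:x:1001:' > "$f"
    for m in 644 640 664; do
        chmod "$m" "$f"
        audit_group_perms "$f" || true
    done
    echo "GID 1001 resolves to: $(gid_to_name "$f" 1001)"
    rm -f "$f"
}
demo
```

Run against the real file with `audit_group_perms /etc/group`; root can always read the file, so the lookup failure only shows up for unprivileged users.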