Re: Filesystem permissions
Noah Meyerhans <[EMAIL PROTECTED]> writes:

> Why do you want to? If nobody can read /proc then they can't run things
> like 'ps'. That's not a good thing. /etc is a similar case. Depending on
> your installation, it's quite likely that there are things in /etc that
> *need* to be readable by a normal user.

Correct ;) I can think of `/etc/passwd' straight OTTOMH - a humble ls will
confuse all the users who can't see their own username straight.

If the OP wants to persist in this, he'll have to consider system daemons
as well; your MTA & MDA probably take a walk through /etc/ as user `mail',
maybe... Woops :)

~Tim
--
Clouds cross the black moonlight,  |[EMAIL PROTECTED]
Rushing on down to the sound       |http://spodzone.org.uk/
of a turning world                 |
Re: Filesystem permissions
Hello,

IMHO, this is really not a good idea. For example, processes like X or
mysql will need write access to /tmp. Also, user processes could need to
have access to directories like /var/spool/mail (any MUA, for example).
Apache and man need access to the /var/cache directory. Some processes
need access to /var/run (apache, proftpd, ...). As a matter of security,
daemons that need access to /tmp, /var, ... do not always run as root.

Furthermore, I don't see what the benefit of such a restriction is.

On Fri, 15 Jun 2001, Noah Meyerhans wrote:

> On Fri, Jun 15, 2001 at 02:16:21PM -0600, Stefan Srdic wrote:
> >
> > For example, could I mount /proc, /var and /tmp so that only root can
> > r/w to those filesystems? Also, how could I implement the same thing but
> > to the /etc directory and subdirectories?
> >
>
> Why do you want to? If nobody can read /proc then they can't run things
> like 'ps'. That's not a good thing. /etc is a similar case. Depending
> on your installation, it's quite likely that there are things in /etc
> that *need* to be readable by a normal user.
>
> Have you got something specific that you want to hide from your users?
> Do you really distrust them that much? I have had accounts on numerous
> "public" systems, including, for example, shell servers run by ISPs. Not
> once have I ever seen one that restricted read access to /proc or /etc.
>
> noah
>
> --
>  ___
> | Web: http://web.morgul.net/~frodo/
> | PGP Public Key: http://web.morgul.net/~frodo/mail.html
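The effect described in the two replies above (a mode-644 /etc/passwd becomes unreachable once /etc itself is root-only, and non-root daemons lose /tmp and /var/run), as an added example that is not part of the original thread. It runs against a constructed sandbox tree rather than the live system; the function names are hypothetical, and it assumes GNU stat and plain mode bits (no ACLs, no group membership).

```shell
# Added example: evaluates only the "other" mode bits, so the result does not
# depend on which uid runs it. Assumes GNU stat; function names are made up.

# Print the "other" permission digit (0-7) of a path.
other_digit() {
    mode=$(stat -c '%a' "$1") || return 2
    echo "${mode#${mode%?}}"                  # keep the last octal digit
}

# other_has ROOT REL MASK: succeed if an account that is neither owner nor
# group member gets all MASK bits (4=read, 2=write, 1=search) on ROOT/REL.
# Every directory between ROOT and the target must grant search (1) as well.
other_has() {
    cur=$1 rel=$2 mask=$3
    old_ifs=$IFS; IFS=/
    set -- $rel                               # split REL into components
    IFS=$old_ifs
    while [ $# -gt 1 ]; do
        cur=$cur/$1; shift
        digit=$(other_digit "$cur") || return 2
        [ $((digit & 1)) -ne 0 ] || return 1  # a parent blocks traversal
    done
    digit=$(other_digit "$cur/$1") || return 2
    [ $((digit & mask)) -eq "$mask" ]
}

# Constructed sandbox with the usual modes of /etc, /tmp and /var/run.
build_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/etc" "$sb/tmp" "$sb/var/run"
    printf 'mail:x:8:8:mail:/var/mail:/bin/sh\n' > "$sb/etc/passwd"
    chmod 755 "$sb/etc" "$sb/var" "$sb/var/run"
    chmod 644 "$sb/etc/passwd"
    chmod 1777 "$sb/tmp"
    echo "$sb"
}

# Print what a non-owner account can still do inside the sandbox "$1".
report() {
    for check in "etc/passwd 4" "tmp 3" "var/run 5"; do
        set -- "$1" $check                    # $1=root, $2=path, $3=mask
        if other_has "$1" "$2" "$3"; then echo "ok      $2"; else echo "BLOCKED $2"; fi
    done
}

sb=$(build_sandbox)
echo "default modes:"; report "$sb"
chmod 700 "$sb/etc" "$sb/tmp" "$sb/var"       # the root-only lockdown asked about
echo "root-only modes:"; report "$sb"; rm -rf "$sb"
```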
Re: Filesystem permissions
On Fri, Jun 15, 2001 at 02:16:21PM -0600, Stefan Srdic wrote:
>
> For example, could I mount /proc, /var and /tmp so that only root can
> r/w to those filesystems? Also, how could I implement the same thing but
> to the /etc directory and subdirectories?
>

Why do you want to? If nobody can read /proc then they can't run things
like 'ps'. That's not a good thing. /etc is a similar case. Depending on
your installation, it's quite likely that there are things in /etc that
*need* to be readable by a normal user.

Have you got something specific that you want to hide from your users?
Do you really distrust them that much? I have had accounts on numerous
"public" systems, including, for example, shell servers run by ISPs. Not
once have I ever seen one that restricted read access to /proc or /etc.

noah

--
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Filesystem permissions
Is it possible to restrict filesystems to certain users and processes?

For example, could I mount /proc, /var and /tmp so that only root can
r/w to those filesystems? Also, how could I implement the same thing but
to the /etc directory and subdirectories?

I am running Debian 2.2 with Kernel 2.4.5. All of my partitions are
ReiserFS except for the /boot partition which remains ext2. My /usr
partition is mounted as ro.

Stef