Re: secure file permissions
On Mon, 08 Dec 2003 at 03:16:05AM -0500, Domonkos Czinke wrote:
> Hi,
>
> I recommend using the chattr program. You should set them immutable
> chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow. Man chattr.

Setting /etc/shadow +i would not be advisable as it renders your passwd command useless. Setting /etc/passwd +i renders your chsh and chfn commands useless.

Also, if someone r00ts you and they know more than someone who started using Linux last week, they'll realize the files are +i and take the +i bit off them. I fail to see how this would make things any better on your system.

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import -
--
Excuse #148: endothermal recalibration
Re: secure file permissions
On Mon, 8 Dec 2003 19:16, "Domonkos Czinke" <[EMAIL PROTECTED]> wrote:
> I recommend using the chattr program. You should set them immutable
> chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow. Man chattr.

In a stock Linux kernel the permissions required to "chattr -i" a file are exactly the same as those required to write to /etc/passwd or /etc/shadow. So what does this gain?

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
RE: secure file permissions
Hi,

I recommend using the chattr program. You should set them immutable
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow. Man chattr.

Domonkos Czinke

-----Original Message-----
From: Lupe Christoph [mailto:[EMAIL PROTECTED]]
Sent: Sunday, December 07, 2003 9:56 AM
To: mi
Cc: debian-security@lists.debian.org
Subject: Re: secure file permissions

On Sunday, 2003-12-07 at 09:27:04 +0100, mi wrote:
> Can you tell me what are the default permissions for /etc/group and
> /etc/passwd ?
> I restricted them to rw for root only, but some things like exim (and
> possibly dpkg ?) seem to need read access there too.
> What's recommended ?

You want to change them, so I guess you should know why.

BTW, try running ls as a user when /etc/group and /etc/passwd are 600.

Lupe Christoph
--
| [EMAIL PROTECTED]                       | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent"  Lu Tze                        |
| "Thief of Time", Terry Pratchett                                       |
Re: secure file permissions
On Sun, 7 Dec 2003, mi wrote:
> Can you tell me what are the default permissions for /etc/group and
> /etc/passwd ?

They are both 644 by default.

> I restricted them to rw for root only, but some things like exim (and
> possibly dpkg ?) seem to need read access there too.
> What's recommended ?
>
> (Debian Woody 3.0 r1)

I would recommend that you do not change the default permissions for those files. That's why shadow passwords exist (look at the files /etc/shadow and /etc/gshadow).
Re: secure file permissions
On Sun, Dec 07, 2003 at 09:27:04AM +0100, mi wrote:
> Hello,
>
> Can you tell me what are the default permissions for /etc/group and
> /etc/passwd ?

%--(6)--$ ls -l /etc/passwd
-rw-r--r--    1 root     root         1276 17. Sep 22:57 /etc/passwd

> I restricted them to rw for root only, but some things like exim (and
> possibly dpkg ?) seem to need read access there too.
> What's recommended ?

Unless you didn't enable shadow passwords the default ought to be safe. /etc/passwd 'only' tells names and login-shells. Not really much to worry about, is it?

Horst
--
Join the army, see the world, meet interesting, exciting people, and kill them.
Re: secure file permissions
mi wrote:
> Hello,
>
> Can you tell me what are the default permissions for /etc/group and
> /etc/passwd ?
> I restricted them to rw for root only, but some things like exim (and
> possibly dpkg ?) seem to need read access there too.
> What's recommended ?
>
> (Debian Woody 3.0 r1)

$ ls -l /etc/passwd
-rw-r--r--    1 root     root         2722 Nov 23 15:35 /etc/passwd
$

Same for group. Pretty much everything needs to be able to read them. There isn't any harm in having them readable either. The encrypted passwords are stored in /etc/shadow.

Tim
--
Tim Nicholas                   || Cilix
Email: [EMAIL PROTECTED]       || Wellington, New Zealand
http://tim.nicholas.net.nz/    || Cell/SMS: +64 21 337 204
Re: secure file permissions
On Sunday, 2003-12-07 at 09:27:04 +0100, mi wrote:
> Can you tell me what are the default permissions for /etc/group and
> /etc/passwd ?
> I restricted them to rw for root only, but some things like exim (and
> possibly dpkg ?) seem to need read access there too.
> What's recommended ?

You want to change them, so I guess you should know why.

BTW, try running ls as a user when /etc/group and /etc/passwd are 600.

Lupe Christoph
--
| [EMAIL PROTECTED]                       | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent"  Lu Tze                        |
| "Thief of Time", Terry Pratchett                                       |
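The replies above settle on the stock layout: /etc/passwd and /etc/group stay 644 root:root so name lookups (ls included) keep working, and the hashes stay in the shadow files. The script below audits a system against that layout; it is an added example, not code from anyone in this thread. It assumes GNU coreutils stat(1), and the 640 root:shadow mode it expects for /etc/shadow and /etc/gshadow is Debian's default rather than something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): audit the account database files.
# /etc/passwd and /etc/group are expected 644 root:root (world-readable, so
# ls and other name lookups work); /etc/shadow and /etc/gshadow are assumed
# 640 root:shadow (Debian default, not stated in the thread). Needs GNU stat.

# check_file PATH EXPECTED_MODE EXPECTED_OWNER:GROUP
# Prints one line per finding; returns 0 on a match, 1 otherwise.
check_file() {
    path=$1; want_mode=$2; want_owner=$3; status=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    have_mode=$(stat -c '%a' "$path")
    have_owner=$(stat -c '%U:%G' "$path")
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE    $path is $have_mode, expected $want_mode"
        status=1
    fi
    if [ "$have_owner" != "$want_owner" ]; then
        echo "OWNER   $path is $have_owner, expected $want_owner"
        status=1
    fi
    # The deviation that matters most: a shadow file whose 'other' class
    # (last octal digit) carries the read bit, so every local account can
    # read the hashes. Digits 4, 5, 6 and 7 all include read.
    case $path in
        *shadow)
            case $have_mode in
                *[4567]) echo "LEAK    $path is world-readable"; status=1 ;;
            esac ;;
    esac
    [ "$status" -eq 0 ] && echo "OK      $path ($have_mode $have_owner)"
    return "$status"
}

# Check all four files; non-zero exit if anything deviates from the defaults.
audit_account_files() {
    rc=0
    check_file /etc/passwd  644 root:root   || rc=1
    check_file /etc/group   644 root:root   || rc=1
    check_file /etc/shadow  640 root:shadow || rc=1
    check_file /etc/gshadow 640 root:shadow || rc=1
    return "$rc"
}

# Only touch the live system when asked, so the functions can also be sourced.
if [ "${1:-}" = "--system" ]; then
    audit_account_files
fi
```

Run it as `sh audit.sh --system`; an exit status of 1 means at least one file has drifted from the defaults the thread recommends keeping.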
secure file permissions
Hello,

Can you tell me what are the default permissions for /etc/group and /etc/passwd ?
I restricted them to rw for root only, but some things like exim (and possibly dpkg ?) seem to need read access there too.
What's recommended ?

(Debian Woody 3.0 r1)

--
mi.