RE: SSH accounts - basic restriction
- From: "Kevin Ross" <kross@xxxxxxxxxxxx>
- Date: Tue, 6 Feb 2007 11:20:48 -0800
Files in /etc are designed to be readable to all processes,including
user processes. For example, /etc/resolv.conf for looking up hosts,explicitly needs
/etc/passwd for user details and so on. Anything which
to be hidden from normal users can have appropriate permissions set,
e.g. /etc/shadow is normally only readable by root.
Below is default debian permission for selected files and catalogs:
drwxr-xr-x 8 root root 4096 2007-02-05 01:46 apache2
drwxr-sr-x 2 root bind 4096 2007-02-05 01:48 bind
-rw-r--r-- 1 root root 677 2006-11-07 03:14 hosts.allow
-rw-r--r-- 1 root root 901 2006-11-07 03:14 hosts.deny
-rw-r--r-- 1 root root 1033 2007-02-05 01:48 passwd
drwxr-xr-x 2 root root 4096 2006-11-07 02:38 ssh
drwxr-xr-x 7 root root 4096 2006-11-07 03:14 network
If change permission
will system work correctly?
Apache2: Apache2 starts up as root, and then changes to the
user and group specified in the config files (default is
www-data:www-data). So, if you change the group owner of
apache2 to www-data (and all the files therein), and remove
world access (chmod o-rwx), apache should still work. No
Bind: I believe the same holds true for bind, but it's been
a long time since I've used it (I use PowerDNS now).
Hosts.allow, hosts.deny: Not sure about those.
Passwd: This needs to be readable by everyone. Despite the name,
there isn't any actual password information in there (it's in
/etc/shadow). But any process that needs to look up user information
will need access. Even doing a simple "ls" command needs access.
Ssh: ssh runs as root, removing world access is probably fine.
Network: It's probably okay to remove world access.
Hope this helps!
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
- Prev by Date: Re: Kernel 2.6.17
- Next by Date: Re: Revive dark photos -- Debian gimp packaging question
- Previous by thread: RE: SSH accounts - basic restriction
- Next by thread: Re: SSH accounts - basic restriction