RE: SSH accounts - basic restriction



Files in /etc are designed to be readable to all processes, including
user processes. For example, /etc/resolv.conf for looking up hosts,
/etc/passwd for user details and so on. Anything which explicitly needs
to be hidden from normal users can have appropriate permissions set,
e.g. /etc/shadow is normally only readable by root.

Below are the default Debian permissions for selected files and directories:

drwxr-xr-x 8 root root 4096 2007-02-05 01:46 apache2
drwxr-sr-x 2 root bind 4096 2007-02-05 01:48 bind
-rw-r--r-- 1 root root 677 2006-11-07 03:14 hosts.allow
-rw-r--r-- 1 root root 901 2006-11-07 03:14 hosts.deny
-rw-r--r-- 1 root root 1033 2007-02-05 01:48 passwd
drwxr-xr-x 2 root root 4096 2006-11-07 02:38 ssh
drwxr-xr-x 7 root root 4096 2006-11-07 03:14 network

If I change the permissions with

chmod o-rwx

will the system still work correctly?

Apache2: Apache2 starts up as root, and then changes to the
user and group specified in the config files (default is
www-data:www-data). So, if you change the group owner of
apache2 to www-data (and all the files therein), and remove
world access (chmod o-rwx), apache should still work. No
guarantees, though.

Bind: I believe the same holds true for bind, but it's been
a long time since I've used it (I use PowerDNS now).

Hosts.allow, hosts.deny: Not sure about those.

Passwd: This needs to be readable by everyone. Despite the name,
there isn't any actual password information in there (it's in
/etc/shadow). But any process that needs to look up user information
will need access. Even doing a simple "ls" command needs access.

Ssh: ssh runs as root, so removing world access is probably fine.

Network: It's probably okay to remove world access.

Hope this helps!
-- Kevin
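As an added example (not part of the thread), a small POSIX shell audit that lets you check Kevin's "no guarantees" point before applying chmod o-rwx: it emulates the kernel's owner/group/other decision from the mode bits alone, so you can ask whether a service user such as www-data could still open its config without switching users. It assumes GNU stat (as on Debian); the paths and user names in the usage comment are the ones from the question.

```shell
#!/bin/sh
# has_perm PATH BIT USER GROUP...   BIT: 4 = read, 1 = execute/search
# Exit 0 if USER (member of the listed GROUPs) has BIT on PATH, 1 if not,
# 2 if PATH cannot be stat'ed. Root always passes, as on a real system.
# Like the kernel, the owner class is decisive: an owner without the bit
# is refused even if "other" has it.
has_perm() {
    path=$1 bit=$2 user=$3
    shift 3
    [ "$user" = root ] && return 0
    mode=$(stat -c '%a' "$path" 2>/dev/null) || return 2
    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    mode=$(printf '%04d' "$mode")   # pad so "640" and "2750" both have 4 digits
    perm=${mode#?}                  # drop the suid/sgid/sticky digit
    u=${perm%??}; rest=${perm#?}; g=${rest%?}; o=${rest#?}
    if [ "$user" = "$owner" ]; then
        bits=$u
    else
        bits=$o
        for grp in "$@"; do
            [ "$grp" = "$group" ] && { bits=$g; break; }
        done
    fi
    [ $((bits & bit)) -ne 0 ]
}

# can_read USER "GROUP GROUP..." PATH
# A daemon needs search (x) on every ancestor directory plus read on the
# file itself; this walks the path from / down and checks both.
can_read() {
    user=$1 groups=$2 target=$3
    case $target in /*) ;; *) target=$PWD/$target ;; esac
    dir=$(dirname "$target")
    while :; do
        has_perm "$dir" 1 "$user" $groups || return 1
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    has_perm "$target" 4 "$user" $groups
}

# Usage for the question above, after
#   chgrp -R www-data /etc/apache2 && chmod -R o-rwx /etc/apache2
#   can_read www-data www-data /etc/apache2/apache2.conf && echo still readable
#   can_read nobody nogroup /etc/apache2/apache2.conf || echo world access gone
```

For /etc/passwd the audit should report readable for every user, which is exactly why that file must keep its world-read bit.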

