Re: security thing
- From: jayjwa@xxxxxxxxxxx
- Date: Wed, 11 Oct 2006 01:26:38 -0000
> There is no reason, why an ordinary user should be able to see and
> possibly change system directories and configuration files.
Change, no. Read, yes. Think when you run an application. Where does
it get its configuration from? Yes, some apps have per-user defaults,
but many don't, and many shouldn't. For example, suppose the sysadmin
wants everyone that uses an app to read from /var/spool/queue-xyz
instead of /var/spool/default-queue (just an example)? Data needs to
be translated, for instance to get human-readable names from the
passwd file so you see names and not numbers. Shell behaviors, time
settings, file saving places, these all need to be read. There is
nothing wrong with reading from the /etc directory, if that's where
you've set up for this purpose.
If you're working with a distro you are limited, but if reading /etc/
bugs you and you are compiling your own linux, then maybe make /etc
root-only and use /usr/etc for user-level configs.
> There is no reason, why users data files should be readable to the
> group or world if she doesn't herself set them so.
There are a few cases where others need to read into your
directory. One is running Apache or other webserver that runs as for
example 'nobody' and wants to run stuff, such as in
~/public_html/. Remove read access and the user's web pages become
inaccessible. Also, although many people no longer use them, finger
daemons work the same way.
Set user's home directories mode 0711. This forbids listing their
contents to see what they contain, but it does allow reading a file
you already know the name of. If the user doesn't want that file read
he should chmod 600 it. If all files should be similar, consider tightening
the umask values. Or, start with chmod -R g-rwx,o-rwx ~/ and then set
specific files you do want readable. There are many solutions.
So,
ls ~/ works,
ls /home/someone-else, doesn't, but
cat /home/someone-else/public_html/index.html does.
I find that setting a proper umask, proper use of 'chmod' and
thoughtful system setup and administering are enough, but if not, linux
has ACLs which provide very fine-grained control of files and such
(probably more than most people want). See http://acl.bestbits.at/ and
look at the getfacl and setfacl commands. (Note you need kernel support,
the user-land tools, and the partition where the ACL-enabled files will
be to be mounted with the acl option set.)
You're (the OP) probably new to linux. I think there is a point in
every new linux'er's experience with the OS where he questions its basic
security, especially if he is coming from an OS where adware,
spyware, viruses, rogue scripts, evil websites, browser exploits,
and worms were a constant threat and a daily worry (e.g., Windows).
The more you learn about linux and what it has to offer, the more
confident you'll likely become in its security design. And if you
don't, well, this is linux: you can change it, modify it, do what
you like with it. The new kernels allow you to select different
security modules, and then there's things like SELinux.
> Somebody said there is no virus for Linux.
There certainly are, a decent number. You can find both their source
and binaries by Google. They don't do so well nor have anywhere near
the same impact on the system as in MS Windows due to several points:
1. linux was designed as a multi-user system, based on unix, where
security was needed from day one, not tacked on to what started as a
single user disk operating system as an afterthought.
2. linux doesn't allow users to write to binary/executable system
files, something that really hurts virus propagation. Areas of the
file system that contain executable data can be made read-only and
writable areas can be marked no-exec.
3. linux was designed to serve the user, not second-guess him by
auto-running things nor the OS enabling parts of itself. Thus you
won't have your linux news reader executing Perl scripts by default
nor your linux pdf reader trying to connect to and talk with the
Internet.
4. although we say "linux", there are really a lot of "linux": a Solaris
is way different than a Debian, or a RedHat, or a Slackware or those
from each other. Then consider linux runs on many platforms and
different processors. Viruses need to know (be programmed for) the
layout of their host, or be limited to only one host they do know.
> What is anyway the difference between a modern virus and manual attack
> against your walls - both try to take hold of your property. )
A virus is a fully-automated self-replicating computer program or
segment of code, a manual attack has a human sitting behind it and
thus is much more formidable, as it possesses the ability to think,
reason, and react to your actions.
--
One of these kids is not like the other; Three of
these kids are kinda the same; Can you guess which
kid is doing his own thing? Now it's time to play
our game; it's time to play our game...
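
The home-directory layout described in the message above (0711 on the home directory, group/other access stripped, selected files re-opened), as an added example that is not part of the original post. The function names are hypothetical, the `o+rX` on `public_html` is an assumption about what the web server needs, and the checks look only at mode bits from the home directory downward (no ACLs, no parent directories).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the post.

# True if PATH has all permission bits in MASK set (e.g. 004 = other-read).
has_bits() { [ -n "$(find "$1" -prune -perm "-$2")" ]; }

# Strip group/other access from the whole tree, make the home directory 0711,
# then re-open public_html for a web server running as another user.
# Assumption: o+rX on public_html is the access the web server needs.
harden_home() {
    chmod -R g-rwx,o-rwx "$1"
    chmod 0711 "$1"
    if [ -d "$1/public_html" ]; then chmod -R o+rX "$1/public_html"; fi
}

# Can "other" list the names inside DIR? Needs the read bit on the directory.
other_can_list() { has_bits "$1" 004; }

# Can "other" read FILE by its known name? Needs read on the file and
# search (x) on every directory from the file's parent up to HOME.
other_can_read() {
    file=$1 top=$2
    has_bits "$file" 004 || return 1
    dir=$(dirname "$file")
    while has_bits "$dir" 001; do
        [ "$dir" = "$top" ] && return 0
        case $dir in /|.) return 1 ;; esac
        dir=$(dirname "$dir")
    done
    return 1
}

# Demo on a constructed tree (sample data, created under a temp directory).
demo() {
    h=$(mktemp -d)/alice
    mkdir -p "$h/public_html"
    echo page > "$h/public_html/index.html"
    echo todo > "$h/notes.txt"
    harden_home "$h"
    for f in "$h/public_html/index.html" "$h/notes.txt"; do
        if other_can_read "$f" "$h"; then echo "readable: $f"; else echo "private:  $f"; fi
    done
    if other_can_list "$h"; then echo "listable: $h"; else echo "unlistable: $h"; fi
}
demo
```
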