Date: Thu, 07 Jan 2010 16:22:05 -0500 From: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> To: APseudoUtopia <apseudoutopia@gmail.com> Cc: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: Security Hardening: Removing Permissions; Suggestions Message-ID: <44fx6hhapu.fsf@be-well.ilk.org> In-Reply-To: <27ade5281001071109m66eb5f83j6042ba5a19c3b443@mail.gmail.com> (apseudoutopia@gmail.com's message of "Thu, 7 Jan 2010 14:09:29 -0500") References: <27ade5281001071109m66eb5f83j6042ba5a19c3b443@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
APseudoUtopia <apseudoutopia@gmail.com> writes: > Hey list, > > I'm working on a shell script that basically removes the group and the > other permissions from certain files to harden my system. Right now, > the only files I'm doing this on is the GCC compiler collection. I'm > asking for suggestions on other files that these permissions can be > removed from in order to help further secure the system (a headless db > and web server). > > $CHMOD o=,g= /usr/bin/cc > $CHMOD o=,g= /usr/bin/cpp > $CHMOD o=,g= /usr/bin/gcov > $CHMOD o=,g= /usr/bin/ld > $CHMOD o=,g= /usr/bin/gdb > $CHMOD o=,g= /usr/bin/c++ This kind of approach hardly ever makes sense any more. Unless you've got a really good reason, putting the daemons and untrusted users into jails (not even necessarily the same jails) is almost certainly going to give you all the advantages you could get out of blocking off applications one at a time. The jails don't need compilers in the first place. Disabling the compiler is pretty much useless if the web server's users are going to be allowed to copy their own files onto the machine anyway. -- Lowell Gilbert, embedded/networking software engineer, Boston area http://be-well.ilk.org/~lowell/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44fx6hhapu.fsf>