Date: Thu, 17 Dec 1998 01:15:23 -0500 (EST)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: grog@lemis.com (Greg Lehey)
Cc: mikey@iexpress.net.au, freebsd-questions@FreeBSD.ORG
Subject: Re: Basic Security Question
Message-ID: <199812170615.BAA15617@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <19981217140544.Z486@freebie.lemis.com> from Greg Lehey at "Dec 17, 98 02:05:44 pm"

Greg Lehey wrote,
> On Thursday, 17 December 1998 at 11:11:14 +0800, Michael Slater wrote:
> > Hello,
> > This might seem like a pretty basic question to most on this list but
> > here goes.. My boss, a non UNIX person, has directed me to make the /etc
> > directory readable only by root.. He ignores my argument that this is
> > not a good thing and claims that FreeBSD must be very insecure if this is
> > the case. Can someone explain in simple terms what the permissions should
> > be for the /etc directory, and why it is not a good idea to make it
> > readable only by root. His assumption is that a "good" commercial grade
> > system such as Solaris, or BSDI would never allow this..
>
> Interesting question. In fact, there isn't much in /etc that needs to
> be user-readable.

*eep!!!* Now, Greg... I really respect you... but stop and think
besides some very important ones you pointed out...

/etc/profile
/etc/csh.cshrc
/etc/hosts
/etc/motd
.
.
.

Think of the number of executables that run without a setuid that have
a /etc/<something> file that does some configurations.

There are some steps you should take in securing the /etc
directory. Actually, a very good primer on /etc security is in
Costales's sendmail bible in the 'Security' chapter. (_sendmail_,
Costales, B. with Allman, E., and Rickert, N., O'Reilly & Associates,
Inc., 1994).

You can set permissions on individual files appropriately. Make sure
/etc is 755 and owned by root (make sure / is 755 as well) with no
sticky bits.
--
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199812170615.BAA15617>
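
The check recommended in the message above (/ and /etc at mode 755, owned by root, no sticky bit), as an added example that is not part of the original e-mail. The function names are hypothetical, and the scan for group- or world-writable files is an assumed reading of "set permissions on individual files appropriately".

```sh
#!/bin/sh
# Added example, not from the original e-mail. Function names are hypothetical.

# check_dir DIR [UID]: succeed only if DIR is a directory owned by UID
# (default 0 = root) with mode exactly 755 and no sticky/setuid/setgid bit.
check_dir() {
    cd_path=$1
    cd_want=${2:-0}
    if [ ! -d "$cd_path" ]; then
        echo "FAIL $cd_path: not a directory"
        return 1
    fi
    # ls -ldn works on both BSD and GNU userlands; -n prints the numeric uid.
    # Keep 10 mode characters so a trailing ACL marker (+, ., @) is ignored.
    cd_info=$(ls -ldn "$cd_path" | awk '{ print substr($1, 1, 10), $3 }')
    cd_mode=${cd_info% *}
    cd_uid=${cd_info#* }
    cd_rc=0
    if [ "$cd_mode" != "drwxr-xr-x" ]; then
        # A sticky bit shows as t/T in the last position, setuid/setgid as s/S.
        echo "FAIL $cd_path: mode $cd_mode, want drwxr-xr-x (755)"
        cd_rc=1
    fi
    if [ "$cd_uid" != "$cd_want" ]; then
        echo "FAIL $cd_path: owner uid $cd_uid, want $cd_want"
        cd_rc=1
    fi
    [ "$cd_rc" -ne 0 ] || echo "OK   $cd_path"
    return "$cd_rc"
}

# loose_files DIR: list regular files under DIR writable by group or others.
# Assumed check: the message only says to set file permissions "appropriately".
loose_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# audit: the two directories named in the message, then a scan of /etc.
audit() {
    au_rc=0
    check_dir / || au_rc=1
    check_dir /etc || au_rc=1
    loose_files /etc | sed 's/^/WARN writable by group or others: /'
    return "$au_rc"
}

# Run the audit only when asked, e.g.: sh etc-audit.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

The exit status is non-zero when either directory fails the check, so the script can be run from cron or a periodic job.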