From: "Crist J. Clark"
Reply-To: cjclark@home.com
To: grog@lemis.com (Greg Lehey)
Cc: mikey@iexpress.net.au, freebsd-questions@FreeBSD.ORG
Date: Thu, 17 Dec 1998 01:15:23 -0500 (EST)
Subject: Re: Basic Security Question
Message-Id: <199812170615.BAA15617@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <19981217140544.Z486@freebie.lemis.com> from Greg Lehey at "Dec 17, 98 02:05:44 pm"

Greg Lehey wrote,
> On Thursday, 17 December 1998 at 11:11:14 +0800, Michael Slater wrote:
> > Hello,
> > This might seem like a pretty basic question to most on this list but
> > here goes.. My boss, a non-UNIX person, has directed me to make the /etc
> > directory readable only by root. He ignores my argument that this is
> > not a good thing and claims that FreeBSD must be very insecure if this is
> > the case. Can someone explain in simple terms what the permissions should
> > be for the /etc directory, and why it is not a good idea to make it
> > readable only by root. His assumption is that a "good" commercial grade
> > system such as Solaris, or BSDI would never allow this..
>
> Interesting question.
> In fact, there isn't much in /etc that needs to
> be user-readable.

*eep!!!*

Now, Greg... I really respect you... but stop and think. Besides some very
important ones you pointed out...

/etc/profile
/etc/csh.cshrc
/etc/hosts
/etc/motd
.
.
.

Think of the number of executables that run without a setuid that have a
/etc/ file that does some configuration.

There are some steps you should take in securing the /etc directory.
Actually, a very good primer on /etc security is in Costales's sendmail
bible in the 'Security' chapter. (_sendmail_, Costales, B. with Allman, E.,
and Rickert, N., O'Reilly & Associates, Inc., 1994). You can set permissions
on individual files appropriately. Make sure /etc is 755 and owned by root
(make sure / is 755 as well) with no sticky bits.

--
Crist J. Clark
cjclark@home.com
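The advice at the end of the reply (/etc and / at 755, owned by root, no sticky bit, individual files locked down instead of the whole directory) is easy to turn into a check. The script below is an added example, not code from the original thread or from the FreeBSD project; the function names (mode_of, owner_of, check_dir, audit_etc) are this example's own, and it assumes only POSIX ls(1), find(1), awk(1), sed(1) and dirname(1). It deliberately does not treat world-readable files as a problem, for exactly the reason the reply gives: non-setuid programs have to be able to read their configuration in /etc. It does flag anything below the directory that is writable by group or other, or not owned by root, because tampering rather than reading is the risk there.

```shell
#!/bin/sh
# audit_etc.sh -- added example, not code from the original thread.
# Checks a configuration directory against the advice in the reply above:
#   * the directory itself and its parent are mode 0755, owned by root,
#     with no sticky bit;
#   * nothing below it is writable by group or other;
#   * nothing below it is owned by anyone but root.
# World-readable is deliberately NOT a finding: many programs that run
# without setuid (shells reading /etc/profile and /etc/csh.cshrc, the
# resolver reading /etc/hosts, login printing /etc/motd) have to read
# their files in /etc. Lock down individual files (master.passwd and
# friends) instead of the whole directory.
# The function and variable names are this example's own; the only tools
# used are POSIX ls(1), find(1), awk(1), sed(1) and dirname(1).

# First ten characters of the ls mode field, e.g. "drwxr-xr-x". Cutting at
# ten characters drops the "+" or "." GNU ls appends for ACLs/SELinux, so
# the same comparison works with GNU and BSD ls.
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# Owner name as ls -l prints it (third field).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_dir DIR OWNER: exact mode 0755 (no sticky bit) and the expected
# owner. Prints one line per finding, nothing when the directory is fine.
check_dir() {
    m=$(mode_of "$1")
    o=$(owner_of "$1")
    case "$m" in
        drwxr-xr-x)    ;;   # exactly 0755, no sticky bit: fine
        d????????[tT]) echo "$1: sticky bit set ($m)" ;;
        *)             echo "$1: mode is $m, expected drwxr-xr-x (0755)" ;;
    esac
    [ "$o" = "$2" ] || echo "$1: owned by $o, expected $2"
}

# audit_etc DIR [OWNER]: audit DIR, its parent ("make sure / is 755 as
# well") and everything below it. OWNER defaults to root; it is a
# parameter so the check can be run on a scratch tree owned by someone
# else. Prints the findings and returns 1 if there are any, 0 when clean.
audit_etc() {
    dir=${1:-/etc}
    want=${2:-root}
    findings=$(
        check_dir "$dir" "$want"
        check_dir "$(dirname "$dir")" "$want"
        # Tampering, not reading, is the risk: flag anything group/other
        # writable (symlink modes are meaningless, so skip them)...
        find "$dir" ! -type l \( -perm -0002 -o -perm -0020 \) -print |
            sed 's/$/: writable by group or other/'
        # ...and anything a non-root account owns, since that owner can
        # chmod it back at will.
        find "$dir" ! -user "$want" -print |
            sed "s/\$/: not owned by $want/"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against a real tree when given an argument:  sh audit_etc.sh /etc
if [ $# -gt 0 ]; then
    audit_etc "$1" "${2:-root}"
fi
```

Running `sh audit_etc.sh /etc` on a host prints one line per finding and exits non-zero if there were any, which makes it usable from a cron job or a post-install check. Note that a finding on a file is a prompt to look at that file's permissions, not an instruction to tighten the whole directory.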