From: richard childers / kg6hac
Date: Fri, 05 Sep 2003 12:16:35 -0700
To: freebsd-security@freebsd.org
Subject: re: world read permissions on system level files
Message-ID: <3F58E113.10509@pacbell.net>

From: "Biyala, Urvi"

> I need to trim the world read permissions from the system sensitive files. I know that it would be safe to trim the permissions from many of the configuration files in /etc. But I was not sure if I could safely tighten the permissions from other system files. Does anyone know of any documentation on this? Or can anyone tell me if it is safe to trim world read permissions from the system files?

This needs to be done on an application-by-application, file-by-file basis. There is a spectrum of possibilities.

For instance, there is no need for files read during boot to be world-readable; it is the root that is carrying out all of the operations, starting the system.

At the other end of the spectrum, if you disable world-readability from /etc/passwd, your shell cannot determine its home directory, and problems will ensue.

If this is consequent to BofA's layoff and replacement of their entire IT infrastructure, I would definitely recommend something along the following lines:

    find /etc -type f -exec chmod 0000 {} \;

This will maximize security, at the expense of some inconvenience.

Drily,

-- richard

Richard Childers / (415) 759-5571
Senior Engineer / Daemonized Networking Services
https://www.daemonized.com
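
Added example, not part of the original message: a dry-run audit for the file-by-file approach described in the reply. It lists world-readable regular files under a directory, marks files on a keep-list as KEEP and everything else as REVIEW, and prints (never runs) the corresponding chmod o-r commands. The function names and the KEEP_WORLD_READABLE variable are assumptions of this example; only passwd is named in the thread as needing to stay world-readable.

```shell
#!/bin/sh
# Added example: audit world-readable files before tightening permissions.
# Nothing here changes a file mode; the output is a plan for a human to review.

# Assumed, site-specific keep-list of paths relative to the audited root.
# The thread names only passwd; extend it after checking which unprivileged
# programs read each file.
KEEP_WORLD_READABLE="${KEEP_WORLD_READABLE:-passwd}"

# audit_world_read ROOT
# Prints one line per world-readable regular file under ROOT:
#   KEEP <path>     on the keep-list, leave world-readable
#   REVIEW <path>   candidate for removing the world-read bit
# Paths containing newlines are not supported.
audit_world_read() {
    root=${1%/}
    find "$root" -type f -perm -004 -print | LC_ALL=C sort |
    while IFS= read -r path; do
        rel=${path#"$root"/}
        verdict=REVIEW
        for keep in $KEEP_WORLD_READABLE; do
            if [ "$rel" = "$keep" ]; then
                verdict=KEEP
            fi
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}

# tighten_plan ROOT
# Prints the chmod commands for REVIEW entries only, as a dry run.
tighten_plan() {
    audit_world_read "$1" | while IFS=' ' read -r verdict path; do
        if [ "$verdict" = REVIEW ]; then
            printf 'chmod o-r -- %s\n' "$path"
        fi
    done
}
```

Run `audit_world_read /etc` first, move anything unprivileged programs depend on into the keep-list, and only then act on the output of `tighten_plan /etc`.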