From owner-freebsd-security Thu Dec 13 9:37:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cithaeron.argolis.org (bgm-66-67-16-161.stny.rr.com [66.67.16.161]) by hub.freebsd.org (Postfix) with ESMTP id A822437B41A for ; Thu, 13 Dec 2001 09:37:45 -0800 (PST)
Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.6/8.11.4) with ESMTP id fBDHaI149300; Thu, 13 Dec 2001 12:36:18 -0500 (EST) (envelope-from piechota@argolis.org)
X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs
Date: Thu, 13 Dec 2001 12:36:18 -0500 (EST)
From: Matt Piechota
To: Haikal Saadh
Cc:
Subject: Re: /etc/permissions
In-Reply-To: <001701c183f7$da9170d0$69c801ca@warhawk>
Message-ID: <20011213123158.R49226-100000@cithaeron.argolis.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, 13 Dec 2001, Haikal Saadh wrote:

> I just ran tiger on a 4.4R box today, and it mentioned that most of the
> files in /etc have perms that shouldn't be there... likewise, AusCERT's
> unix security checklist recommended removing world read perms from quite
> a few files. Have the permissions been overlooked, or is there some
> design issue that I've missed out on? Common sense dictates that the
> files in /etc/ should only be root accessible, right?

Not really. If I run 'ls -l', ls needs to be able to read passwd to match
the uids on the inodes to usernames. If I can't read the file normally,
ls (running as me) won't be able to either. I'd imagine there are some
things that could go without people being able to read them, but to me
that's just security by obscurity, and doesn't really buy much. Except
making it harder to do system maintenance without being logged in as root.
-- 
Matt Piechota

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
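The uid-to-name lookup Matt describes, as an added example that is not part of the original thread: it parses a constructed passwd-format table the way an unprivileged ls would, falls back to the bare numeric uid when no entry matches, and audits a small constructed mode policy in which the files that lookup reads must stay world-readable while the hash file must not (the passwd/master.passwd split is FreeBSD's convention; the sample entries and the alice account are made up for this example).

```python
import stat

# Constructed sample in /etc/passwd format (name:pw:uid:gid:gecos:home:shell);
# not taken from any real system.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
"""

def parse_passwd(text):
    """Return {uid: login} from passwd-format text, skipping blank and comment lines."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        table[int(fields[2])] = fields[0]
    return table

def owner_name(uid, table):
    """Owner column of ls -l: the login if the uid resolves, otherwise the bare uid."""
    return table.get(uid, str(uid))

# Mode policy for the files the lookup touches. Constructed for this example, but
# it follows the FreeBSD split: the public half is world-readable, the hashes are not.
POLICY = {
    "/etc/passwd": 0o644,         # read by every uid-to-name lookup
    "/etc/group": 0o644,          # same for gid-to-name
    "/etc/master.passwd": 0o600,  # holds the password hashes; root only
}

def audit(observed):
    """Compare observed {path: st_mode} with POLICY; return a list of (path, problem)."""
    findings = []
    for path, expected in POLICY.items():
        mode = observed.get(path)
        if mode is None:
            findings.append((path, "missing"))
            continue
        perm = stat.S_IMODE(mode)
        if expected & stat.S_IROTH and not perm & stat.S_IROTH:
            findings.append((path, "not world-readable; unprivileged lookups will fail"))
        elif not expected & stat.S_IROTH and perm & (stat.S_IROTH | stat.S_IRGRP):
            findings.append((path, "readable by non-root; exposes password hashes"))
    return findings
```

To check a live /etc, feed audit() the st_mode values from os.stat(path).st_mode for each path in POLICY.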