world read permissions on system level files

richard childers / kg6hac fscked at pacbell.net
Fri Sep 5 12:16:37 PDT 2003


From: "Biyala, Urvi" <Urvi.Biyala at bankofamerica.com>

>I need to trim the world read permissions from the system sensitive files. I know that it would be safe to trim the permissions from many of the configuration files in /etc. But I was not sure if I could safely tighten the permissions from other system files. Does anyone know of any documentation on this? Or can anyone tell me if it is safe to trim world read permissions from the system files?
>

This needs to be done on an application-by-application, file-by-file basis.

There is a spectrum of possibilities.

For instance, there is no need for files read during boot to be 
world-readable; it is the root that is carrying out all of the 
operations, starting the system.

At the other end of the spectrum, if you disable world-readability from 
/etc/passwd, your shell cannot determine its home directory, and 
problems will ensue.

If this is consequent to BofA's layoff and replacement of their entire 
IT infrastructure, I would definitely recommend something along the 
following lines:

    find /etc -type f -exec chmod 0000 {} \;

This will maximize security, at the expense of some inconvenience.


Drily,


-- richard

Richard Childers / (415) 759-5571
Senior Engineer / Daemonized Networking Services
https://www.daemonized.com
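
One way to carry out the file-by-file review described in the reply above, as an added example that is not part of the original message: it lists world-readable regular files under a directory and marks each KEEP or TRIM against a keep-list, changing nothing unless asked. The names KEEP_LIST, APPLY, must_keep and audit_world_read are hypothetical, and the default keep-list holds only /etc/passwd, the one file the message names.

```shell
#!/bin/sh
# Added example: inventory world-readable files for file-by-file review.
# Dry run by default; modes are changed only when APPLY=1 is set.

# Space-separated full paths that must stay world-readable (assumption:
# extend per application after testing; paths may not contain spaces).
KEEP_LIST="${KEEP_LIST:-/etc/passwd}"

# must_keep PATH: succeeds if PATH is on the keep-list.
must_keep() {
    for k in $KEEP_LIST; do
        if [ "$1" = "$k" ]; then
            return 0
        fi
    done
    return 1
}

# audit_world_read DIR: print "KEEP path" or "TRIM path" for every regular
# file under DIR that has the other-read bit set. With APPLY=1, also remove
# only that bit (o-r) from TRIM files, leaving owner and group bits alone.
audit_world_read() {
    find "$1" -type f -perm -0004 -print | sort | while IFS= read -r f; do
        if must_keep "$f"; then
            echo "KEEP $f"
        else
            echo "TRIM $f"
            if [ "${APPLY:-0}" = "1" ]; then
                chmod o-r "$f"
            fi
        fi
    done
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_world_read "$1"
fi
```

Review the dry-run output and grow the keep-list before setting APPLY=1, and check that each affected service still starts afterwards.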





More information about the freebsd-security mailing list