Security Hardening: Removing Permissions; Suggestions

Lowell Gilbert freebsd-questions-local at
Thu Jan 7 21:22:07 UTC 2010

APseudoUtopia <apseudoutopia at> writes:

> Hey list,
> I'm working on a shell script that basically removes the group and the
> other permissions from certain files to harden my system. Right now,
> the only files I'm doing this on is the GCC compiler collection. I'm
> asking for suggestions on other files that these permissions can be
> removed from in order to help further secure the system (a headless db
> and web server).
> $CHMOD o=,g= /usr/bin/cc
> $CHMOD o=,g= /usr/bin/cpp
> $CHMOD o=,g= /usr/bin/gcov
> $CHMOD o=,g= /usr/bin/ld
> $CHMOD o=,g= /usr/bin/gdb
> $CHMOD o=,g= /usr/bin/c++

This kind of approach hardly ever makes sense any more.  Unless you've
got a really good reason, putting the daemons and untrusted users into
jails (not even necessarily the same jails) is almost certainly going to
give you all the advantages you could get out of blocking off
applications one at a time.  The jails don't need compilers in the first
place.  Disabling the compiler is pretty much useless if the web
server's users are going to be allowed to copy their own files onto the
machine anyway.

Lowell Gilbert, embedded/networking software engineer, Boston area

More information about the freebsd-questions mailing list