any reason for world readable files?

Red Squirrel

I noticed by default a lot of configuration files such as DNS zones are world readable (not writable). Is there a reason for this, or would I be safe to put them to 770 (owned by app:app) where app is the user/group of the application in question, so like in the case of DNS it would be named:named. Then if I want to give another user such as myself access I can just add to named group.

Also am I safe to chmod 700 most binaries? (like telnet, ssh, ping, g++ etc) If I give someone access to my server I want them to have very limited commands.

Am I on the right track or should I just leave it?
Just looking to lock down everything possible.
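An added example (not part of the original post) of the owner-and-group-only setup asked about above: it audits a directory for world-readable files and then tightens it. The directory layout is constructed; note that 770 on a plain file also sets execute bits, so the symbolic mode used here yields 640 for files and 750 for directories instead.

```shell
#!/bin/sh
# Added example; the directory and file names below are constructed.

# List regular files under $1 that any local user can read.
world_readable() {
    find "$1" -type f -perm -0004 -print | sort
}

# Print the ls-style mode string of $1, e.g. -rw-r----- or drwxr-x---.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Restrict everything under $1 to owner and group, no access for "other".
# X sets execute only on directories (and files that are already
# executable), so zone files end up 640 and directories 750.
# Ownership (e.g. chown -R named:named) needs root and is left out here.
restrict_to_group() {
    chmod -R u=rwX,g=rX,o= "$1"
}

# Build a throwaway tree that mimics default permissions, then audit it
# before and after tightening.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/zones"
    printf '$TTL 3600\n' > "$d/zones/example.test.zone"
    printf 'options { directory "zones"; };\n' > "$d/named.conf"
    chmod 755 "$d" "$d/zones"
    chmod 644 "$d/zones/example.test.zone" "$d/named.conf"

    echo "world-readable before:"
    world_readable "$d"
    restrict_to_group "$d"
    echo "world-readable after:"
    world_readable "$d"
    echo "zones dir:  $(mode_of "$d/zones")"
    echo "named.conf: $(mode_of "$d/named.conf")"
    rm -rf "$d"
}

demo
```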
 

degibson

You can hang yourself pretty easily by chmod'ing the wrong binaries. Certain system users (e.g. sys) might be affected, depending on your distro. Proceed with caution.
 

Red Squirrel

That's good to know, guess I should maybe not play with it. Is there a list somewhere by any chance that shows which binaries it would be safe to do this to?

My guess is stuff like g++, ssh, ping would be safe, but there may be others that are called up by other programs. What I'd like to do is set up su and sudo in a way that only 1 user can actually use it. That would be trickier though, guess I can make it owned by a certain group then just put my account in that group and chmod it 760.
 

QED

If you are really paranoid about security, a better option than blindly changing file permissions everywhere is to set up a "chroot" jail for your users and insecure applications (such as Apache, sendmail, etc).

More info on setting up a chroot jail is here:
http://www.cyberciti.biz/tips/...chroot-jail-setup.html

Essentially, every user is set up with their own miniature version of the Linux filesystem--out of which they cannot escape. Hence, they cannot access files outside of their own directory, and the only binaries they can execute are the ones you explicitly place in their jail for them.
 

Nothinman

What I'd like to do is set up su and sudo in a way that only 1 user can actually use it. That would be trickier though, guess I can make it owned by a certain group then just put my account in that group and chmod it 760.

su and sudo can both be set up to only allow users in certain groups to use them without any messing with permissions, I even believe sudo is like that by default. Technically people will still be able to run the binary so if an exploit in the early parts of the code is found that might be an issue but that's going to be an issue with most setuid things on a system.
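An added example (not part of the thread) of checking the group-based restriction described above: one function tests whether a PAM `su` file has an active `pam_wheel.so` line, another lists who a sudoers-style file grants rules to beyond root and one group. The sample file contents are constructed, and the sudoers reader is a simplification that looks only at the first field of each rule and ignores line continuations and aliases.

```shell
#!/bin/sh
# Added example; the sample file contents below are constructed.

# Succeed if PAM file $1 has an active (uncommented) pam_wheel line,
# meaning su is limited to members of one group.
su_requires_group() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Print the user or %group named at the start of each rule in $1.
# Simplified: skips blank, comment, include, Defaults and alias lines.
sudo_principals() {
    awk '
        NF == 0          { next }
        $1 ~ /^[#@]/     { next }
        $1 ~ /^Defaults/ { next }
        $1 ~ /_Alias$/   { next }
        { print $1 }
    ' "$1" | sort -u
}

# Print principals in $1 other than root and the group named in $2.
sudo_extra_principals() {
    sudo_principals "$1" | grep -v -x -e root -e "%$2" || true
}

demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/su" <<'EOF'
auth sufficient pam_rootok.so
auth required   pam_wheel.so use_uid
EOF
    cat > "$d/sudoers" <<'EOF'
# constructed sample
Defaults env_reset
root   ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
bob    ALL=(ALL) ALL
EOF
    if su_requires_group "$d/su"; then echo "su: group-restricted"; fi
    echo "sudo rules outside root/%wheel: $(sudo_extra_principals "$d/sudoers" wheel)"
    rm -rf "$d"
}

demo
```

On a live system, `visudo -c` validates the real sudoers syntax and `sudo -l -U user` shows what a given account is actually allowed to run.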
 

Brazen

Originally posted by: Nothinman
What I'd like to do is set up su and sudo in a way that only 1 user can actually use it. That would be trickier though, guess I can make it owned by a certain group then just put my account in that group and chmod it 760.

su and sudo can both be set up to only allow users in certain groups to use them without any messing with permissions, I even believe sudo is like that by default. Technically people will still be able to run the binary so if an exploit in the early parts of the code is found that might be an issue but that's going to be an issue with most setuid things on a system.

But sudo only deals with running programs with root privileges. I get the impression that RedSquirrel even wants to limit what users run even with user privileges. Sudo and the sudoers file (editable with 'visudo') is what you want if you want to limit root-level access, but a chroot jail is probably what you want to restrict everything that users have access to and only allow what is included in the chroot.
 

Nothinman

But sudo only deals with running programs with root privileges. I get the impression that RedSquirrel even wants to limit what users run even with user privileges.

Yea and that's a pretty pointless goal. If someone with shell access really wants local root access they will eventually get it unless you do something extreme like a solid SELinux policy.

but a chroot jail is probably what you want to restrict everything that users have access to and only allow what is included in the chroot.

It's also possible to break out of a chroot once you have root access, if you really want to reliably restrict them then don't give them an account.
 

Chiropteran

Originally posted by: Nothinman
But sudo only deals with running programs with root privileges. I get the impression that RedSquirrel even wants to limit what users run even with user privileges.

Yea and that's a pretty pointless goal. If someone with shell access really wants local root access they will eventually get it unless you do something extreme like a solid SELinux policy.


Huh? Are you saying there are unpatched exploits on every unix system to allow arbitrary users root access?
 

Nothinman

Huh? Are you saying there are unpatched exploits on every unix system to allow arbitrary users root access?

Sure. There will always be bugs and some of them will allow privilege escalation, it just depends on who finds them first.
 

degibson

Originally posted by: Nothinman
Huh? Are you saying there are unpatched exploits on every unix system to allow arbitrary users root access?

Sure. There will always be bugs and some of them will allow privilege escalation, it just depends on who finds them first.

I agree. It is only a matter of time -- that many LOCs will never be 'correct'. ;)

Edit: Stupid similicons...