Subject: Re: permissions & rc.conf
To: None <>
From: Jan Danielsson <>
List: netbsd-users
Date: 08/23/2005 15:46:29

Geert Hendrickx wrote:
>>>   I would like to store some sensitive information in rc.conf (login
>>>information) which should not be readable by anyone but root:wheel. I
>>>noticed that rc.conf has rx set for everyone. Is this required, or can I
>>>clear them without breaking something?
>>Try & see. ;-)
>>As an alternative, you can put the config for your service into
>>/etc/rc.onf.d/myservice, and chmod that mode 700.
> Make that /etc/rc.conf/d/myservice and it might work. ;-)  
> As an alternative, since rc.conf is parsed as a shell script, you could
> make it include other files with stricter permissions, and keep your
> rc.conf permissions as they were.  
> But actually I think you can safely lower the permissions of rc.conf
> itself, as only init should be able to read it (correct me if I'm wrong?).  
> Try it and tell us. :-)  

"Better living through reckless experimentation". :-)

   Although the "Hmm.. I wonder what happens if .."-philosophy does
normally appeal to me, I'm too new to NetBSD to know that I can recover
it, should it give me a cryptic message during boot. I'll try to play it
safe for a few more days...

Via email, I got the tip to add:

if [ -r /etc/rc.private ] ; then
  . /etc/rc.private
fi

to rc.conf, and to protect rc.private with proper permissions.
(Which is essentially the tip you just gave, so: Thanks! :-)

   On a more security related note: Why is it that most files in /etc
are readable by everyone by default? Files like rc.conf are only of
interest to init/root, right? If so, why aren't they more restricted by

Kind Regards,
Jan Danielsson
Te audire no possum. Musa sapientum fixa est in aure.
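
Added example, not part of the original message: a stricter form of the rc.private include discussed above, which sources the file only when its owner and mode are what was intended. The function names private_file_ok and source_private are hypothetical, and the optional second argument (expected owner uid, default 0 for root) is an assumption added so the check can be exercised as a non-root user.

```shell
#!/bin/sh
# Added example (hypothetical helper names): guard for a private include
# file pulled in from rc.conf, which is itself parsed as a shell script.

# private_file_ok FILE [UID]
# Succeeds only if FILE is a regular file (not a symlink), is owned by
# UID (default 0, root) and has no group or other permission bits set.
private_file_ok() {
    pf_file=$1
    pf_uid=${2:-0}
    [ -f "$pf_file" ] || return 1
    [ ! -h "$pf_file" ] || return 1
    # ls -ldn prints "mode links uid gid ..."; -n keeps the uid numeric.
    pf_info=$(ls -ldn "$pf_file") || return 1
    read -r pf_mode pf_links pf_owner pf_rest <<EOF
$pf_info
EOF
    [ "$pf_owner" = "$pf_uid" ] || return 1
    case $pf_mode in
        -???------*) return 0 ;;   # e.g. -rw------- (600) or -r-------- (400)
        *)           return 1 ;;   # some group/other bit is set
    esac
}

# source_private FILE [UID]
# Sources FILE if it passes the check, otherwise complains and fails.
source_private() {
    if private_file_ok "$1" "${2:-0}"; then
        . "$1"
    else
        echo "refusing to source $1: wrong type, owner or mode" >&2
        return 1
    fi
}

# In rc.conf this would replace the plain "-r" test, for example:
#   source_private /etc/rc.private
```

The check only covers the file itself; the directory holding it must also be writable by root alone, otherwise the file can be swapped between the check and the include.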
