Subject: Re: permissions & rc.conf
To: None <netbsd-users@netbsd.org>
From: Jan Danielsson <jan.danielsson@gmail.com>
List: netbsd-users
Date: 08/23/2005 15:46:29

Geert Hendrickx wrote:
>>>   I would like to store some sensitive information in rc.conf (login
>>>information) which should not be readable by anyone but root:wheel. I
>>>noticed that rc.conf has rx set for everyone. Is this required, or can I
>>>clear them without breaking something?
>>
>>Try & see. ;-)
>>As an alternative, you can put the config for yourservice into 
>>/etc/rc.onf.d/myservice, and chmod that mode 700.
> 
> Make that /etc/rc.conf/d/myservice and it might work. ;-)  
> 
> As an alternative, since rc.conf is parsed as a shell script, you could
> make it include other files with stricter permissions, and keep your
> rc.conf permissions as they were.  
> 
> But actually I think you can safely lower the permissions of rc.conf
> itself, as only init should be able to read it (correct me if I'm wrong?).  
> 
> Try it and tell us. :-)  

"Better living through reckless experimentation". :-)

   Although the "Hmm.. I wonder what happens if .."-philosophy does
normally appeal to me, I'm too new to NetBSD to know that I can recover
it, should it give me a cryptic message during boot. I'll try to play it
safe for a few more days...

Via email, I got the tip to add:

if [ -r /etc/rc.private ] ; then
  . /etc/rc.private
fi

   ...to rc.conf, and to protect rc.private with proper permissions.
(Which is essentially the tip you just gave, so: Thanks! :-)

   On a more security related note: Why is it that most files in /etc
are readable by everyone by default? Files like rc.conf are only of
interest to init/root, right? If so, why aren't they more restricted by
default?

-- 
Kind Regards,
Jan Danielsson
Te audire no possum. Musa sapientum fixa est in aure.
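The include pattern discussed above, worked through as an added example that is not part of any message in this thread. It runs in a scratch directory standing in for /etc, the credential values are constructed, and the owner_only_readable and load_private helpers are additions of mine, not anything in NetBSD's rc scripts: the world-readable rc.conf keeps only the include stanza, the secrets live in a file readable by its owner alone, and the include is refused when that file turns out to be group- or world-readable.

```shell
#!/bin/sh
# Added example, not code from the thread or from NetBSD's rc scripts.
# Demonstrates the "rc.conf sources a restricted rc.private" pattern in a
# scratch directory standing in for /etc, plus a check that refuses the
# private file when its group or other read bits are set.

# Return 0 when the file's group and other read bits are both clear.
# ls -l output is parsed instead of stat(1), whose flags differ between BSD and GNU.
owner_only_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?r??-??-??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Source the private file only if it exists and passes the permission check;
# return 1 (without sourcing) otherwise.
load_private() {
    if [ -r "$1" ] && owner_only_readable "$1"; then
        . "$1"
        return 0
    fi
    return 1
}

# Build a scratch /etc (constructed for this example) and exercise the pattern.
demo() {
    etc=$(mktemp -d)
    # Public rc.conf: keeps the default mode and contains no secrets.
    printf 'myservice=YES\n' > "$etc/rc.conf"
    chmod 644 "$etc/rc.conf"
    # Private file with constructed credentials, readable by its owner only.
    printf 'myservice_password=s3cr3t\n' > "$etc/rc.private"
    chmod 600 "$etc/rc.private"

    . "$etc/rc.conf"
    if load_private "$etc/rc.private"; then
        echo "private config loaded: myservice=$myservice password set=${myservice_password:+yes}"
    fi

    # Loosen the mode and show that the loader now refuses the file.
    chmod 644 "$etc/rc.private"
    if load_private "$etc/rc.private"; then
        echo "unexpected: loaded a group/world-readable private file"
    else
        echo "refused $etc/rc.private (mode $(ls -ld "$etc/rc.private" | cut -c1-10))"
    fi
    rm -rf "$etc"
}

demo
```

In a real /etc the stanza in rc.conf would be the three-line `if [ -r /etc/rc.private ]` block quoted in the message; the extra mode check here is what turns a silently over-permissive secrets file into a visible failure instead of a quiet disclosure.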
