Subject: Re: more restrictive permissions
To: None <port-cobalt@NetBSD.org>
From: Brian <bmcewen@comcast.net>
List: port-cobalt
Date: 11/06/2004 08:27:25
On Thursday, November 4, 2004, at 09:33 PM, Brian wrote:

>
> I'd like to set up more restrictive permissions than default, but I'm
> not totally sure of the best way to go without risking locking 
> something important out.
>
> For users' home directories, I don't have a problem with setting 700,
> but what's the best way for /etc and similar? 700 should be OK, right? 
> root could do anything, processes that run as root could do what they 
> need, regular users would be out.  Except for /tmp of course.
>
> Do I risk breaking some things by doing that?  If so, what can I get
> away with/ should I do instead?
>

Ok, this was greeted with resounding silence ;) which makes me think
it's a stupid question.

I asked as I noticed that permissions on /home were kind of loose 
(looser than any univ. system I've ever worked on), and I could read a 
lot of system files when logged in as a user, even though I could only 
actually change them as root.  I just don't wish to have that much 
stuff open, as is in the default install.  Mostly as I've worked on 
systems where all that was locked away.  My tiny little home system, 
I'm sure it's not that big a deal, but it just feels wrong somehow to 
have all that o:r when it's always been closed to before (as far as I 
know).

Anyway, looking around, I found that if I change permissions on 
/etc/mailer.conf to 700, none but root can send email.  I am surprised 
by this, I expected sendmail to be able to read its own .conf no
matter what.  Evidently that is not a setUID application.

So, I can break things by simply restricting access, and break things 
that I thought would be running as root and able to read their .conf 
files etc.

Other un*x flavors have scripts you can run to set relevant permissions 
to harden the system; but I've not found anything for NetBSD.  In all 
seriousness, I've googled, I've RTFM such as it is, I'm still in the 
dark about what I can close off, and what I cannot.

Comments are appreciated!  And, don't worry, this is the last weekend 
for a while that I'll have time to mess with the unix box :)

Thanks for help;

Brian
-- 
... we parted each feeling
superior to the other and is not that
feeling after all one of the great
desiderata of social intercourse
-archy
_The Life and Times of Archy and Mehitabel_
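
The breakage described above with /etc/mailer.conf can be checked for before running chmod. The following is an added example, not part of the original post: a dry-run shell check that reads mode bits from `ls -ld` and reports whether removing other-read from a config file would cut off ordinary users running a given program. The function names and the temp files in `demo` are constructed for illustration, and the setuid test is a heuristic, since a setuid program can drop privileges before opening its config.

```shell
#!/bin/sh
# Added example: dry-run check before removing "other" read from a config file.
# Nothing here changes permissions on real system files.

# mode_string FILE -> the 10-character mode column of ls -l, e.g. -rw-r--r--
mode_string() { ls -ld "$1" | cut -c1-10; }

# owner_of FILE -> owning user (third field of ls -ld)
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# other_can_read FILE: true if the o+r bit is set
other_can_read() { [ "$(mode_string "$1" | cut -c8)" = "r" ]; }

# is_setuid FILE: true if the setuid bit is set (s or S in the owner-exec slot)
is_setuid() {
    case "$(mode_string "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# restrict_verdict CONF BIN: what dropping o+r on CONF means for users running BIN
restrict_verdict() {
    conf=$1 bin=$2
    if ! other_can_read "$conf"; then
        echo "already-restricted"
    elif is_setuid "$bin" && [ "$(owner_of "$bin")" = "$(owner_of "$conf")" ]; then
        # BIN runs with the config owner's effective uid, so owner-read suffices.
        # Heuristic only: BIN may drop privileges before it opens CONF.
        echo "probably-safe"
    else
        # BIN runs as the invoking user, who would lose read access.
        echo "will-break"
    fi
}

# demo: constructed files standing in for a config and the program that reads it
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/sample.conf"; : > "$d/sample-bin"
    chmod 644 "$d/sample.conf"; chmod 755 "$d/sample-bin"
    restrict_verdict "$d/sample.conf" "$d/sample-bin"   # non-setuid reader
    rm -rf "$d"
}

demo
```

On a real system the two arguments would be the config file and the binary that ordinary users invoke to read it.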