
#1 2012-05-05 03:35:11

Cylinder57
Member
Registered: 2012-04-30
Posts: 29

Which folders should I only allow root to read?

Hello everyone,

From this website: https://wiki.archlinux.org/index.php/Se … ermissions

I only saw this command in "Filesystem permissions:"

chmod 700 /boot /etc/{iptables,arptables}

Which other folders should I change permission to only allow root to read?  In other words, which other folders should I configure with "chmod 700?"  I'm doing this because I want to hide folders from attackers who gain access to non-root accounts.  I'm also asking this because I don't want to break my system from allowing only root access to a folder that is supposed to run something more critical (e.g. desktop.)


#2 2012-05-08 16:57:14

kYd
Member
Registered: 2009-01-20
Posts: 78

Re: Which folders should I only allow root to read?

I'm no expert, but I think out of the box the permissions are pretty much sound; but, I do like to make sure a few are set to 700 that otherwise aren't, some of these may already be so:

/etc/iptables
the wireless keys stored in /etc/wicd/wireless-settings.conf
/boot, but I do not have this automatically mounted in fstab
/etc/{rc.conf, rc.local}
.ssh, obviously this should be set already to 'you'


#3 2012-05-08 17:31:53

rwd
Member
Registered: 2009-02-08
Posts: 664

Re: Which folders should I only allow root to read?

Agreed with kYd that the defaults are good. The desktop environment needs to read /etc/xdg, and x needs /etc/x11, but most folders and files in /etc/ have the name of the application that uses them, so if you know that a particular application runs as non-root (can be seen with 'ps aux') it is useful that it can read the file, otherwise it will use built-in defaults.  But why not just try changing read access, watch the system logs and see what breaks ;) The worst thing that can happen is that you need to boot from a CD and restore the original permissions.

A good read about linux/bsd/unix security in general, as mentioned in that wiki page is this:
http://www.auscert.org.au/render.html?i … mplate=1#D

Last edited by rwd (2012-05-08 17:40:40)
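
Added example, not part of any post in this thread: shell functions that list which of the paths named above are still accessible to group or other, and that record the current modes before a chmod 700 so they can be restored if something breaks. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit, snapshot and restore directory/file modes.
# Function names are hypothetical; requires GNU stat (as shipped on Arch).

# Print "MODE OWNER PATH" for every existing path that group or other
# can still access. Paths that do not exist are skipped silently.
audit_paths() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        mode=$(stat -c '%a' "$p")
        case "$mode" in
            0|*00) ;;                        # owner-only already (700, 600, ...)
            *)     stat -c '%a %U %n' "$p" ;;
        esac
    done
}

# Save "MODE PATH" lines to a file before tightening anything.
# Usage: snapshot_modes SNAPFILE path...
snapshot_modes() {
    snapfile=$1
    shift
    for p in "$@"; do
        if [ -e "$p" ]; then
            stat -c '%a %n' "$p"
        fi
    done > "$snapfile"
}

# Put back the modes recorded by snapshot_modes
# (paths containing newlines are not supported).
restore_modes() {
    while read -r mode path; do
        chmod "$mode" "$path"
    done < "$1"
}

# Typical use as root, with the paths mentioned in this thread:
#   audit_paths /boot /etc/iptables /etc/arptables \
#               /etc/wicd/wireless-settings.conf /etc/rc.conf /etc/rc.local
#   snapshot_modes /root/modes.before /boot /etc/iptables /etc/arptables
#   chmod 700 /boot /etc/iptables /etc/arptables
#   restore_modes /root/modes.before     # only if something broke
```

Keep the snapshot file somewhere that is reachable from a rescue CD, since that is where a restore would be run from if the system no longer boots.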

