
A few days ago I installed a new Linux OS. Today I realized /root has o+r (755), so EVERYONE is able to see my root SQL password in /root/.my.cnf. I freaked out and simply changed /root to 750.

My /var/www folder is 2755, but all the folders in it are 2750 (so certain users can browse to the folder without being blind). What software, file permissions and other DEFAULT configuration should I change?

Michael Mrozek
  • Please specify the distro you installed. None of the ones I've used set /root to world readable. – Keith Feb 28 '11 at 05:58
  • @Keith: Really? Ubuntu 8.04 and Debian 6 both have root as readable to others. – Feb 28 '11 at 08:38
  • Well, I don't use those. ;-) – Keith Feb 28 '11 at 10:02
  • @acid You sure? AFAIR Debian has never done anything like that (from an oft-unreliable memory), or at least not as far back as I started using it, ~a decade ago. Are you sure something didn't get screwed up during daily usage? Was this a normal install? What exact OS are you using? – tshepang Feb 28 '11 at 14:40
  • Always set the permission on files with passwords to 600 or 400. The loosest permission I would allow is 640 or 440 if users in a specific group need access. I have an ssl-certs group where this would apply. – BillThor Feb 28 '11 at 21:58
  • @Tshepang: /root has always been 755 on Debian and Ubuntu, as far as I remember. My unreliable memory goes back to potato, and I can verify this for machines where the first install was etch, lenny, warty, hardy or lucid. – Gilles 'SO- stop being evil' Feb 28 '11 at 22:38
  • Guys, whether it does or not, the question is still the same. It's just an example. What else should I change? I changed www-data because sites need MySQL, which requires user accounts which can modify their site data. Which is why I limit what can read the www folders. What else can I do? Maybe there's a folder containing mail information I'd like to limit? Maybe there are other things? – Feb 28 '11 at 22:44
  • @Gilles Maybe I'm lost regarding this permissions thing, but stat -c'%a %A' /root/ gives me 700 drwx------. I don't remember ever being able to go into the "/root" directory as non-root. – tshepang Mar 01 '11 at 05:17
  • @Tshepang: Step 1: Download Debian or Ubuntu. Step 2: Install it (perhaps on a VM). Step 3: Look at the permissions for /root. Step 4: Wonder why you went through all this trouble when it has nothing to do with the question. Step 5: Realize you don't have anything else to add to the thread ;) – Mar 01 '11 at 06:23
  • @acid Oh, so one can go inside the /root directory even though they don't have permissions to read the directory? – tshepang Mar 01 '11 at 07:32
  • @Tshepang: There seems to be a difference depending on how you install Debian. When I used the Debian Squeeze NetInst while it was in Beta my /root was 755, but my pbuilder chroots have their /root as 700. – Arrowmaster Mar 03 '11 at 15:43
  • @Arr I normally use netinst, and I was never able to even view inside /root with ls. – tshepang Mar 03 '11 at 17:48
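An added example, not part of the original question or its comments: a small POSIX shell audit script that performs the checks the thread is arguing about (is /root or /var/www listable by others, and which credential files such as .my.cnf or anything under .ssh are readable by group or others) and can tighten them to the 700/600 that BillThor's comment recommends. It assumes GNU find and GNU stat (any mainstream Linux), and the list of "secret" file names it looks for is an assumption made for illustration; extend it to match what you store.

```shell
#!/bin/sh
# Added example (not from the original post): audit a home or web directory
# for credential files that group/other users can read, and optionally
# tighten them. Assumes GNU find and GNU stat (any mainstream Linux);
# the list of "secret" file names below is an assumption, extend it as needed.

# Octal mode of a path, e.g. 755 or 2750.
mode_of() { stat -c '%a' "$1"; }

# True (exit 0) if an octal mode string grants read to group OR others.
# Accepts 3- or 4-digit modes (a leading setuid/setgid/sticky digit is ignored).
has_go_read() {
    m=$1
    case "$m" in ????) m=${m#?} ;; esac   # 2750 -> 750
    rest=${m#?}                            # drop owner digit: 50
    g=${rest%?}                            # group digit: 5
    o=${rest#?}                            # other digit: 0
    [ $((g & 4)) -ne 0 ] || [ $((o & 4)) -ne 0 ]
}

# True if "others" can read or search (x) directory $1. That is what a 755
# /root means: any local user can list it and open world-readable files in it.
dir_world_accessible() {
    m=$(mode_of "$1")
    o=${m#"${m%?}"}                        # last octal digit
    [ $((o & 5)) -ne 0 ]
}

# Print "mode path" for every credential-bearing file under $1 that is readable
# by group or others. The name patterns are an assumption for this example.
find_loose_secrets() {
    find "$1" -type f \
        \( -name '.my.cnf' -o -name '.netrc' -o -name '.pgpass' \
           -o -path '*/.ssh/*' -o -name 'wp-config.php' \) \
        -perm /g+r,o+r -exec stat -c '%a %n' {} \;
}

# Subdirectories of $1 that others may list (o+r); useful for a /var/www
# where, as in the question, per-site directories are meant to stay 2750.
find_world_listable_dirs() {
    find "$1" -mindepth 1 -type d -perm -o+r -exec stat -c '%a %n' {} \;
}

# Tighten: the directory itself to 700, every loose secret file to 600.
# (Paths containing newlines are not handled by the read loop.)
fix_secret_dir() {
    chmod 700 "$1"
    find_loose_secrets "$1" | while read -r mode path; do
        chmod 600 "$path"
        printf 'fixed %s: %s -> 600\n' "$path" "$mode"
    done
}

# Usage: sh audit_secrets.sh [--fix] DIR...   e.g.  sh audit_secrets.sh /root /var/www
if [ "$#" -gt 0 ]; then
    fix=0
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    for d in "$@"; do
        printf '== %s (mode %s)\n' "$d" "$(mode_of "$d")"
        if dir_world_accessible "$d"; then
            printf 'WARNING: others can read/search %s\n' "$d"
        fi
        find_loose_secrets "$d"
        find_world_listable_dirs "$d"
        if [ "$fix" -eq 1 ]; then fix_secret_dir "$d"; fi
    done
fi
```

Run it read-only first (`sh audit_secrets.sh /root /var/www`) and only add `--fix` once you have checked the list: 600 on a config file breaks any service that reads it as a different user, which is exactly the www-data trade-off the question describes, so a shared file may need 640 plus a dedicated group instead. Note that a 700 /root is only a second line of defence; the file holding the password must be 600 regardless, because anyone who already knows the path does not need to list the directory.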

1 Answer


Perhaps you should do a scan of your system with a tool like tiger. Tiger will pick up lots of things like this, and is a great way to get lots of advice and suggestions about how to secure your system. Tiger can also be useful as a kind of Intrusion Detection System.

simon
  • It didn't show me the 755 problem (I changed it to 755 for my second scan to see if it picks it up; it didn't), but I like tiger anyway, so +1 – Mar 07 '11 at 22:46
  • Hmm, well then I apologise! It will go crazy if root's ~/.ssh folder is world-readable, for example. If Debian ships with /root as 755 and tiger doesn't warn about it, I would take that as a decent indication that it's not an unreasonable setting to operate with. – simon Mar 08 '11 at 01:50