Re: Permissions on /root/
I'd like to cast a vote for more restrictive permissions as well.
Access to files & directories should be as restrictive as possible
out of the box. If a user or 3rd party app needs more access to any
given area I'll give it as long as it doesn't break the security policy.
/root is one place regular users should never be allowed to look into
/var/log IMHO is another (but that is another flame war :)
I also like to change the default umask in the root & users profiles
to 0027 or 0077 wherever I can.
Trimming out unwanted packages from the default minimal install is another
place I seem to spend some time :(
Jan.
On Saturday 08 Mar 2003 5:47 pm, Dale Amon wrote:
: On Sat, Mar 08, 2003 at 07:12:13PM +0200, Birzan George Cristian wrote:
: > I've talked with several other friends, and most of them (5 to 1),
: > agreed that /root/ shouldn't be 755, but something more restrictive.
:
: I'm in agreement as well. I use /root as a common
: communication area among admin staff. Admin staff
: have their own home directories but prefer to keep
: them private. /root is a good place to put things
: which are intended to be "public" to the admin
: group. sudo is fine for doing many things, but not
: everything.
:
: I use cfengine2 to force it at least to 750. I also
: use cfengine2 to enforce all sorts of harsher
: preferences so that I automatically override
: some of the weaker debian settings within minutes
: of doing an apt-get or dselect upgrade.
:
: When you have multiple people, working over long
: periods of time (years), with varying stress
: conditions, there will at some point be mistakes
: made. That's why defense in depth is so important.
: The more layers of protection you can place the
: more likely a single mistake won't leave you
: wide open.
:
: --
: ------------------------------------------------------
: IN MY NAME: Dale Amon, CEO/MD
: No Mushroom clouds over Islandone Society
: London and New York. www.islandone.org
: ------------------------------------------------------
--
________________________________
Eagles may soar, but weasels don't get sucked into jet engines
________________________________
Jan Eringa
Unix Admin
________________________________
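An added example, not part of the original message and not either poster's own tooling: a plain-shell sketch (not cfengine2) of the two settings discussed in the thread, capping a directory's mode at 750 without ever widening it, and showing what a umask of 0027 or 0077 gives newly created files and directories. The function names are hypothetical, a scratch directory stands in for /root, and GNU `stat` is assumed, as on Debian.

```shell
#!/bin/sh
# Added example; function names are illustrative and a temp dir stands in for /root.

# mode_within LIMIT MODE: succeed when octal MODE grants no permission bit
# that octal LIMIT does not grant (700 is within 750; 755 is not).
mode_within() {
    limit=$((0$1)); mode=$((0$2))
    [ $(( mode & ~limit & 07777 )) -eq 0 ]
}

# dir_mode PATH: print the octal permission bits of PATH (GNU stat).
dir_mode() { stat -c '%a' "$1"; }

# enforce_max_mode LIMIT PATH: if PATH is looser than LIMIT, clear the excess
# bits. Never adds permissions, so an admin's stricter 700 is left alone.
enforce_max_mode() {
    current=$(dir_mode "$2")
    if mode_within "$1" "$current"; then return 0; fi
    new=$(printf '%o' $(( 0$current & 0$1 )))
    chmod "$new" "$2"
}

# modes_under_umask UMASK: print "<file mode> <dir mode>" for a file and a
# directory created under that umask. Runs in a subshell, so the caller's
# umask is untouched.
modes_under_umask() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    : > "$tmp/f"
    mkdir "$tmp/d"
    echo "$(stat -c '%a' "$tmp/f") $(stat -c '%a' "$tmp/d")"
    rm -rf "$tmp"
)

# Demo on a scratch directory (constructed input), starting from 755.
demo=$(mktemp -d)
chmod 755 "$demo"
enforce_max_mode 750 "$demo"
echo "scratch dir after capping at 750: $(dir_mode "$demo")"
echo "umask 0027 gives file/dir modes: $(modes_under_umask 0027)"
echo "umask 0077 gives file/dir modes: $(modes_under_umask 0077)"
rm -rf "$demo"
```
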