chmod and System account's
Results 1 to 8 of 8

Thread: chmod and System account's

  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    3

    Question chmod and System account's

    Hi Guys! I want to change all files in /etc so it's not world readable... But i suppose I can't do an chmod 700 * because then every file will get this configuration. (some files have 600 and I want to keep them that way). How do I do that?! Is it possible?!
    ( chmod ?00 *, where ? keep the current rights)

    Then I wonder if it's possible to disable all system account's or delete them. Like games, uucp and so on.. !?
    Do we really need those accont and group's that are more important like disk, bin, sys. Will it make thing's stop working!?

    Thanks in advance!

    /Devkillen

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    712
    Well, "man chmod" is your friend, but...

    Try: "chmod go= *"

    Rather, you should probably understand what each of those files are and what they do... doing this to the passwd file, for example, can have really bad results. I DO NOT recommend you do this...

    And many system accounts you can disable (well, you can disable pretty much all of them, just not delete all of them - like lpd needs to stick around for printing and log rotation and weird things to work). Looking up a "system hardening" book would probably be a good thing... www.sans.org is a good site to start at, most likely.

    Oh... and "chmod g-w,o-w *" will also work... don't always need to use the octal permissions; I often find the mneumonic's better/easier and good for preventing "stupid mistakes."
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  3. #3
    A bit out of topic, but still usefull..

    http://javascriptkit.com/script/script2/chmodcal.shtml

    chmod calculator =)
    Missing em ol BBS' days!
    Virtus - Splashgame.org

  4. #4
    Junior Member
    Join Date
    Nov 2001
    Posts
    10
    Im not sure if its a great idea on some of the files in /etc but maybe this link might help abit...

    http://www.uwsg.iu.edu/edcert/sessio...ir.html#change

    good luck.....

  5. #5
    Member
    Join Date
    Dec 2002
    Posts
    88
    Well, some of them should be world readable. Like passwd, for example. I think you may want to check which of them must be read by anyone, and after that, my advice is that you use chattr in all files. Chattr can set the file immutable, and only root can use this tool. You will need to "chattr off" if you want to write on the files.
    Having accounts like named, lp and others are useful because you use them to run services instead of using root. Since they are limited on what they can do, the risk is lower. They shouldnt have a shell; you may want to use /bin/false as their shell. Check your passwd. At least, it's how I like doing. Check what you use... named, used by BIND (DNS services), amanda (AMANDA backup system), etc. I would delete accounts which are related to services you wont run and use /bin/false as the shell for other system account related to running services. Users have a real shell, of course . Then, chattr on it.

  6. #6
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Hi....

    What OS are you using ?
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Yes, you can do this, but it's a really bad idea.

    Many of the things in /etc need to be world readable. Not just passwd, but loads of other things. Take /etc/profile for an example.

    Maybe if it can't read your shell in /etc/shells, your ftp server won't let you in. Maybe if /etc/resolv.conf is not world readable nothing will be able to do DNS lookups.

    Seriously, it's a bad idea.

  8. #8
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    Try: "chmod go= *"
    Shouldn't that be "chmod go-rw *"?

    I agree with the others. Bad idea. But if you are interested in finding files which may have dangerous permissions, see my tutorial on searching for files by permission. If you understand how octal permissions work, you shouldn't have any trouble understanding the commands I have listed there.

    http://www.antionline.com/showthread...hreadid=234199
    Do what you want with the girl, but leave me alone!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides