December 13th, 2002, 11:14 AM
chmod and system accounts
Hi Guys! I want to change all files in /etc so they're not world readable... But I suppose I can't do a chmod 700 * because then every file will get this configuration. (Some files have 600 and I want to keep them that way.) How do I do that?! Is it possible?!
(chmod ?00 *, where ? keeps the current rights)
Then I wonder if it's possible to disable all system accounts or delete them, like games, uucp and so on..!?
Do we really need those accounts and groups that are more important, like disk, bin, sys? Will it make things stop working!?
Thanks in advance!
December 13th, 2002, 11:19 AM
Well, "man chmod" is your friend, but...
Try: "chmod go= *"
Rather, you should probably understand what each of those files are and what they do... doing this to the passwd file, for example, can have really bad results. I DO NOT recommend you do this...
And many system accounts you can disable (well, you can disable pretty much all of them, just not delete all of them - like lpd needs to stick around for printing and log rotation and weird things to work). Looking up a "system hardening" book would probably be a good thing... www.sans.org is a good site to start at, most likely.
Oh... and "chmod g-w,o-w *" will also work... you don't always need to use the octal permissions; I often find the mnemonics better/easier and good for preventing "stupid mistakes."
"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"
December 13th, 2002, 11:32 AM
A bit off topic, but still useful..
chmod calculator =)
December 13th, 2002, 12:52 PM
I'm not sure if it's a great idea on some of the files in /etc but maybe this link might help a bit...
December 13th, 2002, 02:16 PM
Well, some of them should be world readable. Like passwd, for example. I think you may want to check which of them must be read by anyone, and after that, my advice is that you use chattr in all files. Chattr can set the file immutable, and only root can use this tool. You will need to "chattr off" if you want to write on the files.
Having accounts like named, lp and others is useful because you use them to run services instead of using root. Since they are limited in what they can do, the risk is lower. They shouldn't have a shell; you may want to use /bin/false as their shell. Check your passwd. At least, that's how I like doing it. Check what you use... named, used by BIND (DNS services), amanda (AMANDA backup system), etc. I would delete accounts which are related to services you won't run and use /bin/false as the shell for other system accounts related to running services. Users have a real shell, of course. Then, chattr on it.
December 14th, 2002, 03:17 PM
What OS are you using?
Ubuntu: Means in African: "I'm too dumb to use Slackware"
December 14th, 2002, 05:19 PM
Yes, you can do this, but it's a really bad idea.
Many of the things in /etc need to be world readable. Not just passwd, but loads of other things. Take /etc/profile for an example.
Maybe if it can't read your shell in /etc/shells, your ftp server won't let you in. Maybe if /etc/resolv.conf is not world readable nothing will be able to do DNS lookups.
Seriously, it's a bad idea.
December 14th, 2002, 07:32 PM
Shouldn't that be "chmod go-rw *"?
I agree with the others. Bad idea. But if you are interested in finding files which may have dangerous permissions, see my tutorial on searching for files by permission. If you understand how octal permissions work, you shouldn't have any trouble understanding the commands I have listed there.
Do what you want with the girl, but leave me alone!
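To show the point made in the replies above (symbolic "chmod go=" strips group/other bits and leaves each file's owner bits alone, which is what the octal "?00" in the question was asking for) and the "find files by permission" idea from the last post, here is an added example that is not from any poster in this thread. It runs only in a scratch directory it creates itself, so nothing under /etc is touched; the file names and modes are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): symbolic chmod preserves owner bits,
# then find -perm lists what is still readable by "other".
set -e

# Build a scratch directory with constructed files of mixed modes.
make_scratch() {
  dir=$(mktemp -d)
  printf 'x\n' > "$dir/world644"; chmod 644 "$dir/world644"
  printf 'x\n' > "$dir/priv600";  chmod 600 "$dir/priv600"
  printf 'x\n' > "$dir/exec755";  chmod 755 "$dir/exec755"
  echo "$dir"
}

# Print a file's permission bits in octal (GNU stat first, BSD stat fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Count regular files under a directory that carry the other-read bit (0004).
count_world_readable() {
  find "$1" -type f -perm -004 | wc -l | tr -d ' '
}

# Clear every group/other bit. Owner bits are not named, so they are untouched:
# 644 -> 600, 600 -> 600, 755 -> 700. Equivalent to "chmod g-rwx,o-rwx".
strip_go() {
  chmod go= "$1"/*
}

# Stand-alone demo: show modes before and after, then clean up.
d=$(make_scratch)
echo "before: $(count_world_readable "$d") world-readable file(s)"
for f in "$d"/*; do echo "  $(mode_of "$f") $(basename "$f")"; done
strip_go "$d"
echo "after:  $(count_world_readable "$d") world-readable file(s)"
for f in "$d"/*; do echo "  $(mode_of "$f") $(basename "$f")"; done
rm -rf "$d"
```

On a real system you would run the find step alone first (against /etc, without the chmod) to see which files are world-readable, and decide per file whether that is required, as the replies warn for passwd, shells and resolv.conf.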