Red Hat

Hi experts,
I have RHEL6 system which I want to tighten by having strict permissions for some important files. Looks like, RHEL has below permissions by default:-

Code:

/etc/passwd:644:root:root
   /etc/shadow:000:root:root
      /etc/services:644:root:root
   /etc/hosts.allow:644:root:root

I am thinking of setting the permissions something like:-

Code:

  /etc/passwd:444:root:sys
  /etc/shadow:400:root:sys
    /etc/services:444:root:sys
  /etc/hosts.allow:644:root:sys

Could anyone please throw some light on the side effects I may face with these changes? I am especially concerned about first 3 entries. Also, I was wondering whether using sys as group is a good thing or not!

Do not make any of these changes.
Do not make any of these changes.
Do not make any of these changes.


Nuff said.

Thanks a lot for the reply. But I have similar permissions on hardened solaris systems!! That's why I was thinking about such a change. Just curious, are these changes on the weaker side because of the group? Or is there anything else?

Linux is not Solaris. You're messing with the files that allow you to log into the system! One mistake and you lock yourself out so hard you need a recovery cd to fix it. Even what you get on this 'hardened' Solaris system may not be what you get on other Solaris systems. blindly copying it may lead to disaster. It might be in your interest to find out what these permissions actually mean, what they actually do, and why Solaris actually has them before duplicating them. It'd also be good to find out all the changes made for hardening that system, not just the ones you happened to notice, because they may not work right unless you make all of them.

Furthermore: Linux is not Solaris. You must also check if they're meaningful outside Solaris.

The 'sys' group for instance: What does it do? Who's in it? What permissions is 'sys' membership supposed to grant, what utilities respect it, etc, etc. It's not used at all on my Linux system, blindly changing the permissions would just evict everyone and everything in the root group from rightful access.

Also: changing 644 to 444 on /etc/passwd, or 000 to 600 for /etc/shadow. These are useless. Root can write to any file, even ones set 000.

And you don't want to mess with the password and shadow files. At all. Ever. They weren't "soft" and never needed "hardening". They may require certain file permissions, programs using them may refuse to operate if they don't!

When in doubt, don't. These files weren't "soft" in the first place. Any actual security problems will lie in more subtle things.

I guessed that you had got some random advice about another O/S.

RHEL6 and Solaris are quite different.

@Corona688,

Thanks a lot for the inputs. Yes you're right, /etc/passwd and /etc/shadow were already hard enough. And changing the group will only soften them as "sys" has more users. Like you said I need to make further investigation!

@methyl,
I was actually comparing RHEL with my Solaris nodes. These permissions went into the Solaris systems after a lot of analysis. So similar thing needs to be done on RHEL also I think.

I hope you mean similar analysis, not similar fixes.