Quote:
Originally Posted by shreeda
Thanks a lot for the reply. But I have similar permissions on hardened Solaris systems!!
Linux is not Solaris.
Quote:
That's why I was thinking about such a change. Just curious, are these changes on the weaker side because of the group? Or is there anything else?
You're messing with the files that allow you to log into the system! One mistake and you lock yourself out so hard you need a recovery CD to fix it. Even what you get on this 'hardened' Solaris system may not be what you get on other Solaris systems. Blindly copying it may lead to disaster. It might be in your interest to find out what these permissions actually mean, what they actually do, and why Solaris actually has them before duplicating them. It'd also be good to find out all the changes made for hardening that system, not just the ones you happened to notice, because they may not work right unless you make all of them.
Furthermore: Linux is not Solaris. You must also check if they're meaningful outside Solaris.
The 'sys' group, for instance: What does it do? Who's in it? What permissions is 'sys' membership supposed to grant, what utilities respect it, etc., etc. It's not used at all on my Linux system; blindly changing the permissions would just evict everyone and everything in the root group from rightful access.
Also: changing 644 to 444 on /etc/passwd, or 000 to 600 for /etc/shadow. These are useless. Root can write to any file, even ones set 000.
And you don't want to mess with the password and shadow files. At all. Ever. They weren't "soft" and never needed "hardening". They may require certain file permissions; programs using them may refuse to operate if they don't!
When in doubt, don't. These files weren't "soft" in the first place. Any actual security problems will lie in more subtle things.
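An added example, not part of the original post: one way to answer "who's in it?" before changing a file's group from root to sys, by listing the accounts whose group-class access would change. The account data is a constructed sample in /etc/group and /etc/passwd format, and the function names are hypothetical.

```python
# Added illustration: who is affected if a file's group changes from one group to another.
# GROUP_TEXT and PASSWD_TEXT are constructed samples in /etc/group and /etc/passwd format.
GROUP_TEXT = """\
root:x:0:backup
sys:x:3:
adm:x:4:alice
"""
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:1001:0:second admin:/home/toor:/bin/bash
"""

def parse(text):
    """Split colon-separated account database lines, skipping blanks and comments."""
    return [l.split(":") for l in text.splitlines() if l.strip() and not l.startswith("#")]

def group_members(name, group_text, passwd_text):
    """Accounts in a group: listed members plus accounts whose primary GID matches."""
    for gname, _pw, gid, members in parse(group_text):
        if gname == name:
            listed = {m for m in members.split(",") if m}
            primary = {f[0] for f in parse(passwd_text) if f[3] == gid}
            return listed | primary
    return None  # group is not defined on this system

def chgrp_impact(old, new, group_text, passwd_text):
    """Return (lose, gain): non-root accounts whose group-class access changes."""
    uid0 = {f[0] for f in parse(passwd_text) if f[2] == "0"}  # root ignores mode bits
    before = group_members(old, group_text, passwd_text) or set()
    after = group_members(new, group_text, passwd_text) or set()
    return sorted(before - after - uid0), sorted(after - before - uid0)

if __name__ == "__main__":
    print("members of sys:", group_members("sys", GROUP_TEXT, PASSWD_TEXT))
    lose, gain = chgrp_impact("root", "sys", GROUP_TEXT, PASSWD_TEXT)
    print("lose group access:", lose, "gain group access:", gain)
```

On a real system the same functions can be fed the contents of the live /etc/group and /etc/passwd, which the script only reads.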