UNIX for Dummies Questions & Answers

I would like to configure my SuSE 7.0 workstation more securely. I have attempted for about two weeks to find a guideline on good practices for the file and directory permissions.........but to no avail.

Does anyone have a guideline that I could use to help me out. I realize that the distros are each a little different....but any help at all would be most generously appreciated.

Thanks.

I am not sure that such guidelines exist. Other than what are specified already by the UNIX standard for the version of UNIX that you are using. I think your real question is about security. Correct?

What are you trying to accomplish with this? UNIX is by definition fairly secure, but only depending on the honesty of the users on your box.

If you are attempting to "lock down" your box, that will be very hard to do. Permissions must remain the way they are as defaulted during the install process. If you try to lock down the box too much, your OS will have problems or your users will not be able do work on the box.

Give a few examples of what you are trying to do.

For example.......i know that i need to allow access to alot of the /etc directory; using the mode 644 (-rw-r--r--) permissions.

/var/log should also be mode 644.

Reduce the amount of setuid and setgid files as much as possible.

nosuid option for /etc/fstab.



***************
This is really what i am looking for.....just general guidelines. Problem is that, I do not fully understand the procedures and processes of the kernel and modules.

I'm just wanting to have somewhere to start. Does that explain my intentions?

Un sure if this page could help your problem. But its worth a try. CHeck it out.

http://www.uwsg.indiana.edu/usail/ta...r/fileper.html

I am not sure what your ultimate goal is. Why are you so concerned with permissions?

You are playing with fire if you change too many permissions. /etc is a VERY important directory. I know this because I had some sabotage in one of my boxes. /etc was messed up bad. Someone had changed all my files and subdirs to 444 permissions. My system almost shutdown.

Most of the daemons that run are linked to /etc. Many configuration files are located here. I would say that /etc is the most important filesystem after the box is up and running.

Please let us know what your thinking is and what has spurred you to take up this quest for modifying file permissions.

I think you are chasing your tail, just a little bit.

Don't take this the wrong way. Only as a word of caution.

The permissions you set on /etc and /var are normally done because of Sendmail - it will complain if those are group writable. Changing to what you did will not effect your system.


As far as locking down a server - try this one

Lexx, that is very inappropriate to say.
While OpenBSD is "secure by default", you will find yourself installing lots of stuff from the ports packages (and from other places) if you want a functioning home system. I use both OpenBSD and Linux, and have not had a problem with either, because I took the stance that the OP did. You cannot rely on the OS for all security; as there is not a whole lot of chance of somebody exploiting a flaw in the kernel itself remotely (although it may very well be possible, look at all the hooplah with zlib in the Linux kernel recently). The thing you have to worry about are the applications it runs. In the case of OpenBSD, two new exploits have been announced for it. One of them, released 4/11, is a local root exploit. I'm sure you have recompiled /usr/bin/mail with the appropriate patch (released 4/8 - 3 days before the public release of the hole) applied, right?

thomas.jones, do you have any other people who log in to the box besides yourself? If not, your worries are somewhat mitigated. The key point is to not offer any exploitable services (a key point to OpenBSD's security model). Under most circumstances, you do not need any ports listening. On my home Redhat box, I do not have any. If I ever do run X, I run it with --nolisten, to keep port 6000 closed. I don't even start inetd or xinetd, not do I provide any other services. On top of that, I can always activate my firewall rules to control any services I may open temporarily.

Let me know what you're using the machine for, and perhaps I can help with recomendations or links to recomendations.