Skip to content

Secure File Permissions

Who Privacy

On shell accounts, it is possible to snoop around to see which users are logged in and what their home IPs are:

$ who
username1 ttyp0    Jan 25 03:17   (192.168.0.1)
username2  ttyp6    Jan 25 03:35   (10.0.0.1)

This is quite dangerous for user privacy, so we recommend disabling world read access

$ doas chmod o-rwx /var/run/utmp /var/log/wtmp*
$ who
who: /var/run/utmp: Permission denied

Now users cannot see other IPs so easily. The downside is that commands like uptime break also:

$ uptime
uptime: /var/run/utmp: Permission denied

There is unfortunately no way to prevent users from viewing other processes. See the mailing list archive. (marc.info and [nabble.com.md) There is unfortunately no way to prevent users from viewing other processes. See the mailing list archive. (marc.info and [nabble.com.md)

Hiding logs

We want to hide our logs from prying eyes:

# chmod -R o-rwx /var/log/ /var/www/logs/
# chown -R _smtpd:_dovecot /etc/mail
# chmod -R o-rx /etc/mail

Hiding home folders

Make sure to check file permissions for folders in /home:

# chmod o-rx /home/botnow
# usermod -G znc botnow
# usermod -G znc _identd
# chown -R znc:znc /home/znc
# chmod -R o-rx /home/znc/home/znc/.znc

Hiding /var

Hide data related to botnow:

# chown -R botnow:daemon /var/www/botnow/ /var/www/htdocs/botnow/

Hiding /etc

# cd /etc
# chmod -R o-rx X11 acme acme-client.conf adduser.conf amd authpf doas.conf

SUID Binaries

Check for any unexpected SUID binaries with:

# find / -perm -4000
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown

WARNING: If you see any other binaries, then watch out# You may want to delete packages that created those files, or delete the files themselves. These files may be a serious security risk to your server.

WARNING: If you installed LaTeX, this is the new setuid root program:

-rwsr-x---  1 root  _dbus  - 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper

To prevent this:

$ doas chmod 0750 /usr/local/libexec/dbus-daemon-launch-helper                     
$ ls -lh /usr/local/libexec/dbus-daemon-launch-helper                     
-rwxr-x---  1 root  _dbus  73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper

Checking Group Permissions

Check /etc/groups to make sure that no unauthorized user is a member of wheel. Otherwise, they could use su to get root powers.

As soon as a team member leaves make sure to remove retired teammates from wheel and doas.conf.

Check /etc/doas.conf to make sure only authorized users are added, and don't allow others to read doas.conf:

$ doas chmod o-r /etc/doas.conf

In /etc/ssh/sshd_config, turn off X11 forwarding