07-20-2010, 11:45 PM
Ski Dawg
 
Default directory permissions set to 600?

Hello all,

Today, I ran across a directory in /etc/ on one of our servers whose
permissions were set to 600 (drw-------) with root being the owner.
The directory is for the firewall package for the server, so it is not
something malicious. Checking some other systems, they also have this
directory and the permissions on those servers is also 600, so it
isn't just a messed up permissions on this one machine.

What is the difference between permissions of 600 and 700 for a
directory, that is owned by root (group root)? Is there a reason why
some directory should be set to 600 instead of 700?
--
Doug

Registered Linux User #285548 (http://counter.li.org)
----------------------------------------
Never trust a computer you can't throw out a window.
-- Steve Wozniak
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
07-20-2010, 11:54 PM
Larry Brower
 
Default directory permissions set to 600?

Ski Dawg wrote:
> Hello all,
>
> Today, I ran across a directory in /etc/ on one of our servers whose
> permissions were set to 600 (drw-------) with root being the owner.
> The directory is for the firewall package for the server, so it is not
> something malicious. Checking some other systems, they also have this
> directory and the permissions on those servers is also 600, so it
> isn't just a messed up permissions on this one machine.
>
> What is the difference between permissions of 600 and 700 for a
> directory, that is owned by root (group root)? Is there a reason why
> some directory should be set to 600 instead of 700?


600 is read and write for the owner whereas 700 is read write and
execute. If there is nothing in the folder that needs to be executed
then 600 would be correct.

 
07-20-2010, 11:57 PM
John R Pierce
 
Default directory permissions set to 600?

On 07/20/10 4:54 PM, Larry Brower wrote:
> Ski Dawg wrote:
>> Hello all,
>>
>> Today, I ran across a directory in /etc/ on one of our servers whose
>> permissions were set to 600 (drw-------) with root being the owner.
>> The directory is for the firewall package for the server, so it is not
>> something malicious. Checking some other systems, they also have this
>> directory and the permissions on those servers is also 600, so it
>> isn't just a messed up permissions on this one machine.
>>
>> What is the difference between permissions of 600 and 700 for a
>> directory, that is owned by root (group root)? Is there a reason why
>> some directory should be set to 600 instead of 700?
>
> 600 is read and write for the owner whereas 700 is read write and
> execute. If there is nothing in the folder that needs to be executed
> then 600 would be correct.

um... on a directory, the X bit means you can LS the contents of the
directory. of course, root ignores this anyways and overrides it.


 
07-21-2010, 12:17 AM
Robert Heller
 
Default directory permissions set to 600?

At Tue, 20 Jul 2010 16:57:11 -0700 CentOS mailing list <centos@centos.org> wrote:

>
> On 07/20/10 4:54 PM, Larry Brower wrote:
> > Ski Dawg wrote:
> >> Hello all,
> >>
> >> Today, I ran across a directory in /etc/ on one of our servers whose
> >> permissions were set to 600 (drw-------) with root being the owner.
> >> The directory is for the firewall package for the server, so it is not
> >> something malicious. Checking some other systems, they also have this
> >> directory and the permissions on those servers is also 600, so it
> >> isn't just a messed up permissions on this one machine.
> >>
> >> What is the difference between permissions of 600 and 700 for a
> >> directory, that is owned by root (group root)? Is there a reason why
> >> some directory should be set to 600 instead of 700?
> >
> > 600 is read and write for the owner whereas 700 is read write and
> > execute. If there is nothing in the folder that needs to be executed
> > then 600 would be correct.
>
> um... on a directory, the X bit means you can LS the contents of the
> directory. of course, root ignores this anyways and overrides it.

Note that execute access is only needed on a directory if you want to
list its contents (eg ls). If you know ahead of time the name of the
file in the directory you seek to access, you don't need execute access
on the directory. Not having execute access on a directory keeps
'noisy' people from discovering the contents of the directory. This is
a not unreasonable security setting.


--
Robert Heller -- 978-544-6933
Deepwoods Software -- Download the Model Railroad System
http://www.deepsoft.com/ -- Binaries for Linux and MS-Windows
heller@deepsoft.com -- http://www.deepsoft.com/ModelRailroadSystem/

 
07-21-2010, 12:24 AM
Larry Brower
 
Default directory permissions set to 600?

Robert Heller wrote:
> At Tue, 20 Jul 2010 16:57:11 -0700 CentOS mailing list <centos@centos.org> wrote:
>
>> On 07/20/10 4:54 PM, Larry Brower wrote:
>>> Ski Dawg wrote:
>>>> Hello all,
>>>>
>>>> Today, I ran across a directory in /etc/ on one of our servers whose
>>>> permissions were set to 600 (drw-------) with root being the owner.
>>>> The directory is for the firewall package for the server, so it is not
>>>> something malicious. Checking some other systems, they also have this
>>>> directory and the permissions on those servers is also 600, so it
>>>> isn't just a messed up permissions on this one machine.
>>>>
>>>> What is the difference between permissions of 600 and 700 for a
>>>> directory, that is owned by root (group root)? Is there a reason why
>>>> some directory should be set to 600 instead of 700?
>>> 600 is read and write for the owner whereas 700 is read write and
>>> execute. If there is nothing in the folder that needs to be executed
>>> then 600 would be correct.
>> um... on a directory, the X bit means you can LS the contents of the
>> directory. of course, root ignores this anyways and overrides it.
>
> Note that execute access is only needed on a directory if you want to
> list its contents (eg ls). If you know ahead of time the name of the
> file in the directory you seek to access, you don't need execute access
> on the directory. Not having execute access on a directory keeps
> 'noisy' people from discovering the contents of the directory. This is
> a not unreasonable security setting.
>
>>

This is what I meant to imply, however was not clear when I responded.


 
07-21-2010, 02:36 AM
Gordon Messmer
 
Default directory permissions set to 600?

On 07/20/2010 05:17 PM, Robert Heller wrote:
>> um... on a directory, the X bit means you can LS the contents of the
>> directory. of course, root ignores this anyways and overrides it.
>
> Note that execute access is only needed on a directory if you want to
> list its contents (eg ls). If you know ahead of time the name of the
> file in the directory you seek to access, you don't need execute access
> on the directory.

You and John are both incorrect. Read access is sufficient to get a
list of files and directories in a given directory. The execute bit on
a directory is required to access the directory's contents. If a
directory is 'rw-' for a user (other than root), the user can get a list
of its contents using 'ls'. However, since the contents are not
available, the user cannot stat() the names to determine what type of
file they are, their size, their owner/group, etc. The user will also
not be able to chdir to a sub-directory without execute access.

The fact that Doug has a directory with octal mode 0600 is probably an
oversight which goes unnoticed because the root user gets the privilege
of lax security checks.
 
07-21-2010, 03:20 AM
Stephen Harris
 
Default directory permissions set to 600?

On Tue, Jul 20, 2010 at 05:45:36PM -0600, Ski Dawg wrote:
> Hello all,
>
> Today, I ran across a directory in /etc/ on one of our servers whose
> permissions were set to 600 (drw-------) with root being the owner.

Heheheheh. That machine is so broken. Even 0700 would be unbelievably
broken

> The directory is for the firewall package for the server, so it is not
> something malicious. Checking some other systems, they also have this
> directory and the permissions on those servers is also 600, so it
> isn't just a messed up permissions on this one machine.

Sounds like some messed up wanna-be security person who doesn't grok Unix.

Basically nothing non-root running will work properly on these machines.
And if everything is designed to run as root then the architect has
shown other issues. "root" is the user of last recourse on a properly
managed server.

--

rgds
Stephen
 
07-21-2010, 03:30 AM
Keith Keller
 
Default directory permissions set to 600?

On Tue, Jul 20, 2010 at 07:36:17PM -0700, Gordon Messmer wrote:
>
> You and John are both incorrect. Read access is sufficient to get a
> list of files and directories in a given directory. The execute bit on
> a directory is required to access the directory's contents. If a
> directory is 'rw-' for a user (other than root), the user can get a list
> of its contents using 'ls'. However, since the contents are not
> available, the user cannot stat() the names to determine what type of
> file they are, their size, their owner/group, etc. The user will also
> not be able to chdir to a sub-directory without execute access.

IOW, ls will work fine, but ls -l will not. (To be specific, a plain
old /bin/ls will work fine. If you have any ls options that need to read
the contents of the directory, like -l or -F, it'll b0rk.)

On Tue, Jul 20, 2010 at 11:20:57PM -0400, Stephen Harris wrote:
>
> Basically nothing non-root running will work properly on these machines.
> And if everything is designed to run as root then the architect has
> shown other issues. "root" is the user of last recourse on a properly
> managed server.

If it's an embedded server, like a home wifi router device, running
everything as root isn't such a big deal. If it's a real server it's in
deep trouble.

--keith

--
kkeller@wombat.san-francisco.ca.us

 
07-21-2010, 03:49 AM
Stephen Harris
 
Default directory permissions set to 600?

On Tue, Jul 20, 2010 at 08:30:48PM -0700, Keith Keller wrote:
> On Tue, Jul 20, 2010 at 11:20:57PM -0400, Stephen Harris wrote:
> > Basically nothing non-root running will work properly on these machines.
> > And if everything is designed to run as root then the architect has
> > shown other issues. "root" is the user of last recourse on a properly
> > managed server.
>
> If it's an embedded server, like a home wifi router device, running
> everything as root isn't such a big deal. If it's a real server it's in
> deep trouble.

/me glances at the Centos mailing list header...

OK :-)

--

rgds
Stephen
 
07-21-2010, 05:42 AM
Gordon Messmer
 
Default directory permissions set to 600?

On 07/20/2010 08:30 PM, Keith Keller wrote:
>
> IOW, ls will work fine, but ls -l will not. (To be specific, a plain
> old /bin/ls will work fine. If you have any ls options that need to read
> the contents of the directory, like -l or -F, it'll b0rk.)

Well, to be *specific*, reading the contents of the directory is
allowed. That's what 'ls' will do. The attributes of the files
contained within the directory are not read from the directory. They're
returned by stat() on the paths composed of the directory path plus the
names returned by reading the directory. The stat() call will fail,
since you can read the directory's own content, but cannot access any of
the items within the directory.

> If it's an embedded server, like a home wifi router device, running
> everything as root isn't such a big deal. If it's a real server it's in
> deep trouble.

They're the configuration files for a firewall package. It's fine that
they're readable only by root. No other user would have any use for
them, as only the root user can manipulate iptables entries.
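
The read-versus-execute distinction Gordon Messmer describes above, as an added example that is not part of the original thread: `audit` flags directories whose read and execute bits disagree (such as the 0600 directory Doug found) from mode bits alone, and `probe` shows what the calling process actually gets from listing names versus calling stat() on an entry. The directory and file names (`fwpkg`, `ok`, `drop`, `rules.conf`) are constructed for the demo.

```python
import os
import stat
import tempfile

def rx_mismatch(mode):
    """Classes (owner/group/other) whose directory r and x bits disagree."""
    found = {}
    for who, shift in (("owner", 6), ("group", 3), ("other", 0)):
        bits = (mode >> shift) & 0o7
        if bits & 0o4 and not bits & 0o1:
            found[who] = "names listable, entries unreachable"
        elif bits & 0o1 and not bits & 0o4:
            found[who] = "entries reachable by name, not listable"
    return found

def audit(root):
    """Map each mismatched directory under root to its finding (mode bits only)."""
    report = {}
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            path = os.path.join(dirpath, name)
            finding = rx_mismatch(stat.S_IMODE(os.lstat(path).st_mode))
            if finding:
                report[os.path.relpath(path, root)] = finding
                dirnames.remove(name)  # do not descend; traversal may be denied
    return report

def probe(path):
    """Return (names, reachable): what this process gets from readdir vs stat()."""
    names = sorted(os.listdir(path))           # needs only the read bit
    try:
        os.stat(os.path.join(path, names[0]))  # needs the execute (search) bit
        return names, True
    except PermissionError:
        return names, False

def demo():
    """Build a constructed tree (hypothetical names) and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("fwpkg", 0o600), ("ok", 0o700), ("drop", 0o711)):
            path = os.path.join(root, name)
            os.mkdir(path)
            open(os.path.join(path, "rules.conf"), "w").close()
            os.chmod(path, mode)
        result = audit(root), probe(os.path.join(root, "fwpkg"))
        os.chmod(os.path.join(root, "fwpkg"), 0o700)  # restore so cleanup works
        return result

if __name__ == "__main__":
    print(demo())
```

Run as an unprivileged user, `probe` returns the name list with `reachable` set to False; run as root it returns True, because root bypasses the check, as the thread notes.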
 
