Gentoo Forums
Securing /etc - script for Gentoo
lutel
Tux's lil' helper
Joined: 19 Oct 2003
Posts: 94
Location: Pomroczna

PostPosted: Sat Feb 29, 2020 1:50 pm    Post subject: Securing /etc - script for Gentoo

Hello,

I've found that /etc permissions are a bit loose and can be secured to much more strict permissions. This is the script I'm using for Gentoo servers, default/linux/amd64/17.1 profile. If you'd like to use it in your environment, please test. For me all services work, but your mileage may vary. Please update this post if you find any other services that should be corrected. Maybe these permissions will be corrected in the Gentoo default install.

Code:
# Needs bash (brace expansion). Strip every group/other bit recursively, then restore owner rwx
# (capital X: execute only on directories and files that are already executable)
chmod -R go-rwx /etc
chmod -R u+rwX /etc
# Directories that must stay traversable (x) by everyone but not listable (r)
chmod 0711 /etc /etc/{postgresql-*,bash,terminfo,terminfo/*,ssl,portage,mail,xml,dovecot,dovecot/sieve,vim,ssl/certs}
chmod 0640 /etc/amavisd.conf
# World-readable files that unprivileged processes need (NSS, resolver, shell profiles, CA certs, ...)
chmod 0644 /etc/{passwd,group,profile,profile.env,bash/bashrc,bash/bash_logout,DIR_COLORS,terminfo/*/*,resolv.conf,ssl/openssl.cnf,sandbox.d/*,sandbox.conf,nsswitch.conf,host.conf,hosts,services,protocols,spamassassin/*,wgetrc,ld.so.conf,ld.so.conf.d/*,ld.so.cache,xml/docbook,xml/catalog,dovecot/sieve/*,mime.types,vim/*,ssl/certs/*.crt,man_db.conf,*-release}
# Owner-only: init scripts and local.d start/stop hooks
chmod -R 0700 /etc/local.d/*.st* /etc/init.d
# Restore read/traverse for group and other on these whole trees
chmod -R go+rX /etc/{sandbox.d,mail/spamassassin,ld.so.conf.d,fonts,pango,env.d}


[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]
krinn
Watchman
Joined: 02 May 2003
Posts: 7368

PostPosted: Sat Feb 29, 2020 4:52 pm    Post subject:

/etc is owned by root:root with of course no write for users; anything you do next to that is like adding some adhesive tape on your safe.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 14973

PostPosted: Sat Feb 29, 2020 5:05 pm    Post subject:

krinn makes an excellent point, but even if you correct for that problem, use of --recursive at such a coarse level is very dependent on what you have installed, and could easily break a system with different packages and requirements. Your post would be generally safer and more helpful if you listed mode changes on specific files, ideally broken out per package so that interested readers could patch specific packages more readily.

I'm a bit surprised you did not also advocate chmod go-r / /*. ;)
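As an added example (not code from the thread or from Gentoo), a small POSIX shell script in the direction Hu describes: an explicit per-file mode list that is audited and applied without -R, so files from packages it does not know about are never touched. The mode values are copied from the first post's script; the function names and the constructed sample tree are assumptions of this example.

```shell
# Added example, not from the thread: explicit per-file mode audit and apply (the
# alternative Hu suggests to a recursive chmod), dry-runnable on a ROOT other than /etc.
# One "relative-path mode" pair per line; values mirror explicit entries from the
# first post's script. Extend this per package for your own install.
expected_modes() {
    cat <<'EOF'
passwd 644
amavisd.conf 640
ssl 711
ssl/openssl.cnf 644
init.d 700
EOF
}

# audit_modes ROOT: print "path actual expected" for each listed path whose mode
# differs (missing paths are skipped); the exit status is the number of mismatches.
audit_modes() {
    root=$1; bad=0
    while read -r rel want; do
        [ -n "$rel" ] && [ -e "$root/$rel" ] || continue
        have=$(stat -c '%a' "$root/$rel")
        if [ "$have" != "$want" ]; then
            echo "$root/$rel $have $want"; bad=$((bad + 1))
        fi
    done <<EOF
$(expected_modes)
EOF
    return "$bad"
}

# apply_modes ROOT: chmod only the listed paths that exist, one at a time and without
# -R, so files belonging to packages not in the list are never touched.
apply_modes() {
    root=$1
    while read -r rel want; do
        if [ -n "$rel" ] && [ -e "$root/$rel" ]; then chmod "$want" "$root/$rel"; fi
    done <<EOF
$(expected_modes)
EOF
}

# build_sample_tree ROOT: constructed tree with deliberately wrong modes for a dry run.
build_sample_tree() {
    root=$1
    mkdir -p "$root/ssl" "$root/init.d"; chmod 755 "$root/ssl" "$root/init.d"  # want 711/700
    : > "$root/passwd"; chmod 644 "$root/passwd"                                # already correct
    : > "$root/amavisd.conf"; chmod 644 "$root/amavisd.conf"                    # want 640
    : > "$root/ssl/openssl.cnf"; chmod 600 "$root/ssl/openssl.cnf"              # want 644
}
```

Run `audit_modes /etc` first to see what would change on your own install, and only then `apply_modes /etc`; anything a package needs that is not in the list is simply left alone.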