On Mon, Jun 14, 1999 at 06:50:43PM +0200, Sami Dalouche wrote > I have just taken a look at the Debian security and found that Debian is > NOT secure !!! > A lot of files in /etc can be read by all users and they don't need it, so, > it's a security hole. > For exemple, these files : > > hosts.deny # The users shouldn't be able to see > hosts.allow # these files. If they have less informations about the system > suid.conf # it is better. A hacker is dangerous only if he has > # informations. W/o, he's nothing. > syslog.conf # In the same way, the file /etc/issue.net shouldn't > # contains the Unix type and even less the > # Distribution/version. For ex., > ftpusers # If a hacker knows that there is a security hole in login > wu-ftpd-academ/* # v. X.XX which is in Debian Potato, when he will log on, > wwwoffle/* # he'll see > adduser.conf # Debian GNU/Linux potato host.domain.org > anacrontab # and he will be able to break the system. > apache/* > apm/* > apt/* > checksecurity.conf > cron* > dhis/ > efax* > exim.conf > fstab > hosts.equiv > inetd.conf > ircd/ > isapnp* > lftp.conf > lilo.conf > mailname > limits > login.access > login.defs > makedev.cfg > mtab > modules > modutils/ > networks > news/ > pam* > rc* > samba* > vnc.conf > > Why do so many maintainers give too many rights ? All these files have > -rw-r--r--. > > If this is a Debian policy rule, you should change it. >
I understand that it is policy to have it set so. In at least some cases, setting them tighter may be counter-productive: for instance, making hosts.allow/hosts.deny 0600 means that services run by non-root users can't use TCP wrappers; slrn stores its default configuration in /etc/news; if mtab is 0600 normal users can't mount filesystems or use df; and so on. In practical terms, if a user can read /etc without logging in then your system is already compromised in some sense; if they are already logged in and you have software with known, exploitable bugs then there are lots of other ways for them to find them. If you want your system to be secure then it is your responsibility to examine these (and other) permissions to ensure that they match your own, local policy; as they are set by default, I don't think Debian is any less secure than any other UNIX with similar out-of-the-box functionality (quite the contrary). John P. -- [EMAIL PROTECTED] [EMAIL PROTECTED] "Oh - I - you know - my job is to fear everything." - Bill Gates in Denmark
