> > Files in /etc are designed to be readable to all processes, including
> > user processes. For example, /etc/resolv.conf for looking up hosts,
> > /etc/passwd for user details and so on. Anything which explicitly needs
> > to be hidden from normal users can have appropriate permissions set,
> > e.g. /etc/shadow is normally only readable by root.
>
> Below is default debian permission for selected files and catalogs:
>
> drwxr-xr-x 8 root root 4096 2007-02-05 01:46 apache2
> drwxr-sr-x 2 root bind 4096 2007-02-05 01:48 bind
> -rw-r--r-- 1 root root  677 2006-11-07 03:14 hosts.allow
> -rw-r--r-- 1 root root  901 2006-11-07 03:14 hosts.deny
> -rw-r--r-- 1 root root 1033 2007-02-05 01:48 passwd
> drwxr-xr-x 2 root root 4096 2006-11-07 02:38 ssh
> drwxr-xr-x 7 root root 4096 2006-11-07 03:14 network
>
> If change permission
>
> chmod o-rwx
>
> will system work correctly?

Apache2: Apache2 starts up as root, and then changes to the user and group
specified in the config files (default is www-data:www-data). So, if you
change the group owner of apache2 to www-data (and all the files therein),
and remove world access (chmod o-rwx), apache should still work. No
guarantees, though.

Bind: I believe the same holds true for bind, but it's been a long time
since I've used it (I use PowerDNS now).

Hosts.allow, hosts.deny: Not sure about those.

Passwd: This needs to be readable by everyone. Despite the name, there
isn't any actual password information in there (it's in /etc/shadow). But
any process that needs to look up user information will need access. Even
doing a simple "ls" command needs access.

Ssh: ssh runs as root, removing world access is probably fine.

Network: It's probably okay to remove world access.

Hope this helps!

--
Kevin
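
A way to check the points in the reply before running chmod o-rwx, as an added example that is not part of the original thread: the functions below work out which permission class (owner, group or other) a daemon user falls into and whether it keeps access once the "other" bits are gone. The rows fed to the loop are constructed from the listing in the question; the function names and the "bind" daemon user are assumptions.

```shell
#!/bin/sh
# Added example. The kernel applies exactly one permission class per access:
# owner if the uid matches, else group if any of the process's groups matches,
# else other. `chmod o-rwx` zeroes the last class only.

# access_class OWNER GROUP USER "USER_GROUPS" -> prints owner, group or other
access_class() {
    [ "$3" = "$1" ] && { echo owner; return; }
    for g in $4; do
        [ "$g" = "$2" ] && { echo group; return; }
    done
    echo other
}

# survives_o_rwx MODE OWNER GROUP USER "USER_GROUPS" NEED
# NEED: 4 = read a file, 5 = list and enter a directory.
# Returns 0 if USER still has NEED once the "other" bits are removed.
survives_o_rwx() {
    [ "$4" = root ] && return 0          # root bypasses mode bits (CAP_DAC_OVERRIDE)
    mode=000$1
    perm=${mode#"${mode%???}"}           # last three octal digits, drops setgid etc.
    case $(access_class "$2" "$3" "$4" "$5") in
        owner) bits=${perm%??} ;;
        group) bits=${perm#?}; bits=${bits%?} ;;
        other) bits=0 ;;                 # what is left after o-rwx
    esac
    [ $(( bits & $6 )) -eq "$6" ]
}

# check_path USER PATH: same test against a live file (GNU stat, as on Debian).
check_path() {
    need=4; [ -d "$2" ] && need=5
    set -- "$1" $(stat -c '%a %U %G' "$2")
    survives_o_rwx "$2" "$3" "$4" "$1" "$(id -Gn "$1")" "$need"
}

# Constructed rows: NAME MODE OWNER GROUP DAEMON_USER NEED (modes from the listing).
while read -r name mode owner group user need; do
    if survives_o_rwx "$mode" "$owner" "$group" "$user" "$user" "$need"
    then echo "$name as $user: still accessible"
    else echo "$name as $user: BREAKS after o-rwx"
    fi
done <<'EOF'
apache2 755 root root www-data 5
apache2 755 root www-data www-data 5
bind 2755 root bind bind 5
passwd 644 root root www-data 4
ssh 755 root root root 5
EOF
```

On a live system, `check_path www-data /etc/apache2` runs the same test against the real owner, group and mode.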