Hi, as one of security measures, I learned that it is a good idea to do chmod 550 /proc/sys and chmod 550 /proc/net. First question I have, is this true? It seems right, because ordinary users cannot view network or system information, which is not a bad thing. Second question is, I implemented the above, but after a reboot permissions were back to standard (I believe 555). How come? Thanks Max
Hi, On Thu, 3 Aug 2000 mgribov@kplab.com wrote:
as one of security measures, I learned that it is a good idea to do chmod 550 /proc/sys and chmod 550 /proc/net. First question I have, is this true? It seems right, because ordinary users cannot view network or system information, which is not a bad thing. Second question is, I implemented the above, but after a reboot permissions were back to standard (I believe 555). How come?
The /proc filesystem is not a normal directory on your hard disk, it is just "mapped" into the directory structure. It is a very dynamic structure - I am surprised you can even chmod something inside there :)

If you want to chmod this file every time you reboot, you should add the chmod command to the init script /sbin/init.d/boot.local. However, I am not sure about the benefit...

Bye, LenZ
--
Lenz Grimmer    SuSE GmbH
mailto:grimmer@suse.de    Schanzaeckerstr. 10
http://www.suse.de/~grimmer/    90443 Nuernberg, Germany
Poker Face: The face that launched a thousand chips.
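The boot.local approach from the reply above, as an added example that is not part of the original thread: it re-applies mode 550 to /proc/sys and /proc/net and then reads the mode back, so a chmod the kernel refuses or ignores is reported instead of silently assumed. The helper names `enforce_mode` and `harden_proc`, the `--apply` switch, the optional root argument and the use of GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# enforce_mode PATH MODE
# Returns 0 if PATH ends up with MODE, 1 if PATH is not a directory,
# 2 if chmod was refused or the mode did not stick.
enforce_mode() {
    path=$1
    want=$2
    [ -d "$path" ] || { echo "skip: $path is not a directory" >&2; return 1; }
    have=$(stat -c %a "$path") || return 2
    if [ "$have" != "$want" ]; then
        chmod "$want" "$path" 2>/dev/null || {
            echo "fail: chmod $want $path was refused" >&2
            return 2
        }
        # Read the mode back: procfs entries are generated by the kernel,
        # so a successful chmod is not proof that the mode changed.
        have=$(stat -c %a "$path")
    fi
    [ "$have" = "$want" ] || { echo "fail: $path is $have, wanted $want" >&2; return 2; }
    echo "ok: $path is $want"
}

# harden_proc [ROOT]
# Applies 550 to the two directories named in the thread. ROOT defaults to
# /proc; it is a parameter only so the logic can be tried on a scratch tree.
harden_proc() {
    root=${1:-/proc}
    rc=0
    for d in sys net; do
        enforce_mode "$root/$d" 550 || rc=1
    done
    return $rc
}

# From boot.local, run this script with --apply (as root).
if [ "${1:-}" = "--apply" ]; then
    harden_proc
fi
```

Because the modes live only in kernel memory, this has to run on every boot; a non-zero exit status means at least one directory does not have the intended mode.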
hmmm... so knowing this now, I am wondering, what part of linux would have to be re-written to alter /proc's structure permanently? Like my own permissions which will always be there, after reboot or otherwise. And I am not talking about putting a few lines into boot.local : )

----- Original Message -----
From: Lenz Grimmer <grimmer@suse.de>
To: <suse-security@suse.com>
Sent: Thursday, August 03, 2000 11:48 AM
Subject: Re: [suse-security] /proc permisions
There is a kernel patch for that and more http://www.openwall.com/linux/

--
Bogdan Zapca
System Administrator
SC EcoSoft SA
Internet Service Provider
1-7 Deva st, Cluj-Napoca, Romania
Tel: +40 64 199696
PGP: http://www.itotal.ro/lupe@admin2.ecosoft.ro.pgp
http://www.ecosoft.ro
Hi, On Thu, 3 Aug 2000 mgribov@kplab.com wrote:
so knowing this now, I am wondering, what part of linux would have to be re-written to alter /proc's structure permanently? Like my own permissions which will always be there, after reboot or otherwise. And I am not talking about putting a few lines into boot.local : )
Then you should have a closer look at /usr/src/linux/fs/proc/inode.c and recompile the kernel :)

Bye, LenZ
--
Lenz Grimmer    SuSE GmbH
mailto:grimmer@suse.de    Schanzaeckerstr. 10
http://www.suse.de/~grimmer/    90443 Nuernberg, Germany
Your sin, was it of omission, commission, or emission?
participants (3)
- Bogdan Zapca
- Lenz Grimmer
- mgribov@kplab.com