"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:

> On Mon, Jan 21, 2002 at 09:45:50PM +0000, Tim Haynes wrote:
>
>> > Is there any reason you can't just chmod 0600 /root/.my.cnf, in that
>> > case? Clearly there are individual files that you don't want
>> > world-readable, but that's true for normal users' home dirs as well.
>>
>> Why do you want folks to be able to *see* that you have a .my.conf in
>> there?
>
> What difference does it make? They know you have an /etc/shadow,
> /var/mail/$USER, ~/.bash_history, etc etc etc.

1 out of 3 ain't bad, apparently.

> Those don't need to be in read-protected directories. They can 'ls' them
> all they want, but it won't get them anywhere.

This is where the per-file permissions come in. See below.

>> Directory and file permissions work together; block r on the dir and the
>> users won't be able to _ls_ in it. Block permissions on the file as
>> well, and they won't be able to read it should they guess its existence.
>> All to the good, as far as I'm concerned!
>
> Multiple layers of security are one thing, but this doesn't get you
> anything. Compromise one layer and you've necessarily compromised the
> other.

What makes you think .my.conf is the *only* thing I'm going to want to keep in /root/? Permissions on the directory are not only a necessary part of protecting the contents, but a forward-looking prevention against the day you choose to store your "firewall.sh" in there for all to see as well. And your ipv6.sh. And...

~Tim
-- 
<http://spodzone.org.uk/>
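
The directory-versus-file permission distinction argued in this thread, as an added example that is not part of the original messages: a POSIX shell audit that classifies what users outside the owner and group can do with a directory, and which files in it they could actually read. The function names are hypothetical, and only the "other" mode bits are inspected (no ACLs).

```shell
#!/bin/sh
# Added example (constructed): audit a directory's "other" permission bits.

# has_bits PATH BITS: true when every bit in octal BITS is set on PATH.
has_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# dir_exposure DIR: what a user outside owner/group can do with DIR itself.
#   sealed     no r, no x: cannot list names or reach files
#   guessable  x only: cannot list, but can open a file whose name is known
#   listable   r only: can see names, cannot open or stat the files
#   open       r and x: can list names and reach every file
dir_exposure() {
    r=no; x=no
    has_bits "$1" 004 && r=yes
    has_bits "$1" 001 && x=yes
    case "$r$x" in
        nono)   echo sealed ;;
        noyes)  echo guessable ;;
        yesno)  echo listable ;;
        yesyes) echo open ;;
    esac
}

# readable_files DIR: names of regular files directly in DIR that others
# could read: the file has o+r AND the directory grants o+x (traversal).
# Prints nothing when the directory blocks traversal, whatever the file modes.
readable_files() {
    has_bits "$1" 001 || return 0
    for f in "$1"/* "$1"/.[!.]*; do
        [ -f "$f" ] && has_bits "$f" 004 && basename "$f"
    done | sort
}
```

With a mode 0600 `.my.cnf` next to a mode 0644 `firewall.sh`, the second file is reported as soon as the directory gains o+x, even when listing is still blocked.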