I'd like to cast a vote for more restrictive permissions as well

Access to files & directories should be as restrictive as possible out of the
box. If a user or 3rd party app needs more access to any given area I'll give it
as long as it doesn't break the security policy.

/root is one place regular users should never be allowed to look into
/var/log IMHO is another (but that is another flame war :)

I also like to change the default umask in the root & users profiles to 0027 or
0077 wherever I can.
Trimming out unwanted packages from the default minimal install is another
place I seem to spend some time :(

Jan.

On Saturday 08 Mar 2003 5:47 pm, Dale Amon wrote:
: On Sat, Mar 08, 2003 at 07:12:13PM +0200, Birzan George Cristian wrote:
: > I've talked with several other friends, and most of them (5 to 1),
: > agreed that /root/ shouldn't be 755, but something more restrictive.
:
: I'm in agreement as well. I use /root as a common
: communication area among admin staff. Admin staff
: have their own home directories but prefer to keep
: them private. /root is a good place to put things
: which are intended to be "public" to the admin
: group. sudo is fine for doing many things, but not
: everything.
:
: I use cfengine2 to force it at least to 750. I also
: use cfengine2 to enforce all sorts of harsher
: preferences so that I automatically override
: some of the weaker Debian settings within minutes
: of doing an apt-get or dselect upgrade.
:
: When you have multiple people, working over long
: periods of time (years), with varying stress
: conditions, there will at some point be mistakes
: made. That's why defense in depth is so important.
: The more layers of protection you can place the
: more likely a single mistake won't leave you
: wide open.
:
: --
: ------------------------------------------------------
: IN MY NAME: Dale Amon, CEO/MD
: No Mushroom clouds over Islandone Society
: London and New York. www.islandone.org
: ------------------------------------------------------

-- 
________________________________
Eagles may soar, but weasels don't get sucked into jet engines
________________________________
Jan Eringa
Unix Admin
________________________________
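
Added example, not part of the original thread: a shell sketch of the two measures discussed above, capping a directory such as /root at a ceiling mode like 750 without ever widening it, and showing what a umask of 0027 or 0077 yields for newly created files and directories. The function names are hypothetical and GNU coreutils `stat -c` (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, GNU stat (stat -c) assumed.

# excess_bits CURRENT CEILING
# Prints (octal) the permission bits CURRENT grants beyond CEILING.
excess_bits() {
    printf '%o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# restrict_mode PATH CEILING
# Converges PATH to "no more permissive than CEILING": bits outside the
# ceiling are removed, nothing is ever added, and an already stricter
# mode (e.g. 700 under a 750 ceiling) is left alone. Prints the final mode.
restrict_mode() {
    cur=$(stat -c '%a' "$1") || return 1
    if [ "$(excess_bits "$cur" "$2")" != 0 ]; then
        new=$(printf '%o' $(( 0$cur & 0$2 )))
        chmod "$new" "$1" || return 1
    fi
    stat -c '%a' "$1"
}

# modes_under_umask MASK
# Creates a file and a directory under MASK in a scratch directory and
# prints "<file mode> <dir mode>". Runs in a subshell so the caller's
# umask is untouched.
modes_under_umask() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    : > "$tmp/f"
    mkdir "$tmp/d"
    echo "$(stat -c '%a' "$tmp/f") $(stat -c '%a' "$tmp/d")"
    rm -rf "$tmp"
)

# Compare the common default 0022 with the two masks named in the message.
for m in 0022 0027 0077; do
    echo "umask $m -> new file/dir modes: $(modes_under_umask "$m")"
done
```

Run as root, `restrict_mode /root 750` is the one-shot equivalent of the 750 ceiling described above; it needs re-running after package upgrades, which is the job cfengine2 does in that setup.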