On Fri, 30 Aug 2002 07:38:45 -0400, Edward Guldemond wrote: >On Thu, Aug 29, 2002 at 02:51:14AM +0100, Nick Boyce wrote: >> >> I decided to start locking down permissions on "sensitive" files on a >> recently installed Woody box, and discovered that when I changed the >> permissions on "hosts.allow" (and "hosts.deny") to 640 then I could no >> longer Telnet into the box [...] > >Maybe this is a lame question in response, but why would users being able >to see hosts.allow and hosts.deny constitute a security hole?
It's a not a security _hole_ as such - the point is just that's it's a bad idea to give an attacker _any_ help whatsoever. We don't want them to be able to learn which other machines on the network are trusted in particular ways ... do we ? The Wily Hacker has to start with the research phase - general reconnaisance - and we want to obstruct them wherever possible. Cheers, Nick Boyce Bristol, UK -- Bombeck's Rule of Medicine: Never go to a doctor whose office plants have died.
