Secure File Permissions

Who Privacy

On shell accounts, it is possible to snoop around to see which users are logged in and what their home IPs are:

$ who
username1 ttyp0    Jan 25 03:17   (192.168.0.1)
username2  ttyp6    Jan 25 03:35   (10.0.0.1)

This is quite dangerous for user privacy, so we recommend disabling world read access:

$ doas chmod o-rwx /var/run/utmp /var/log/wtmp*
$ who
who: /var/run/utmp: Permission denied

Now users cannot see other users' IPs so easily. The downside is that commands like uptime also break:

$ uptime
uptime: /var/run/utmp: Permission denied

There is unfortunately no way to prevent users from viewing other processes. See the mailing list archives (marc.info and nabble.com).

Hiding logs

We want to hide our logs from prying eyes:

# chmod -R o-rwx /var/log/ /var/www/logs/
# chown -R _smtpd:_dovecot /etc/mail
# chmod -R o-rx /etc/mail

Hiding home folders

Make sure to check file permissions for folders in /home:

# chmod o-rx /home/botnow
# usermod -G znc botnow
# usermod -G znc _identd
# chown -R znc:znc /home/znc
# chmod -R o-rx /home/znc/home/znc/.znc

Hiding /var

Hide data related to botnow:

# chown -R botnow:daemon /var/www/botnow/ /var/www/htdocs/botnow/

Hiding /etc

# cd /etc
# chmod -R o-rx X11 acme acme-client.conf adduser.conf amd authpf doas.conf

SUID Binaries

Check for any unexpected SUID binaries with:

# find / -perm -4000
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown

WARNING: If you see any other binaries, then watch out! You may want to delete packages that created those files, or delete the files themselves. These files may be a serious security risk to your server.

WARNING: If you installed LaTeX, you will find this new setuid root program:

-rwsr-x---  1 root  _dbus  - 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper

To remove the setuid bit:

$ doas chmod 0750 /usr/local/libexec/dbus-daemon-launch-helper
$ ls -lh /usr/local/libexec/dbus-daemon-launch-helper
-rwxr-x---  1 root  _dbus  73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper

Checking Group Permissions

  1. Check /etc/group to make sure that no unauthorized user is a member of wheel. Otherwise, they could use su to get root powers.
  2. As soon as a team member leaves, remove them from wheel and doas.conf.

Check /etc/doas.conf to make sure only authorized users are added, and don't allow others to read doas.conf:

$ doas chmod o-r /etc/doas.conf

In /etc/ssh/sshd_config, turn off X11 forwarding.