From: Lowell Gilbert
To: APseudoUtopia
Cc: FreeBSD Questions
Subject: Re: Security Hardening: Removing Permissions; Suggestions
Date: Thu, 07 Jan 2010 16:22:05 -0500
Message-ID: <44fx6hhapu.fsf@be-well.ilk.org>
In-Reply-To: <27ade5281001071109m66eb5f83j6042ba5a19c3b443@mail.gmail.com>

APseudoUtopia writes:

> Hey list,
>
> I'm working on a shell script that basically removes the group and the
> other permissions from certain files to harden my system. Right now,
> the only files I'm doing this on is the GCC compiler collection. I'm
> asking for suggestions on other files that these permissions can be
> removed from in order to help further secure the system (a headless db
> and web server).
>
> $CHMOD o=,g= /usr/bin/cc
> $CHMOD o=,g= /usr/bin/cpp
> $CHMOD o=,g= /usr/bin/gcov
> $CHMOD o=,g= /usr/bin/ld
> $CHMOD o=,g= /usr/bin/gdb
> $CHMOD o=,g= /usr/bin/c++

This kind of approach hardly ever makes sense any more. Unless you've
got a really good reason, putting the daemons and untrusted users into
jails (not even necessarily the same jails) is almost certainly going
to give you all the advantages you could get out of blocking off
applications one at a time. The jails don't need compilers in the
first place.

Disabling the compiler is pretty much useless if the web server's users
are going to be allowed to copy their own files onto the machine anyway.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
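
An added example, not part of the original message or the poster's script: a small audit that reports, for a given root directory (the host's `/` or a jail's root), whether each toolchain binary listed in the quoted script is absent, restricted to its owner, or still open to group/other. The function names and output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the toolchain binaries named in the thread.
# The path list is the one from the quoted script; everything else
# (function names, output format) is hypothetical.
TOOLS="/usr/bin/cc /usr/bin/cpp /usr/bin/gcov /usr/bin/ld /usr/bin/gdb /usr/bin/c++"

# classify FILE -> prints one of: absent | restricted | open
#   absent     : nothing at that path (what a jail without compilers shows)
#   restricted : no group or other permission bits (result of chmod o=,g=)
#   open       : at least one group or other permission bit is set
classify() {
    [ -e "$1" ] || { echo absent; return; }
    # ls -ld prints the mode string first (e.g. -rwx------); -L follows
    # symlinks so a link is judged by its target. Columns 2-10 are the
    # nine permission characters.
    mode=$(ls -ldL "$1" | cut -c2-10)
    case "$mode" in
        ???------) echo restricted ;;
        *)         echo open ;;
    esac
}

# audit_root ROOT -> one "STATE PATH" line per tool under ROOT
audit_root() {
    root=${1%/}    # "/" becomes "", so the paths stay absolute
    for t in $TOOLS; do
        printf '%s %s\n' "$(classify "$root$t")" "$t"
    done
}

# count_state ROOT STATE -> number of tools under ROOT in that state
count_state() {
    audit_root "$1" | awk -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# Stand-alone use: audit the root given as the first argument (default /).
audit_root "${1:-/}"
```

Run against a jail's root directory, a result of all `absent` matches the reply's point that the jail has no compilers to restrict in the first place.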