Debian security /etc permissions

debianlinuxpermissions

I'm setting up a debian box with shared webhhosts.
These users don't have ssh permissions, just ftp.
The users are allowed to use PHP and I setup suphp for that so the php processes runs under their own user account, etc.

I'm a little bit worried about the security of the system files, especially the /etc folder. I notice that most files in this directory have permissions like:

    drwxr-xr-x  2 root root    4096 Mar  4 20:00 pam.d
    -rw-r--r--  1 root root    1358 Mar  5 00:48 passwd
    -rw-------  1 root root    1358 Mar  5 00:48 passwd-
    drwxr-xr-x  2 root root    4096 Feb 18 14:22 pear
    drwxr-xr-x  4 root root    4096 Apr 29  2010 perl
    drwxr-xr-x  6 root root    4096 Feb 18 14:22 php5
    drwxr-xr-x  2 root root    4096 Mar  4 17:42 phpmyadmin

Are the read-world permissions which debian standard gives the files in /etc really needed? What's the best mask I can give those files? Are there any files in /etc that should be world readable?

Best Answer

The default permissions are fine, and needed. If you e.g. didn't leave passwd world readable, a lot of user-related functionality would stop working. File such as /etc/shadow shouldn't be (and aren't) world readable.

Trust the OS to get this right, unless you know very well that the OS is wrong.

Related Solutions

CentOS – Resolving Write Permission Issues

The installation of Apache may appears to be running as root but in actuality it's running as the user apache. You can check this by looking in this file:

$ grep "^User" /etc/httpd/conf/httpd.conf
User apache

Your entire wordpress directory should likely be owned by this user if you're planning on managing the installation using wordpress through the web UI.

I usually create a separate directory for wordpress like this:

$ pwd
/var/www
$ ls -l | grep wordpress
drwxr-xr-x. 5 apache apache    4096 Apr 25 19:27 wordpress

Here's the contents of the wordpress directory just so you can see it:

-rw-r--r--. 1 apache apache      395 Jan  8  2012 index.php
-rw-r--r--. 1 apache apache  5009441 Jan 23 13:40 latest.tar.gz
-rw-r--r--. 1 apache apache    19929 May  6  2012 license.txt
-rw-r--r--. 1 apache apache     9177 Jan 25 11:25 readme.html
-rw-r--r--. 1 apache apache     4663 Nov 17  2012 wp-activate.php
drwxr-xr-x. 9 apache apache     4096 Dec 11  2012 wp-admin
-rw-r--r--. 1 apache apache      271 Jan  8  2012 wp-blog-header.php
-rw-r--r--. 1 apache apache     3522 Apr 10  2012 wp-comments-post.php
-rw-rw-rw-. 1 apache apache     3466 Jan 23 17:15 wp-config.php
-rw-r--r--. 1 apache apache     3177 Nov  1  2010 wp-config-sample.php
drwxr-xr-x. 7 apache apache     4096 Apr 24 20:15 wp-content
-rw-r--r--. 1 apache apache     2718 Sep 23  2012 wp-cron.php
drwxr-xr-x. 9 apache apache     4096 Dec 11  2012 wp-includes
-rw-r--r--. 1 apache apache     1997 Oct 23  2010 wp-links-opml.php
-rw-r--r--. 1 apache apache     2408 Oct 26  2012 wp-load.php
-rw-r--r--. 1 apache apache    29310 Nov 30  2012 wp-login.php
-rw-r--r--. 1 apache apache     7723 Sep 25  2012 wp-mail.php
-rw-r--r--. 1 apache apache     9899 Nov 22  2012 wp-settings.php
-rw-r--r--. 1 apache apache    18219 Sep 11  2012 wp-signup.php
-rw-r--r--. 1 apache apache     3700 Jan  8  2012 wp-trackback.php
-rw-r--r--. 1 apache apache     2719 Sep 11  2012 xmlrpc.php

I usually also manage any Apache configs related to wordpress in it's own wordpress.conf file under this directory,/etc/httpd/conf.d/`.

# wordpress.conf
Alias / "/var/www/wordpress/"
<Directory "/var/www/wordpress/">
Order Deny,Allow
Deny from all
#Allow from 127.0.0.1 192.168.1
Allow from all
AllowOverride all
</Directory>
#RewriteLog "/var/www/wordpress/rewrite.log"
#RewriteLogLevel 3

Best Answer

Related Solutions

CentOS – Resolving Write Permission Issues

Related Question