Secure File Permissions

Who Privacy

On shell accounts, it is possible to snoop around to see which users are logged in and what their home IPs are:

$ who
username1 ttyp0    Jan 25 03:17   (192.168.0.1)
username2  ttyp6    Jan 25 03:35   (10.0.0.1)

This is quite dangerous for user privacy, so we recommend disabling world read access:

$ doas chmod o-rwx /var/run/utmp /var/log/wtmp*
$ who
who: /var/run/utmp: Permission denied

Now users cannot see other users' IPs so easily. The downside is that commands like uptime also break:

$ uptime
uptime: /var/run/utmp: Permission denied

There is unfortunately no way to prevent users from viewing other processes. See the mailing list archives (marc.info and nabble.com).

Hiding logs

We want to hide our logs from prying eyes:

# chmod -R o-rwx /var/log/ /var/www/logs/
# chown -R root:_dovecot /etc/mail
# chmod -R o-rx /etc/mail

Hiding home folders

Make sure to check file permissions for folders in /home:

# chmod o-rx /home/botnow
# usermod -G znc botnow
# usermod -G znc _identd
# chown -R znc:znc /home/znc
# chmod -R o-rx /home/znc/home/znc/.znc

Hiding /var

Hide data related to botnow:

# chown -R botnow:daemon /var/www/botnow/ /var/www/htdocs/botnow/

Hiding /etc

# cd /etc
# chmod -R o-rx X11 acme acme-client.conf adduser.conf amd authpf doas.conf

SUID Binaries

Check for any unexpected SUID binaries with:

# find / -perm -4000
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown

WARNING: If you see any other binaries, then watch out! You may want to delete packages that created those files, or delete the files themselves. These files may be a serious security risk to your server.
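The comparison against the list above can be scripted so that only unexpected paths are printed. This is an added example, not part of the original page: the function names and the sample path /usr/local/bin/example-suid are made up for illustration, and the baseline assumes a system whose expected SUID set matches the list shown here.

```sh
#!/bin/sh
# Baseline: the SUID binaries listed on this page.
suid_baseline() {
    cat <<'EOF'
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
EOF
}

# Read paths on stdin, one per line; print only those not in the baseline.
# The baseline is passed through the environment and matched as whole lines.
unexpected_suid() {
    BASELINE="$(suid_baseline)" awk '
        BEGIN { n = split(ENVIRON["BASELINE"], b, "\n"); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        !($0 in ok)'
}

# Scan a directory tree (default /) and report SUID files outside the baseline.
scan_suid() {
    find "${1:-/}" -type f -perm -4000 2>/dev/null | unexpected_suid
}

# Constructed sample input (not real scan output): two baseline paths and one extra.
printf '%s\n' /usr/bin/doas /sbin/ping /usr/local/bin/example-suid | unexpected_suid
```

Run scan_suid as root so that find can descend into every directory; an empty result means nothing outside the baseline was found.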

Checking Group Permissions

Check /etc/group to make sure that no user is a member of wheel. This will prevent them from using su to become root even if they know the password.

Check /etc/doas.conf to make sure only authorized users are added, and don't allow others to read doas.conf:

$ doas chmod o-r /etc/doas.conf

In /etc/ssh/sshd_config, turn off X11 forwarding.