Secure File Permissions

Who Privacy

On shell accounts, it is possible to snoop around to see which users are logged in and what their home IPs are:

$ who
username1 ttyp0    Jan 25 03:17   (
username2  ttyp6    Jan 25 03:35   (

This is quite dangerous for user privacy, so we recommend disabling world read access

$ doas chmod o-rwx /var/run/utmp /var/log/wtmp*
$ who
who: /var/run/utmp: Permission denied

Now users cannot see other IPs so easily. The downside is that commands like uptime break also:

$ uptime
uptime: /var/run/utmp: Permission denied

There is unfortunately no way to prevent users from viewing other processes. See the mailing list archive. ( and

Hiding logs

We want to hide our logs from prying eyes:

# chmod -R o-rwx /var/log/ /var/www/logs/
# chown -R root:_dovecot /etc/mail
# chmod -R o-rx /etc/mail

Hiding home folders

Make sure to check file permissions for folders in /home:

# chmod o-rx /home/botnow
# usermod -G znc botnow
# usermod -G znc _identd
# chown -R znc:znc /home/znc
# chmod -R o-rx /home/znc/home/znc/.znc

Hiding /var

Hide data related to botnow:

# chown -R botnow:daemon /var/www/botnow/ /var/www/htdocs/botnow/

Hiding /etc

# cd /etc
# chmod -R o-rx X11 acme acme-client.conf adduser.conf amd authpf doas.conf

SUID Binaries

Check for any unexpected SUID binaries with:

# find / -perm -4000

WARNING: If you see any other binaries, then watch out! You may want to delete packages that created those files, or delete the files themselves. These files may be a serious security risk to your server.

Checking Group Permissions

  1. Check /etc/groups to make sure that no user is a member of wheel. This will prevent them from su to root even if they know the password.

Check /etc/doas.conf to make sure only authorized users are added, and don't allow others to read doas.conf:

$ doas chmod o-r /etc/doas.conf

In /etc/ssh/sshd_config, turn off X11 forwarding