Secure File Permissions
Who Privacy
On a multi-user shell host, any user can snoop around to see who is logged in and from which IP address:
$ who
username1 ttyp0 Jan 25 03:17 (192.168.0.1)
username2 ttyp6 Jan 25 03:35 (10.0.0.1)
This leaks every user's IP address to everyone on the system, so we recommend removing world read access from utmp (current logins) and wtmp (login history); the same applies to /var/log/lastlog, which finger(1) reads:
$ doas chmod o-rwx /var/run/utmp /var/log/wtmp*
$ who
who: /var/run/utmp: Permission denied
Now unprivileged users can no longer read other users' login IPs. The downside is that every program that reads utmp or wtmp, such as uptime, w, users and last, breaks for them as well:
$ uptime
uptime: /var/run/utmp: Permission denied
Note that these modes do not persist on their own: wtmp is rotated by newsyslog(8), which creates the new file with the mode given in /etc/newsyslog.conf, so lower the mode there as well, and re-check /var/run/utmp after a reboot.
There is unfortunately no way to prevent users from listing other users' processes with ps or top. See the mailing list archive (marc.info and nabble.com).
Hiding logs
We want to hide our logs, and the mail configuration, from prying eyes:
# chmod -R o-rwx /var/log/ /var/www/logs/
# chown -R _smtpd:_dovecot /etc/mail
# chmod -R o-rx /etc/mail
Two caveats. Giving _smtpd and _dovecot ownership of /etc/mail lets a compromised daemon rewrite its own configuration; the least-privilege form keeps root as the owner and grants read access through the group (smtpd(8) expects /etc/mail/secrets to be owned by root, group _smtpd, mode 640). Also, newsyslog(8) recreates rotated logs with the mode listed in /etc/newsyslog.conf, so lower it there too, or the next rotation undoes the chmod.
Hiding home folders
Make sure to check the permissions of every directory under /home. Here the botnow home is closed to others, botnow and _identd are made members of the znc group so they can reach the znc account's files through group permissions (verify the result with id(1)), and the ZNC configuration, which holds credentials, is made private:
# chmod o-rx /home/botnow
# usermod -G znc botnow
# usermod -G znc _identd
# chown -R znc:znc /home/znc
# chmod -R o-rx /home/znc/.znc
Hiding /var
Hide data related to botnow:
# chown -R botnow:daemon /var/www/botnow/ /var/www/htdocs/botnow/
chown(8) changes only the owner and group, not the mode, so by itself this hides nothing from other users. Before adding chmod o-rx here, check which user reads each tree: anything served or executed by httpd(8) and slowcgi(8), which run as www, has to stay readable to that user, so only the bot's private state should lose world access.
Hiding /etc
# cd /etc
# chmod -R o-rx X11 acme acme-client.conf adduser.conf amd authpf doas.conf
Limit this to files that are read only by root or by a setuid-root program such as doas(1) (doas.conf is safe to close). A program that runs without root, or drops it before opening its configuration, will fail to read the file afterwards, so test each affected service after the change.
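As an added example (mine, not the page's own tooling) covering the hiding steps from /var/log through /etc above, the following sh script walks the directories you closed and reports every entry whose mode still grants read, write or execute to others, so the chmod -R results can be verified and repeated later. The function names are mine; the paths in the usage comment are the page's examples.

```sh
#!/bin/sh
# Added example, not the page's own tooling: audit the directories that were
# hidden with chmod -R o-rwx / o-rx and report anything still reachable by
# "other". Function names are mine; the usage paths are the page's examples.

# Print "mode path" for every file or directory at or below $1 whose mode
# grants read (004), write (002) or execute/search (001) to others.
# Octal masks keep this portable between OpenBSD and GNU find.
# Paths containing whitespace are not handled (awk splits on spaces).
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec ls -ld {} + 2>/dev/null | awk '{ print $1, $NF }' | LC_ALL=C sort
}

# Check every directory given as an argument. Prints the leaks to stderr and
# returns 1 if any were found, 0 if all of them are private.
check_private() {
    status=0
    for dir in "$@"; do
        leaks=$(world_accessible "$dir")
        if [ -n "$leaks" ]; then
            printf 'still world-accessible under %s:\n%s\n' "$dir" "$leaks" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage (as root, after the chmod steps and again after package updates):
#   ./private-audit.sh /home/botnow /home/znc /var/log /etc/mail /etc/doas.conf
if [ "$#" -gt 0 ]; then
    check_private "$@"
fi
```

The audit reports the directory itself as well as its contents, which catches the common mistake of closing the files but leaving the parent searchable.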
SUID Binaries
Check for any unexpected setuid binaries with the command below (add -type f to skip directories and links, and -perm -2000 to list setgid files as well):
# find / -perm -4000
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
WARNING: If you see any other binaries, then watch out! Find out which package installed the file with pkg_info -E, then either remove that package or strip the setuid bit from the file. An unexpected setuid root binary is a serious security risk to your server.
WARNING: If you installed LaTeX, its dependencies bring in dbus, which installs a new setuid root program:
-rwsr-x--- 1 root _dbus - 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
To remove the setuid bit (the helper is only used for D-Bus service activation on the system bus; note that pkg_add -u reinstalls the file with its packaged mode, so repeat this after updating dbus):
$ doas chmod 0750 /usr/local/libexec/dbus-daemon-launch-helper
$ ls -lh /usr/local/libexec/dbus-daemon-launch-helper
-rwxr-x--- 1 root _dbus 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
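As an added example (mine, not the page's own tooling) of the setuid check above, the following sh script records the setuid and setgid files of a known-good system in a baseline and reports anything that appears later, such as the dbus helper after a LaTeX install. The function names, the save/check verbs and the /var/db/suid.baseline path are my choices.

```sh
#!/bin/sh
# Added example, not the page's own tooling: record the setuid/setgid files
# on a known-good system and report anything that shows up later, for
# instance after pkg_add. Function names, verbs and the baseline path are mine.

# Print every setuid or setgid regular file at or below $1 as
# "mode owner group path", sorted. -xdev stays on one filesystem, so run it
# once per filesystem if /usr or /usr/local are mounted separately.
# Paths containing whitespace are not handled (awk splits on spaces).
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | LC_ALL=C sort
}

# Print the entries present now under $1 that are missing from the baseline
# file $2 (written earlier by list_privileged). Because the line carries the
# mode and owner, a changed mode on a known file is reported as new too.
new_privileged() {
    list_privileged "$1" | LC_ALL=C comm -13 "$2" -
}

# Return 0 when nothing new exists, 1 (with the new entries on stderr)
# when a setuid/setgid file has appeared that is not in the baseline.
audit_against_baseline() {
    found=$(new_privileged "$1" "$2")
    if [ -n "$found" ]; then
        printf 'new setuid/setgid files under %s:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Usage: suid-audit.sh save / /var/db/suid.baseline    (once, while trusted)
#        suid-audit.sh check / /var/db/suid.baseline   (after every pkg_add)
case "${1:-}" in
save)  list_privileged "$2" > "$3" ;;
check) audit_against_baseline "$2" "$3" ;;
esac
```

Save the baseline right after installation and keep it somewhere unprivileged users cannot write; the check exits nonzero when something new appears, so it can be run from a root cron job that mails on failure.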
Checking Group Permissions
Check /etc/group to make sure that no unauthorized user is a member of wheel: only wheel members may use su(1) to become root, so a stray member is one root password away from root.
As soon as a team member leaves, remove them from wheel and from /etc/doas.conf.
Check /etc/doas.conf to make sure only authorized users are added, and don't allow others to read doas.conf:
$ doas chmod o-r /etc/doas.conf
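As an added example (mine, not from the page) of the membership checks above, the following sh functions parse an /etc/group-style file and a doas.conf-style file: one lists the members of a group, one reports members missing from an allowlist of expected admins, and one prints the identities granted by permit rules. The demo data is constructed; on the real host run the functions against /etc/group and /etc/doas.conf.

```sh
#!/bin/sh
# Added example, not the page's own tooling: find accounts in wheel (or any
# group) that are not on an allowlist, and list who doas.conf grants rights to.
# Function names and the demo data are mine.

# Print the members of group $2 found in the group file $1, one per line.
# Lines look like  name:password:gid:member1,member2
group_members() {
    awk -F: -v g="$2" '$1 == g && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "$1"
}

# Print members of group $2 (file $1) that are absent from the
# space-separated allowlist $3. Returns 1 if any were printed.
unexpected_members() {
    found=0
    for u in $(group_members "$1" "$2"); do
        case " $3 " in
        *" $u "*) ;;
        *) printf '%s\n' "$u"; found=1 ;;
        esac
    done
    return "$found"
}

# Print the identity (user or :group) of every permit rule in a doas.conf-style
# file $1, skipping the option keywords that may come before it.
doas_identities() {
    awk '$1 == "permit" {
        for (i = 2; i <= NF; i++) {
            if ($i == "nopass" || $i == "nolog" || $i == "persist" || $i == "keepenv") continue
            if ($i == "setenv") {   # skip "setenv { VAR=value ... }"
                while (i <= NF && substr($i, length($i)) != "}") i++
                continue
            }
            print $i
            break
        }
    }' "$1"
}

# Constructed demo files (not real system data): prints the wheel members
# missing from the allowlist and the identities in the sample doas.conf.
demo() {
    tmp=$(mktemp -d)
    printf 'wheel:*:0:root,alice,bob\ndaemon:*:1:daemon\nznc:*:1001:botnow,_identd\n' > "$tmp/group"
    printf 'permit persist :wheel\npermit nopass setenv { FOO=bar } alice as root\npermit nopass carol cmd /sbin/reboot\n' > "$tmp/doas.conf"
    echo 'in wheel but not on the allowlist "root alice":'
    unexpected_members "$tmp/group" wheel "root alice" || true
    echo 'identities granted by doas.conf:'
    doas_identities "$tmp/doas.conf"
    rm -rf "$tmp"
}

# Real use: unexpected_members /etc/group wheel "root alice"; doas_identities /etc/doas.conf
if [ "${1:-}" = demo ]; then demo; fi
```

Run the wheel check against the same allowlist you use for doas.conf, so an account removed from one but forgotten in the other shows up in one of the two listings.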
In /etc/ssh/sshd_config, turn off X11 forwarding (the X11Forwarding option).