
On 2017-06-28 10:05 AM, Lennart Sorensen wrote:
> On Tue, Jun 27, 2017 at 07:53:02PM -0400, Kevin Cozens via talk wrote:
>> You may also want to "chmod 711 /etc", FWIW.
>
> How well does that work out? So regular users (and services not running
> as root) can't resolve dns anymore (can't read nsswitch.conf or
> resolv.conf). That sounds inconvenient.

It works out well. I've been doing it for years.

It seems some people somehow misread or misunderstood the chmod. I meant "chmod" and definitely not "chmod -R" as I think some people chose to interpret it.

It will inconvenience someone needing to do something on the machine where they have to look at some file in /etc. They will typically have to su to root first or use sudo.

The main idea is that it limits some of the casual poking around on the machine that some non-root, non-staff users of the machine may want to do. It won't do much to slow down some system cracker who manages to illegally gain access to a system.

BTW, I liked that comment about temporarily changing perms on /tmp just to mess with the heads of some users. :)

--
Cheers!

Kevin.

http://www.ve3syb.ca/           |"Nerds make the shiny things that distract
Owner of Elecraft K2 #2172      | the mouth-breathers, and that's why we're
                                | powerful!"
#include <disclaimer/favourite> |             --Chris Hardwick
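
Added example, not part of the original message: a small audit that reads the "other" permission bits to show what a non-recursive "chmod 711" on a directory changes for users outside the owner and group. The scratch directory, file names and modes are constructed stand-ins for /etc, and ACLs and group membership are ignored.

```python
import os
import stat
import tempfile

def other_access(path):
    """What the 'other' class may do with path, judged from mode bits alone."""
    mode = os.stat(path).st_mode
    is_dir = stat.S_ISDIR(mode)
    return {
        "mode": oct(stat.S_IMODE(mode)),
        "list": is_dir and bool(mode & stat.S_IROTH),      # readdir() needs r
        "traverse": is_dir and bool(mode & stat.S_IXOTH),  # name lookup needs x
        "read": (not is_dir) and bool(mode & stat.S_IROTH),
    }

def audit(dirpath):
    """Report directory access plus which files stay readable by exact name."""
    d = other_access(dirpath)
    files = {}
    for name in sorted(os.listdir(dirpath)):
        f = other_access(os.path.join(dirpath, name))
        # Opening a file needs x on the directory and r on the file itself.
        files[name] = d["traverse"] and f["read"]
    return {"dir": d, "files": files}

def demo():
    """Compare mode 755 and mode 711 on a constructed stand-in for /etc."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        samples = (("resolv.conf", 0o644), ("nsswitch.conf", 0o644),
                   ("shadow", 0o640))  # constructed sample files and modes
        for name, mode in samples:
            path = os.path.join(etc, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(path, mode)
        os.chmod(etc, 0o755)
        before = audit(etc)
        os.chmod(etc, 0o711)  # non-recursive: file modes are untouched
        after = audit(etc)
        return before, after

if __name__ == "__main__":
    for label, report in zip(("755", "711"), demo()):
        print(label, report)
```

With mode 711 the directory can no longer be listed by other users, but a file whose own mode allows it can still be opened by its full path, which is the difference between "chmod" and "chmod -R" here.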