From nobody@FreeBSD.org  Thu Oct 24 06:16:31 2002
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 071C237B401
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 24 Oct 2002 06:16:31 -0700 (PDT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BCAE743E42
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 24 Oct 2002 06:16:30 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.6/8.12.6) with ESMTP id g9ODGU7R063348
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 24 Oct 2002 06:16:30 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.6/8.12.6/Submit) id g9ODGUex063347;
	Thu, 24 Oct 2002 06:16:30 -0700 (PDT)
Message-Id: <200210241316.g9ODGUex063347@www.freebsd.org>
Date: Thu, 24 Oct 2002 06:16:30 -0700 (PDT)
From: Annihilator <annihilator_sc@hotmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Default permissions of some files under /etc
X-Send-Pr-Version: www-1.0

>Number:         44433
>Category:       conf
>Synopsis:       Default permissions of some files under /etc
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 24 06:20:01 PDT 2002
>Closed-Date:    Thu Oct 24 06:46:08 PDT 2002
>Last-Modified:  Thu Oct 24 11:30:05 PDT 2002
>Originator:     Annihilator
>Release:        
>Organization:
SawMan's Consortium
>Environment:
FreeBSD router.pilar 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Sat Oct 12 01:02:55 CEST 2002     root@sarah.pilar:/usr/src/sys/compile/ROUTER  i386
>Description:
Default permissions on certain system configuration files in the /etc hierarchy are, in my opinion, too weak. Users have no need to access these files which, after all, contain configuration information that may be used against the system. The files are:
ssh/sshd_config
crontab
exports
ftpusers
ipf.rules
ipnat.rules
ipsec.conf (not 100% sure about this one)
newsyslog.conf
nsmb.conf
periodic.conf
syslog.conf
>How-To-Repeat:

>Fix:
'chmod 600' the said files.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: fanf 
State-Changed-When: Thu Oct 24 06:42:34 PDT 2002 
State-Changed-Why:  
Security through obscurity is no security at all. If your legitimate 
users cause trouble the correct fix is non-technical. If an external 
attacker gets a shell on the machine you are already doomed. The 
contents of these files can be worked out by observing the behaviour 
of the system. Users need to be able to see the contents in order 
to debug problems without bothering the sysadmin, and the sysadmin 
should not have to be root to be reminded of the contents of the files. 

This is not a bug. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=44433 

From: "Annihilator" <annihilator_sc@hotmail.com>
To: <freebsd-gnats-submit@FreeBSD.org>
Cc:  
Subject: Re: conf/44433: Default permissions of some files under /etc
Date: Thu, 24 Oct 2002 20:27:12 +0200

> The contents of these files can be worked out by observing the behaviour
> of the system.

I disagree. I mentioned those files in particular because there IS NO way
that the user can deduce all their content, short of monitoring the system
24-7 (and even then only for certain files).

> Users need to be able to see the contents in order
> to debug problems without bothering the sysadmin

Not those files. There's absolutely nothing in there for local users to see,
or debug.

> and the sysadmin should not have to be root to be reminded of the contents
> of the files.

The sysadmin is most likely in the wheel group, therefore setting the mode to
660 where appropriate would yield the needed result.

Annihilator
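An added example (not part of the PR or of FreeBSD's own scripts): a POSIX sh audit of the files the PR lists that reports which ones are readable by "other", and a helper that applies the 600 mode proposed in the Fix or the 660-with-wheel variant from the follow-up. It assumes find(1), chmod(1), chown(1) and mktemp(1), and the demo builds a constructed throwaway tree instead of touching the real /etc.

```shell
#!/bin/sh
# Permission audit for the /etc files named in PR conf/44433.
# Added example; assumes POSIX sh, find(1), chmod(1), chown(1), mktemp(1).

# Files the PR lists, relative to an /etc-like root passed as $1.
PR44433_FILES="ssh/sshd_config crontab exports ftpusers ipf.rules ipnat.rules \
ipsec.conf newsyslog.conf nsmb.conf periodic.conf syslog.conf"

# Print every existing listed file whose "other" read bit (0004) is set.
# Exit status 0 = nothing world-readable, 1 = at least one file reported.
audit_world_readable() {
    root=${1:-/etc}; bad=0
    for rel in $PR44433_FILES; do
        f="$root/$rel"
        [ -f "$f" ] || continue      # the PR itself is unsure ipsec.conf exists
        if [ -n "$(find "$f" -prune -perm -004 -print)" ]; then
            echo "world-readable: $f"; bad=1
        fi
    done
    return $bad
}

# Apply the PR's proposal: mode 600 (original Fix), or root:wheel 660 when
# $2 is "wheel" (the follow-up's suggestion). The wheel variant needs root.
tighten_perms() {
    root=${1:-/etc}; group=$2
    for rel in $PR44433_FILES; do
        f="$root/$rel"
        [ -f "$f" ] || continue
        if [ "$group" = wheel ]; then
            chown root:wheel "$f" && chmod 660 "$f"
        else
            chmod 600 "$f"
        fi
    done
}

# Constructed demo tree (not the real /etc): two files deliberately 644,
# sshd_config already 600, the rest left at the umask default.
make_demo_etc() {
    d=$(mktemp -d) && mkdir -p "$d/ssh" || return 1
    for rel in $PR44433_FILES; do : > "$d/$rel"; done
    chmod 644 "$d/syslog.conf" "$d/crontab"
    chmod 600 "$d/ssh/sshd_config"
    echo "$d"
}
```

Run `audit_world_readable /etc` as an unprivileged user to see which of the listed files that user can read on a given box; `tighten_perms /etc` is the 600 change the Fix section describes and should only be run after weighing the objections raised in the audit trail.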
>Unformatted:
