From: "Ed Greshko" <Ed.Greshko@xxxxxxxxxxx>
Sent: Tuesday, 2008, December 23 16:30
jdow wrote:
Directory /etc/ssh - should be drwxr-xr-x. The world must have the
rights to read and enter the directory but not write to it.
Most of the files should be -rw-------. Only root can read or write
them. None should have x permission. And ssh_config and the .pub
files should be -rw-r--r--.
Nobody but root should be able to write to that directory under any
circumstance or your system is open to exploitation.
Each user ~/.ssh directory should be drwxr-xr-x. Each file should be
-rw-r--r--. (This is probably wrong. The directory probably should be
drwx------ and the files should be -rw-------. But under RedHat and
Fedora home directories are drwx------, so people who do not belong
can't get to the directory in the first place.)
Yes, your second statement is "more" correct. The ~/.ssh directory
should be drwx------.
While, as you point out, it won't make a difference in cases where one
doesn't alter the defaults of user creation. In cases where you assign
groups or add users to various groups it could become a factor. So as
not to tax one's memory I feel it is good practice to advise drwx------.
<<jdow
The main takeaway should be that while complacency often works, rigor
is better. After installing the rigor one can turn off the SELinux "stuff"
if that is needed and still be relatively stage.
{^_-}
--
fedora-list mailing list
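
The modes discussed in this thread can be checked mechanically. The script below is an added example, not part of the original messages: it assumes GNU stat (as on Fedora), and the function names expected_mode, audit_ssh and make_sample are hypothetical. It treats every file in /etc/ssh other than ssh_config and *.pub as 600, and applies the stricter 700/600 advice to ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the thread): audit SSH directory permissions against
# the modes recommended above. Assumes GNU stat (-c), as on Fedora.
# Simplification: in /etc/ssh every file other than ssh_config and *.pub is
# expected to be 600; in ~/.ssh the stricter 700/600 advice is used.

# expected_mode PATH KIND: print the recommended octal mode.
# KIND is "system" (/etc/ssh) or "user" (~/.ssh).
expected_mode() {
    if [ -d "$1" ]; then
        if [ "$2" = system ]; then echo 755; else echo 700; fi
    elif [ "$2" = system ]; then
        case "${1##*/}" in
            ssh_config|*.pub) echo 644 ;;
            *) echo 600 ;;
        esac
    else
        echo 600
    fi
}

# audit_ssh DIR KIND: print one line per deviation; return 1 if any were found.
audit_ssh() {
    bad=0
    for p in "$1" "$1"/*; do
        [ -e "$p" ] || continue
        want=$(expected_mode "$p" "$2")
        have=$(stat -c '%a' "$p")
        if [ "$have" != "$want" ]; then
            echo "$p: mode $have, expected $want"
            bad=1
        fi
    done
    return "$bad"
}

# make_sample: build a constructed ~/.ssh-like tree with one loose file.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
    : > "$d/.ssh/id_rsa"; chmod 644 "$d/.ssh/id_rsa"          # too open
    : > "$d/.ssh/authorized_keys"; chmod 600 "$d/.ssh/authorized_keys"
    echo "$d/.ssh"
}

# Usage: sh audit.sh /etc/ssh system   or   sh audit.sh ~/.ssh user
if [ $# -ge 2 ]; then audit_ssh "$1" "$2"; fi
```

The exit status is non-zero when any path deviates, so the script can be run from cron or a configuration-management check.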