Secure File Permissions

Who Privacy

On shell accounts, it is possible to snoop around to see which users are logged in and what their home IPs are:

$ who
username1 ttyp0    Jan 25 03:17   (
username2  ttyp6    Jan 25 03:35   (

This is quite dangerous for user privacy, so we recommend removing world read access from the login records:

# chmod o-rwx /var/run/utmp /var/log/wtmp*
$ who
who: /var/run/utmp: Permission denied

Now users cannot see other users' IPs so easily. The downside is that commands like uptime, which read the same files, also break:

$ uptime
uptime: /var/run/utmp: Permission denied

There is unfortunately no way to prevent users from viewing other processes. See the mailing list archive. ( and

Hiding logs

We want to hide our logs from prying eyes:

# chmod -R o-rwx /var/log/ /var/www/logs/
# chown -R _smtpd:_dovecot /etc/mail
# chmod -R o-rx /etc/mail

Hiding home folders

Make sure to check file permissions for folders in /home:

# chmod o-rx /home/botnow
# usermod -G znc botnow
# usermod -G znc _identd
# chown -R znc:znc /home/znc
# chmod -R o-rx /home/znc/home/znc/.znc

Hiding /var

Hide data related to botnow:

# chown -R botnow:daemon /var/www/botnow/ /var/www/htdocs/botnow/

Hiding /etc

# cd /etc
# chmod -R o-rx X11 acme acme-client.conf adduser.conf amd authpf doas.conf

SUID Binaries

Check for any unexpected SUID binaries with:

# find / -perm -4000

WARNING: If you see any other binaries, then watch out! You may want to delete packages that created those files, or delete the files themselves. These files may be a serious security risk to your server.
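As an added example (not from the original page), the following shell functions turn the one-off find check into a repeatable audit: record the setuid/setgid files once right after install as a baseline, then report anything new after each package install or upgrade, and list paths that still grant any permission to "other". Function names and the baseline file path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a tree for setuid/setgid
# files and compare them to a baseline, and list world-accessible paths.
# Assumed workflow: build the baseline once right after install with
#   list_setuid / > /etc/setuid.baseline
# then run unexpected_setuid / /etc/setuid.baseline after each pkg_add.

# list_setuid DIR: print sorted paths of regular files with the setuid or
# setgid bit set under DIR (the page's find / -perm -4000 check, extended to
# setgid and restricted to regular files).
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_setuid DIR BASELINE: print one "UNEXPECTED: path" line for every
# setuid/setgid file under DIR that is not listed (one path per line) in the
# BASELINE file. Prints nothing when the tree matches the baseline.
unexpected_setuid() {
    list_setuid "$1" | while IFS= read -r path; do
        grep -qxF -- "$path" "$2" || printf 'UNEXPECTED: %s\n' "$path"
    done
}

# world_accessible DIR: print sorted paths under DIR that grant any read,
# write or execute permission to "other" (the bits chmod o-rwx strips).
world_accessible() {
    find "$1" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) 2>/dev/null | sort
}
```

Run world_accessible against /home, /var/log or /etc after applying the chmod commands on this page to confirm nothing was missed.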

WARNING: If you installed LaTeX, a new setuid root program appears:

-rwsr-x---  1 root  _dbus  - 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper

To remove the setuid bit from it:

# chmod 0750 /usr/local/libexec/dbus-daemon-launch-helper
$ ls -lh /usr/local/libexec/dbus-daemon-launch-helper
-rwxr-x---  1 root  _dbus  73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper

Checking Group Permissions

  1. Check /etc/group to make sure that no unauthorized user is a member of wheel. Otherwise, they could use su to get root powers.
  2. As soon as a team member leaves, remove them from wheel and from doas.conf.

Check /etc/doas.conf to make sure only authorized users are added, and don't allow others to read doas.conf:

# chmod o-r /etc/doas.conf

In /etc/ssh/sshd_config, turn off X11 forwarding