Secure File Permissions
WARNING: Many of these changes break OpenBSD software in unpredictable ways. You may want to avoid applying any of these settings until we have further time to review these changes.
Who Privacy
On shell accounts, it is possible to snoop around to see which users are logged in and what their home IPs are:
$ who
username1 ttyp0 Jan 25 03:17 (192.168.0.1)
username2 ttyp6 Jan 25 03:35 (10.0.0.1)
This is bad for user privacy. However, there is no decent fix for it.
One suggested method is to disable world read access of /var/run/utmp and /var/log/wtmp*. However, this has serious consequences which will break other software in unpredictable ways:
WARNING: This breaks other software in unpredictable ways.
# chmod o-rwx /var/run/utmp /var/log/wtmp*
$ who
who: /var/run/utmp: Permission denied
Now users cannot see other IPs so easily. The downside is that commands like uptime break as well:
$ uptime
uptime: /var/run/utmp: Permission denied
There is unfortunately no way to prevent users from viewing other users' processes. See the mailing list archive (marc.info and nabble.com).
Hiding logs
We want to hide our logs from prying eyes:
# chmod -R o-rwx /var/log/ /var/www/logs/
# chown -R _smtpd:_dovecot /etc/mail
# find /etc/mail ! -path /etc/mail -exec chmod o-rwx '{}' +
Hiding home folders
Make sure to check file permissions for folders in /home:
# chmod o-rx /home/botnow
# usermod -G znc botnow
# usermod -G znc _identd
# chown -R znc:znc /home/znc
# chmod -R o-rx /home/znc /home/znc/.znc
Hiding /var
Hide data related to botnow:
# chown -R botnow:daemon /var/www/botnow/ /var/www/htdocs/botnow/
Hiding /etc
# cd /etc
# chmod -R o-rx X11 acme acme-client.conf adduser.conf amd authpf doas.conf
SUID Binaries
Check for any unexpected SUID binaries with:
# find / -perm -4000
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
WARNING: If you see any other binaries, watch out! You may want to delete the packages that created those files, or delete the files themselves. These files may be a serious security risk to your server.
WARNING: If you installed LaTeX, this new setuid root program appears:
-rwsr-x--- 1 root _dbus - 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
To prevent this:
# chmod 0750 /usr/local/libexec/dbus-daemon-launch-helper
$ ls -lh /usr/local/libexec/dbus-daemon-launch-helper
-rwxr-x--- 1 root _dbus 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
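A check built from the listing above, as an added example that is not part of the original page: it compares the setuid files found on a host against the stock OpenBSD list and prints any extras, so the dbus helper from the LaTeX case shows up. The baseline paths are the ones listed above; the sample find output is constructed, and on a real host you would pipe the live find output into the function instead.

```shell
# Added example, not from the original page: diff the setuid files found on a
# system against the stock OpenBSD list shown above and print any extras.
# The baseline is the page's find(1) output; SAMPLE_FOUND is constructed.
export LC_ALL=C

# Setuid-root files expected on a base OpenBSD install (list from the page).
SUID_BASELINE='/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown'

# Read one path per line on stdin and print those absent from the baseline.
# Live use:  find / -perm -4000 -type f 2>/dev/null | unexpected_suid
unexpected_suid() {
    _base=$(mktemp) || return 1
    printf '%s\n' "$SUID_BASELINE" | sort -u > "$_base"
    sort -u | comm -13 "$_base" -     # lines only in the second (found) list
    rm -f "$_base"
}

# Constructed sample of find output on a host where LaTeX pulled in dbus.
SAMPLE_FOUND='/usr/bin/chfn
/usr/bin/doas
/usr/bin/su
/usr/local/libexec/dbus-daemon-launch-helper
/sbin/ping'

# Run the check over the constructed sample; prints only the dbus helper.
audit_sample() {
    printf '%s\n' "$SAMPLE_FOUND" | unexpected_suid
}
```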
Checking Group Permissions
- Check /etc/group to make sure that no unauthorized user is a member of wheel. Otherwise, they could use su to get root powers.
- As soon as a team member leaves, remove them from wheel and doas.conf.
Check /etc/doas.conf to make sure only authorized users are added, and don't allow others to read doas.conf:
# chmod o-r /etc/doas.conf
In /etc/ssh/sshd_config, turn off X11 forwarding