We currently have an auditor in. On reviewing permissions of our RC
scripts, he mentioned that it would be preferable to set the script
permissions to 550, instead of 555. What potential issues are there
with changing the permissions of my RC scripts? Would this be a valid
security measure, or would the system choke on startup?

On 9 Jul 2003, Keith Kris wrote:

> We currently have an auditor in. On reviewing permissions of our RC
> scripts, he mentioned that it would be preferable to set the script
> permissions to 550, instead of 555. What potential issues are there
> with changing the permissions of my RC scripts? Would this be a valid
> security measure, or would the system choke on startup?

It will probably be OK, but I'd be tempted to ask the auditor
to defend their position. I.e., what "bad" things will happen
if a normal (i.e., not root) user runs an rc script?

Personally, unless there's good reasons for doing so, I'd leave
the permissions of Sun supplied files as they are shipped.

--
Rich Teer, SCNA, SCSA

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-online.net

Keith Kris wrote:

> We currently have an auditor in. On reviewing permissions of our RC
> scripts, he mentioned that it would be preferable to set the script
> permissions to 550, instead of 555. What potential issues are there
> with changing the permissions of my RC scripts? Would this be a valid
> security measure, or would the system choke on startup?

As far as I can tell, the default for RC scripts is 744, which doesn't
open any security holes in my opinion.
Why not let your users read what these scripts do (except you're
paranoid ?

On the other hand, if you're concerned with security, ask your auditor
why he wants to let the whole group execute the scripts, and not let the
owner change it (with 550)?

Set them to 700, to fully satisfy security and usability needs.

Of course you know that I'm talking of the scripts in /etc/init.d, not
the symlinks in /etc/rc[0123456].d, which are always 'lrwxrwxrwx'.

Martin

We didn't pay for the audit, we're a government shop so uncle sam
requires it by law.

Brian Scanlan <singer@redbrick.dcu.ie> wrote in message news:<slrnbgohsh.h9.singer@Prodigy.redbrick.dcu.ie >...
> On Wed, 9 Jul 2003 Keith Kris <dejanews@keithkris.com> wrote:
> > We currently have an auditor in. On reviewing permissions of our RC
> > scripts, he mentioned that it would be preferable to set the script
> > permissions to 550, instead of 555. What potential issues are there
> > with changing the permissions of my RC scripts? Would this be a valid
> > security measure, or would the system choke on startup?
>
> I would expect no problems on startup with that permission change. It's
> valid enough, a rogue user could spot a problem with a user-modified
> startup script and gain unauthorised privledges. Probably not enough of
> a problem to justify the cost of an auditor if that's all they found
> though

On Wed, 9 Jul 2003 Martin Schoen <noreply@vamosphoto.de> wrote:
> Why not let your users read what these scripts do (except you're
> paranoid ?

Because a poorly written startup script could be vulnerable to a tmpfile
or similar vulnerability, allowing a non-privledged user to gain further
access to the system? Sure, I've never chmodded an init script 550, but
I can see how it potentially wards off some security holes.

--
"If you do boring, stupid monotonous work, chances are you'll end up boring,
stupid and monotonous."