Subject: Re: [gentoo-user] Why are these files restricted?
To: gentoo-user@lists.gentoo.org
From: Michael Orlitzky
Date: Wed, 13 Dec 2017 20:10:46 -0500

On 12/10/2017 08:10 PM, Ian Zimmerman wrote:
> $ for f in /etc/at/at.deny /etc/cron.hourly/0anacron
> /etc/default/useradd ; do
> ls -l $f ; qfile $f ;
> done
> -rw-r----- 1 root at 166 Dec 10 16:57 /etc/at/at.deny
> sys-process/at (/etc/at/at.deny)
> -rwxr-x--- 1 root root 392 Nov 4 21:04 /etc/cron.hourly/0anacron
> sys-process/cronie (/etc/cron.hourly/0anacron)
> -rw------- 1 root root 96 Aug 14 10:57 /etc/default/useradd
> sys-apps/shadow (/etc/default/useradd)
>
> None of these seem sensitive to me, and restricting them like this looks
> like a case of SBO.

I realized that you meant "security by obscurity" after a while, but the
first Google result is "small bowel obstruction" =P

It's probably just the principle of least privilege in play. If no one
other than root needs to read those files, then no one other than root
should be able to read those files. The at.deny and default/useradd
files might be overkill, but I would still rather be safe than sorry.

But for anacron: people are stupid enough to put passwords in there.