[tex-live] updmap and /
Heiko Oberdiek
oberdiek at uni-freiburg.de
Mon Mar 2 01:03:50 CET 2009
On Mon, Mar 02, 2009 at 12:47:39AM +0100, Reinhard Kotucha wrote:
> On 1 March 2009 Heiko Oberdiek wrote:
>
> > On Sun, Mar 01, 2009 at 06:21:35PM +0100, Lars Madsen wrote:
> >
> > > I'm trying to figure out why our system is set like this, not
> > > sure if it is our own installation script or if it is redhat.
> >
> > Perhaps a "security feature",
>
> Please note the quotes. :)
>
> > it makes life for unauthorized access a little harder.
>
> Maybe a little bit. Only very few files have to be kept secret on a
> typical UNIX system.
There are many files, private files, for example.
> It doesn't make sense to be too paranoid.
>
> Some time ago I did this (as root):
>
> chmod 700 /home/*
>
> Looks reasonable at a first glance, right? But it didn't work.
>
> One of the reasons the most critical programs (Postfix, Apache,...)
> are so secure is that these programs do most of their work as
> unprivileged users rather than with root permissions.
>
> So, what's wrong with "chmod 700 /home/*"?
Nothing. ;-)
> If the /home/* directories are not executable by everyone, then Apache
> is not able to access the /home/*/public_html files.
Not everyone has something inside public_html.
However, the others have to enable execute permission, e.g.
chmod 711 /home/user_with_public_html_files
But making it readable for others means that they can easily look
into the directory and perhaps can even read files that are meant
to be private.
> It doesn't make sense to be too restrictive. And paranoia is a
> medical condition rather than an instrument to achieve security.
But you need paranoia for security; thus the art is finding
the right balance depending on the circumstances.
Yours sincerely
Heiko <oberdiek at uni-freiburg.de>
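The permission trade-off discussed in this message (700 locks the web server out of public_html, 711 lets it traverse without letting others list the directory, but files with known names stay readable) can be checked mechanically. The following audit script is an added example and is not part of the thread or of TeX Live; it builds a throw-away /home look-alike under a temp directory with four constructed users (alice, bob, carol, dave) and reports, per home directory, what "others" can do. Like the discussion above it only looks at the 'other' permission bits; group membership and POSIX ACLs are out of scope.

```python
import os
import stat
import tempfile

# Added example (not from the thread): audit each directory under a /home-like
# root and report what "others" (the web server's unprivileged user among them)
# can do with it. Only the 'other' bits are inspected, as in the discussion;
# group ownership and ACLs are deliberately ignored.


def classify_home_dir(path):
    """Describe what 'others' can do with one home directory."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    others_read = bool(mode & stat.S_IROTH)   # o+r: anyone can list the directory
    others_exec = bool(mode & stat.S_IXOTH)   # o+x: anyone can traverse into it
    has_public_html = os.path.isdir(os.path.join(path, "public_html"))

    # Regular files directly in the home dir that others can read if they know
    # (or guess) the name. With 711 the listing is hidden, the file is not.
    exposed_files = []
    if others_exec:
        for name in sorted(os.listdir(path)):
            st = os.lstat(os.path.join(path, name))
            if stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) & stat.S_IROTH:
                exposed_files.append(name)

    if has_public_html and not others_exec:
        finding = "public_html unreachable: web server cannot traverse (suggest 711)"
    elif has_public_html and others_read:
        finding = "world-listable home with public_html (suggest 711: traverse, no listing)"
    elif not has_public_html and (others_read or others_exec):
        finding = "no public_html but open to others (suggest 700)"
    else:
        finding = "ok"

    return {
        "mode": oct(mode),
        "others_read": others_read,
        "others_exec": others_exec,
        "has_public_html": has_public_html,
        "exposed_files": exposed_files,
        "finding": finding,
    }


def audit_homes(home_root):
    """Run classify_home_dir over every subdirectory of home_root."""
    return {
        name: classify_home_dir(os.path.join(home_root, name))
        for name in sorted(os.listdir(home_root))
        if os.path.isdir(os.path.join(home_root, name))
    }


def build_demo_tree():
    """Construct a temporary /home look-alike covering the cases from the thread."""
    root = tempfile.mkdtemp(prefix="home_audit_")
    cases = {
        "alice": (0o755, True),    # typical default mode, serves web pages
        "bob":   (0o711, True),    # what the thread suggests for web users
        "carol": (0o700, False),   # private user, nothing to serve
        "dave":  (0o700, True),    # "chmod 700 /home/*" broke his public_html
    }
    for user, (mode, serves_web) in cases.items():
        home = os.path.join(root, user)
        os.mkdir(home)
        if serves_web:
            os.mkdir(os.path.join(home, "public_html"))
        notes = os.path.join(home, "notes.txt")   # constructed private-looking file
        with open(notes, "w") as f:
            f.write("constructed sample content\n")
        os.chmod(notes, 0o644)                     # world-readable, as files often are
        os.chmod(home, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for user, info in audit_homes(root).items():
        print(f"{user:6} {info['mode']}  {info['finding']}")
        if info["exposed_files"]:
            print(f"       readable by others if the name is known: "
                  f"{', '.join(info['exposed_files'])}")
```

Pointing `audit_homes` at the real /home (it needs no root for directories you can stat) gives the same report for a live system; the "exposed_files" list is the concrete form of the point made above that 711 hides the listing but not the files behind it.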