Got a quick question for folks regarding whether a directory should be considered a 'file' when it comes down to setting permissions. I'd asked this question in an email to the FSO and hadn't heard anything. A good poster child for this is GEN001800 ["All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive"]. If KDE is installed on this system then /etc/skel will hold a directory '.kde'. If permissions on this directory are set to 0644 or less, and a new user is created, they will not be able to log in graphically using KDE. The routine that created the user's directory from the /etc/skel files copied the permissions exactly, just changed file ownership. So the user is prevented from accessing their own $HOME/.kde directory.
Another example would be GEN001280 ["Manual page files must have mode 0644 or less permissive"]. The U_Redhat_5-V1R1_STIG_Manual-xccdf.xml file (August 2012) references this, but I don't see it in the benchmark file.
For GEN001800 the permissions for subdirectories need to be at least 0744, and for GEN001280 subdirectories need 0755.
If I'm being overly picky that is OK, I just would like to know how others are interpreting these line items.
Thanks...
-Rob
On Wednesday, November 28, 2012 08:29:49 PM Robert Sanders wrote:
> Got a quick question for folks regarding whether a directory should be considered a 'file' when it comes down to setting permissions. I'd asked this question in an email to the FSO and hadn't heard anything. A good poster child for this is GEN001800 ["All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive"]. If KDE is installed on this system then /etc/skel will hold a directory '.kde'. If permissions on this directory are set to 0644 or less, and a new user is created, they will not be able to log in graphically using KDE. The routine that created the user's directory from the /etc/skel files copied the permissions exactly, just changed file ownership. So the user is prevented from accessing their own $HOME/.kde directory.
> Another example would be GEN001280 ["Manual page files must have mode 0644 or less permissive"]. The U_Redhat_5-V1R1_STIG_Manual-xccdf.xml file (August 2012) references this, but I don't see it in the benchmark file.
> For GEN001800 the permissions for subdirectories need to be at least 0744, and for GEN001280 subdirectories need 0755.
> If I'm being overly picky that is OK, I just would like to know how others are interpreting these line items.
Files are not directories. Their permissions must be different because they have different meanings. I think it's safe to say that if a file in /etc/skel needs to be world readable, then any subdirectory should be world readable and searchable.
Steve
> Files are not directories. Their permissions must be different because they have different meanings. I think it's safe to say that if a file in /etc/skel needs to be world readable, then any subdirectory should be world readable and searchable.
> Steve
I agree with your take on the intent. I'd always been taught that 'everything' is a file in *nix, just that some files are more special than others :), using the higher order bits of the mode to indicate what kind of 'special'.
Looking at the benchmark I wasn't sure if the id used to collect the files in /etc/skel (oval:mil.disa.fso.rhel.obj:13300) distinguished between regular files and directories. This same object is used for checking the owner/group restrictions as well as the permissions. GEN001820 (allowed user owners) explicitly calls out for checking directories, whereas GEN001830 (allowed group owner) just references the files themselves. I don't have a box up right now with the SCC checker running to see what happens to either man pages (except that I don't see GEN001280 in the benchmark) or if KDE is installed.
-Rob
scap-security-guide@lists.fedorahosted.org
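The distinction discussed in this thread, as an added example that is not part of the original messages or of the SCAP benchmark: a skeleton-tree audit that applies the 0644 ceiling from GEN001800 to regular files only and a separate ceiling to directories. The function name `audit_skel` is hypothetical, and the 0755 directory ceiling is an assumption taken from the "world readable and searchable" reading above.

```python
import os
import stat

FILE_MAX = 0o644  # GEN001800 as quoted in the thread
DIR_MAX = 0o755   # assumption: "world readable and searchable" for directories


def audit_skel(root, file_max=FILE_MAX, dir_max=DIR_MAX):
    """Return (relative path, kind, mode, problem) for each non-compliant entry."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError as exc:
                findings.append((rel, "unknown", None, "cannot stat: %s" % exc.strerror))
                continue
            mode = stat.S_IMODE(st.st_mode)  # permission bits only
            # The file-type bits of st_mode are what separate the two cases.
            if stat.S_ISDIR(st.st_mode):
                kind, limit = "dir", dir_max
            elif stat.S_ISREG(st.st_mode):
                kind, limit = "file", file_max
            else:
                continue  # symlinks, sockets and so on are out of scope here
            if mode & ~limit:
                # "or less permissive" means no bit set outside the ceiling
                findings.append((rel, kind, mode, "more permissive than %04o" % limit))
            if kind == "dir" and (mode & 0o500) != 0o500:
                # Copied as-is into $HOME, the new owner could not enter it
                # (the .kde case described in the first message).
                findings.append((rel, kind, mode, "owner lacks read/search"))
    return findings


if __name__ == "__main__":
    for rel, kind, mode, problem in audit_skel("/etc/skel"):
        shown = "----" if mode is None else "%04o" % mode
        print("%-5s %s %s: %s" % (kind, shown, rel, problem))
```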