
Wednesday, August 20, 2008

Securing file permissions

The default permissions set by a Linux distro during the install are fairly good. Still, we can apply some less permissive permissions to keep non-root users from accessing administrator utilities and files. If you choose to apply this option, you remove world read/write/execute access from a large number of system utilities and files that we feel only administrators should have access to.

Here is a list of some file permissions that should be set to make your system more secure. Please see the manual pages for chown and chmod!


Some of these groups may not exist on your system; you can either create them or just use root in their place. Also, some of these files may not exist on your system. Big deal :P


Note: Linux-Mandrake users can choose high security settings inside DrakConf to get the settings below.


path owner.group mode
/bin/ root.root 711
/boot/ root.root 700
/dev/ root.root 711
/dev/audio* root.audio 600
/dev/dsp* root.audio 600
/etc/ root.adm 711
/etc/conf.modules root.adm 640
/etc/cron.daily/ root.adm 750
/etc/cron.hourly/ root.adm 750
/etc/cron.monthly/ root.adm 750
/etc/cron.weekly/ root.adm 750
/etc/crontab root.adm 640
/etc/dhcpcd/ root.adm 750
/etc/dhcpcd/* root.adm 640
/etc/esd.conf root.audio 640
/etc/ftpaccess root.adm 640
/etc/ftpconversions root.adm 640
/etc/ftpgroups root.adm 640
/etc/ftphosts root.adm 640
/etc/ftpusers root.adm 640
/etc/gettydefs root.adm 640
/etc/hosts.allow root.adm 640
/etc/hosts.deny root.adm 640
/etc/hosts.equiv root.adm 640
/etc/inetd.conf root.adm 640
/etc/rc.d/init.d/ root.adm 750
/etc/rc.d/init.d/syslog root.adm 740
/etc/inittab root.adm 640
/etc/ld.so.conf root.adm 640
/etc/lilo.conf root.adm 600
/etc/modules.conf root.adm 640
/etc/motd root.adm 644
/etc/printcap root.lp 640
/etc/profile root.root 644
/etc/rc.d/ root.adm 640
/etc/securetty root.adm 640
/etc/sendmail.cf root.adm 640
/etc/shutdown.allow root.root 600
/etc/ssh_config root.root 644
/etc/ssh_host_key root.adm 640
/etc/ssh_host_key.pub root.adm 644
/etc/sshd_config root.adm 640
/etc/syslog.conf root.adm 640
/etc/updatedb.conf root.adm 640
/home/ root.adm 751
/home/* current 700
/lib/ root.adm 751
/mnt/ root.adm 750
/root/ root.root 700
/sbin/ root.adm 751
/tmp/ root.root 1777
/usr/ root.adm 751
/usr/* root.adm 751
/usr/X11R6/ root.xgrp 751
/usr/bin/ root.adm 751
/usr/bin/* root.root 755
/usr/sbin/ root.adm 751
/usr/sbin/* root.root 755
/var/ root.root 755
/var/log/ root.root 711
/var/log/* root.root 600
/var/spool/mail/ root.mail 771
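To apply a list like this and re-check it later, here is an added example script (not code from the original post): it reads entries in the same "path owner.group mode" form from stdin, reports drift, and with the argument fix runs chown/chmod. It assumes GNU or busybox coreutils; check_entry, apply_entry and audit_spec are names chosen here.

```shell
#!/bin/sh
# Audit, and optionally fix, permissions from a "path owner.group mode" list in the
# format used above. Added example, not code from the original post. Assumes GNU or
# busybox coreutils (stat -c, chown, chmod). A path ending in '*' is expanded as a
# shell glob; the owner "current" (as in the /home/* entry) means "keep the present
# owner, check the mode only".

# Compare one path with the wanted owner.group and octal mode.
# Prints OK, DRIFT or MISSING; returns 0 for OK, 1 for DRIFT, 2 for MISSING.
check_entry() {
    path=$1 want_owner=$2 want_mode=$3
    [ -e "$path" ] || { printf 'MISSING %s\n' "$path"; return 2; }
    have_owner=$(stat -c '%U.%G' "$path")
    have_mode=$(stat -c '%a' "$path")
    [ "$want_owner" = current ] && want_owner=$have_owner
    if [ "$have_owner" = "$want_owner" ] && [ "$have_mode" = "$want_mode" ]; then
        printf 'OK %s\n' "$path"; return 0
    fi
    printf 'DRIFT %s is %s %s, want %s %s\n' \
        "$path" "$have_owner" "$have_mode" "$want_owner" "$want_mode"
    return 1
}

# Set the wanted owner and mode on one path (chown needs root unless owner is "current").
apply_entry() {
    path=$1 want_owner=$2 want_mode=$3
    [ -e "$path" ] || return 2
    # the list uses the old "user.group" spelling; chown prefers "user:group"
    [ "$want_owner" = current ] || chown "${want_owner%%.*}:${want_owner#*.}" "$path" || return 1
    chmod "$want_mode" "$path"
}

# Read the list from stdin (blank lines and '#' comments ignored) and run check_entry
# (default) or apply_entry (argument "fix") on every expanded path. Prints one line per
# path plus a final "SUMMARY ok=N bad=N" line; returns 0 only when nothing is bad.
audit_spec() {
    action=${1:-check} ok=0 bad=0
    while read -r path owner mode; do
        case $path in ''|\#*) continue ;; esac
        for p in $path; do   # unquoted on purpose so a trailing '*' expands as a glob
            rc=0
            if [ "$action" = fix ]; then apply_entry "$p" "$owner" "$mode" || rc=$?
            else check_entry "$p" "$owner" "$mode" || rc=$?; fi
            if [ "$rc" -eq 0 ]; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
        done
    done
    printf 'SUMMARY ok=%d bad=%d\n' "$ok" "$bad"
    [ "$bad" -eq 0 ]
}
```

A typical check run is `printf '%s\n' '/etc/crontab root.adm 640' '/tmp/ root.root 1777' | audit_spec`, or feed the whole list above from a file; run as root when using fix.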

Dig deeper into this subject because in a lot of cases this is what stands between you and your box getting 0wn3d.
