file permissions - insecure?

Code:
drwxr-sr-x  9 dean media_write      4096 2009-07-02 10:44 24
drwxr-sr-x  8 dean media_write      4096 2009-06-30 17:02 
drwxr-sr-x  4 dean media_write      4096 2009-07-02 11:05
drwxr-sr-x  2 dean media_write      4096 2009-07-02 11:09 
drwxr-sr-x  3 dean media_write      4096 2009-07-02 11:09 
drwxr-sr-x  2 dean media_write      4096 2009-07-02 11:21 
drwxr-sr-x  4 dean media_write      4096 2009-07-13 22:06

Are these permissions for a storage drive insecure? I think what I have done is set the group permissions so that MediaTomb can parse the data correctly and then stream them to my PS3.

My only concern is that I have done something insecure and will get hacked. My Linux knowledge isn't great, so I hope I haven't made myself wide open to attacks.

drwxr-sr-x is set throughout my /mnt/storage1 drive
 
Yeah, they look fine.

Stuff is only writeable by your user. So if you're worried about security I wouldn't spend too much time focusing on your file perms.

Instead direct your efforts towards locking down server daemons running on your box, keeping everything patched, correct (non-default) config files and monitoring log files.

Keep things simple: don't have things like http and ftp daemons running unless you need them. I don't know what you're using to stream stuff to your PS3, but say it has a remote vulnerability, you're pwned. So firewall stuff off at your network egress point; this can be done by your router, simply by not forwarding ports.

There's no end of stuff you can do to secure things further, but what I'm trying to say is your file permissions will have little to do with it. Unless you're giving write perms to everyone or something silly, which you haven't.

One thing I will say is that you have execute permission set for the directories, which is fine and is required for directory listings. I wouldn't have execute perms set for files inside that directory though unless you specifically require them. It could cause problems if you have some kind of binary in there that could cause issues if executed by someone other than your own user.
 
I have set samba up to be user access only with a password and set the folders up for 755.

After googling I found these commands:

Code:
sudo addgroup pubusers
sudo mkdir /pub
sudo chgrp pubusers /pub
sudo chmod g=rwx /pub
sudo chmod g+s /pub

http://ubuntuforums.org/showthread.php?t=296330

In ftp it now sets the write permissions for each folder, but as soon as it goes down to a file level, the file is still only rw and MediaTomb cannot play it. I'm so close it's unreal!!!

Samba is OK as it's set to set everything to 755, I believe. So I can transfer files over Samba.

I am only running rtorrent, sabnzbd, samba, mediatomb and an ftp daemon. Do I just drop the ftp daemon, and am I golden if I just keep updating Debian?
 
Yes I am.

How do I set things up to have files mount as 644? At the moment they are only set to rw, which is where I think this is all going wrong when I try uploading via ftp.

rw is set in fstab, just need to change it to 644, then I think I'm golden?
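
An added example, not written by any poster in this thread: a POSIX shell audit for the permission cases discussed above (entries writable by everyone, files with execute bits, directories without the setgid bit from `chmod g+s`, and files the group cannot read). The function names and issue labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a storage tree for the permission
# cases discussed above. Function names and issue labels are assumptions.

# Prefix every path read from stdin with an issue label and a tab.
label() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# audit_tree DIR: print one "ISSUE<TAB>path" line per finding.
audit_tree() {
    root=$1
    # Writable by "other". Symlinks are skipped: their own mode bits are not used.
    find "$root" ! -type l -perm -0002 -print | label WORLD_WRITABLE
    # Regular files carrying any execute bit (user, group or other).
    find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
        label EXEC_FILE
    # Directories without setgid: new entries will not inherit the directory's group.
    find "$root" -type d ! -perm -2000 -print | label NO_SETGID_DIR
    # Files the group cannot read, so a daemon relying on group access cannot open them.
    find "$root" -type f ! -perm -0040 -print | label NO_GROUP_READ
}

# Stand-alone use: sh audit.sh /mnt/storage1
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

An empty result means none of the four cases was found under the given directory.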
 
All these are well and good, but you're overlooking the most basic principle of good security: a good password :)
All the lockdowns in the world are no good if the root password is simple. A simple user password is nearly as bad too. I know this is a Microsoft page, but it explains the principles for creating a good password well:
http://www.microsoft.com/protect/yourself/password/create.mspx

-Leezer-
 