[tex-live] updmap and /

Heiko Oberdiek oberdiek at uni-freiburg.de
Mon Mar 2 01:03:50 CET 2009


On Mon, Mar 02, 2009 at 12:47:39AM +0100, Reinhard Kotucha wrote:

> On 1 March 2009 Heiko Oberdiek wrote:
> 
>  > On Sun, Mar 01, 2009 at 06:21:35PM +0100, Lars Madsen wrote:
>  > 
>  > > I'm trying to figure out why our system is set like this, not
>  > > sure if it is own own installation script or if it is redhat.
>  > 
>  > Perhaps a "security feature", 
> 
> Please note the quotes. :)
> 
>  > it makes life for unauthorized access a little harder.
> 
> Maybe a little bit.  Only very few files have to be kept secret on a
> typical UNIX system.

There are many files, private files, for example.

> It doesn't make sense to be too paranoid.
> 
> Some time ago I did this (as root):
> 
>   chmod 700 /home/*
> 
> Looks reasonable at a first glance, right?  But it didn't work.
> 
> One of the reasons the most critical programs (Postfix, Apache,...)
> are so secure is that these programs do most of their work as
> unprivileged users rather than with root permissions.  
> 
> So, what's wrong with "chmod 700 /home/*"?

Nothing. ;-)

> If the /home/* directories are not executable by everyone, then Apache
> is not able to access the /home/*/public_html files.

Not everyone does have something inside public_html.
However the others have to enable executive permission, e.g.
  chmod 711 /home/user_with_public_html_files

But making it readable for others means that they can easily look
into the directory and perhaps can even read files that are meant
to be private.

> It doesn't make sense to be too restrictive.  And paranoia is a
> medical condition rather than an instrument to achieve security.

But you need paranoia for security, thus the art is finding
the right balance depending on the circumstances.

Yours sincerely
  Heiko <oberdiek at uni-freiburg.de>


More information about the tex-live mailing list