[CentOS] directory permissions set to 600?

[Gordon Messmer]

On 07/20/2010 08:20 PM, Stephen Harris wrote:
> On Tue, Jul 20, 2010 at 05:45:36PM -0600, Ski Dawg wrote:
>> Hello all,
>>
>> Today, I ran across a directory in /etc/ on one of our servers whose
>> permissions where set to 600 (drw-------) with root being the owner.
>
> Heheheheh.  That machine is so broken.  Even 0700 would be unbelievably
> broken

Why?

Take a look in /etc, and I promise that you'll find entries that are 
0600 and 0700.  You might even notice that the permissions on 
/etc/shadow are unusually restricted.  Do you believe the permissions on 
/etc/shadow are also broken?

>> The directory is for the firewall package for the server, so it is not
>> something malicious. Checking some other systems, they also have this
>> directory and the permissions on those servers is also 600, so it
>> isn't just a messed up permissions on this one machine.
>
> Sounds like some messed up wanna-be security person who doesn't grok Unix.

Perhaps I am more charitable.  I'm inclined to believe that it's the 
result of a typo in the installation script that tends to go unnoticed 
because the root user isn't locked out by the error.

> Basically nothing non-root running will work properly on these machines.
> And if everything is designed to run as root then the architect has
> shown other issues.  "root" is the user of last recourse on a properly
> managed server.

There are some things (setting iptables entries for instance) that only 
the root user is allowed to do.  While daemons should not run as root if 
they don't need to, these configuration files aren't for a daemon. 
Furthermore, as authentication can typically only be done by root, 
you'll find that there are quite a few very secure packages which still 
run as the root user.  Take sshd for instance.  It has a nice design 
that puts a lot of work in a process that doesn't run as root, but the 
parent process still does.