From Fedora Project Wiki

Revision as of 17:18, 18 June 2015 by Kurtseifried (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Have secure by default permissions for configuration and log files

Proposed change

All configuration files (e.g. files in /etc/) and all log files (e.g. files in /var/log/) must not be set world-readable unless there is a functional reason to do so. By default, configuration files should be chmod 600 or 0640 and log files should be chmod 0600. This is due to a continuing number of security issues with world readable files that contain sensitive information (e.g. passwords and access tokens or logged usernames and commands for example).

Rationale

The number of security issues created by lax permissions on configuration and log files has resulted in a number of security issues exploitable by local users. E.g.:

CVEs for configuration file permissions

CVEs for log file permissions

Please note that the above lists are by no means a complete listing of the security flaws that have resulted from lax permissions.