# Secure File Permissions

## Who Privacy

On shell accounts, it is possible to snoop around to see which users are logged in and what their home IPs are:

```
$ who
username1 ttyp0 Jan 25 03:17 (192.168.0.1)
username2 ttyp6 Jan 25 03:35 (10.0.0.1)
```

This is quite dangerous for user privacy, so we recommend disabling world read access:

```
$ doas chmod o-rwx /var/run/utmp /var/log/wtmp*
$ who
who: /var/run/utmp: Permission denied
```

Now users cannot see other IPs so easily. The downside is that commands like uptime break as well:

```
$ uptime
uptime: /var/run/utmp: Permission denied
```

There is unfortunately no way to prevent users from viewing other processes. See the mailing list archive ([marc.info](https://marc.info/?l=openbsd-tech&m=148089896932537&w=2) and [nabble.com](http://openbsd-archive.7691.n7.nabble.com/KERNEL-PATCH-add-process-hiding-fixed-td309339.html)).

## Hiding logs

We want to hide our logs from prying eyes:

```
# chmod -R o-rwx /var/log/ /var/www/logs/
# chown -R _smtpd:_dovecot /etc/mail
# chmod -R o-rx /etc/mail
```

## Hiding home folders

Make sure to check file permissions for folders in /home:

```
# chmod o-rx /home/botnow
# usermod -G znc botnow
# usermod -G znc _identd
# chown -R znc:znc /home/znc
# chmod -R o-rx /home/znc/home/znc/.znc
```

## Hiding /var

Hide data related to botnow:

```
# chown -R botnow:daemon /var/www/botnow/ /var/www/htdocs/botnow/
```

## Hiding /etc

```
# cd /etc
# chmod -R o-rx X11 acme acme-client.conf adduser.conf amd authpf doas.conf
```

## SUID Binaries

Check for any unexpected [SUID binaries](/openbsd/setuid) with:

```
# find / -perm -4000
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
```

**WARNING**: If you see any other binaries, then watch out! You may want to delete the packages that created those files, or delete the files themselves. These files may be a serious security risk to your server.

**WARNING**: If you installed LaTeX, this is the new setuid root program:

```
-rwsr-x--- 1 root _dbus 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
```

To prevent this:

```
$ doas chmod 0750 /usr/local/libexec/dbus-daemon-launch-helper
$ ls -lh /usr/local/libexec/dbus-daemon-launch-helper
-rwxr-x--- 1 root _dbus 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
```

## Checking Group Permissions

1. Check /etc/group to make sure that no unauthorized user is a member of wheel. Otherwise, they could use su to get root powers.
2. As soon as a team member leaves, make sure to remove retired teammates from wheel and doas.conf.

Check /etc/doas.conf to make sure only authorized users are added, and don't allow others to read doas.conf:

```
$ doas chmod o-r /etc/doas.conf
```

In /etc/ssh/sshd_config, turn off X11 forwarding
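The SUID check and the wheel check above are easy to forget once the server has been running for a while. As an added example (not part of the original page and not an OpenBSD tool), the POSIX sh helpers below turn them into a repeatable audit: `unexpected_suid` compares a list of setuid binaries against the baseline printed on this page and reports anything outside it (the dbus launch helper from the LaTeX warning would show up here), and `wheel_members` lists who is in wheel in a group(5) file. The function names, the `--demo` flag and the sample group file are my own constructions.

```shell
#!/bin/sh
# Added audit helpers (not from the original page): compare setuid
# binaries against the page's baseline and list wheel membership.
# Function names and the sample data below are constructed for this example.

# Baseline: the setuid binaries listed on this page for a stock OpenBSD
# install. Anything outside this list deserves a closer look.
SUID_BASELINE='/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown'

# unexpected_suid: read one path per line on stdin and print every path
# that is not in SUID_BASELINE (exact, whole-line match via grep -Fx).
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_BASELINE" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# wheel_members: print the members of the wheel group from a group(5)
# file, one per line (defaults to /etc/group).
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "${1:-/etc/group}"
}

# audit_host: run both checks against the live system. Run as root so
# find can traverse every directory; -xdev keeps it on local filesystems.
audit_host() {
    echo "== setuid binaries outside the baseline =="
    find / -xdev -type f -perm -4000 2>/dev/null | unexpected_suid
    echo "== members of wheel =="
    wheel_members /etc/group
}

# Demo on constructed data so the script runs without root or OpenBSD:
#   sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' /usr/bin/su /usr/local/libexec/dbus-daemon-launch-helper /sbin/ping | unexpected_suid
    tmp=$(mktemp)
    printf 'wheel:*:0:root,alice\nstaff:*:20:root\n' > "$tmp"   # constructed sample
    wheel_members "$tmp"
    rm -f "$tmp"
fi
```

Call `audit_host` from a nightly cron job and diff its output against the previous run; a new line in either section is the signal the warnings above tell you to watch for. The baseline is pinned to the list on this page, so after an OpenBSD upgrade compare it against the fresh `find / -perm -4000` output before trusting the report.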