Bug 67092
Summary: | The default file permissions for /etc/sysconfig/firewall are 644 (-rw-r--r--), exposing firewall rules. | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | gary |
Component: | firewall-config | Assignee: | Harald Hoyer <harald> |
Status: | CLOSED WONTFIX | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 7.1 | ||
Hardware: | i686 | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2003-03-10 15:04:26 UTC | Type: | --- |
Description
gary
2002-06-19 21:55:32 UTC
I did not consider that as a security risk. Besides that, a real firewall should not have ordinary user access. And for those who care, just chmod 600.

My organization has a dedicated firewall that protects systems on our internal network from systems on external networks. However, I thought it was a best practice to not necessarily trust your entire internal network. Therefore, on my server, I decided to set up a packet-filtering firewall to provide another layer of security. There are ordinary users on this system and if I hadn't noticed the 644 permissions (before I started) on the /etc/sysconfig/firewall file, these users could have discovered the server's firewall rules. So I am going to have to disagree with you about this not being a security risk. It seems that the default permissions should be secure whether or not there are ordinary users on the system. If you had a system with no other users, would you want /etc/shadow to have default permissions of 644? The permissions of sensitive files are just one additional layer of security that I think systems should have regardless of whether there are ordinary users or not.

Dropping priority - if the firewall is only secure because people don't know what is in it then it's not clear it's a good firewall. Still wants fixing though.

deprecated
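
The permission check discussed in this thread, as an added example that is not part of the original bug report: a POSIX shell audit that flags files whose mode grants any group or other access and applies the `chmod 600` mentioned above. The function names and the temporary sample file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit sensitive config files for group/other access.
# Helper names are illustrative; the sample file below is constructed.

# file_mode FILE: print the octal permission bits (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# is_exposed FILE: return 0 if group or other holds any permission bit,
# 1 if access is owner-only, 2 if the file cannot be examined.
is_exposed() {
    mode=$(file_mode "$1") || return 2
    # Leading 0 makes the shell read the mode as octal; 077 masks group+other.
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# audit FILE...: print one line per exposed file; return 1 if any was found.
audit() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue          # skip files absent on this host
        if is_exposed "$f"; then
            printf 'EXPOSED %s mode=%s\n' "$f" "$(file_mode "$f")"
            rc=1
        fi
    done
    return $rc
}

# harden FILE: owner read/write only, the chmod 600 suggested in the thread.
harden() {
    chmod 600 "$1"
}

# Demo on a constructed file: a umask of 022 produces the 644 mode
# described in the report.
tmp=$(mktemp -d)
( umask 022; : > "$tmp/firewall" )
audit "$tmp/firewall" || harden "$tmp/firewall"
audit "$tmp/firewall" && echo "OK $tmp/firewall mode=$(file_mode "$tmp/firewall")"
rm -rf "$tmp"
```

On a real host, call `audit /etc/sysconfig/firewall /etc/shadow` as root. A tool that writes such a file can set `umask 077` before creating it, so the file is never world-readable even briefly.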