File Permissions and security(snort?)
I really hope this does not come across as flamebait because its anything but that.
In my years of working with *nix-and-the-like systems one of the first security measures is the simple DAC level that is old POSIX file perms. Yes, Im aware of the arguments back and forth but perhaps sometimes "karma" just gets the better of me. Of course in this case it could simply be my ignorance of the pfsense(freebsd) system.
I am finding files such as:
–--rwxrwx 1 root wheel 8849 Jan 26 19:01 /usr/local/bin/create-sidmap.pl
----rwxrwx 1 root wheel 2293 Jan 26 19:01 /usr/local/bin/snort_rename.pl
----rwxrwx 1 root wheel 93116 Jan 26 19:01 /usr/local/bin/oinkmaster.pl
which at a glance is very disconcerting to me. While I have yet to (if ever have the time) look into the various files I have found with similar permissions and their potential impact I can not help but think "That just looks really bad.".
Sorry if I have opened a priorly dried can of worms and I really intend no "discomfort". I am simply questioning why such permissions are needed and frankly it just looks bad if for no other reason than a VERY easy place to b0rk a system if someone were to gain any level of shell access.
Or maybe someone just did a bitwise shift unintentionally... =)
That's probably from someone using the wrong mode in the package's xml manifest, it's supposed to be the mode passed to chmod but at one point it may have been mistaken for a umask, so that might explain why it's flipped.
Doesn't really matter so much in the context of pfSense though, since the webgui runs as root (by necessity), and it's not intended to be a multi-user system.
If you can get a shell there are way worse things you could do to the box. We already tell people to consider anyone with shell access as essentially having root (even though there are some things they can't do…)
Thanks for the info. I figured as much regarding the interface running as root etc. Just bothered me to see the perms. Suppose I could always just clean them up myself manually/crond.