Netgate Discussion Forum

    File Permissions and security(snort?)

      Amarth

      I really hope this does not come across as flamebait because it's anything but that.

      In my years of working with *nix-and-the-like systems one of the first security measures is the simple DAC level that is old POSIX file perms. Yes, I'm aware of the arguments back and forth but perhaps sometimes "karma" just gets the better of me. Of course in this case it could simply be my ignorance of the pfSense (FreeBSD) system.

      I am finding files such as:

      ----rwxrwx  1 root  wheel  8849 Jan 26 19:01 /usr/local/bin/create-sidmap.pl
      ----rwxrwx  1 root  wheel  2293 Jan 26 19:01 /usr/local/bin/snort_rename.pl
      ----rwxrwx  1 root  wheel  93116 Jan 26 19:01 /usr/local/bin/oinkmaster.pl

      which at a glance is very disconcerting to me. While I have yet to (if ever have the time) look into the various files I have found with similar permissions and their potential impact I can not help but think "That just looks really bad.".

      Sorry if I have opened a priorly dried can of worms and I really intend no "discomfort". I am simply questioning why such permissions are needed and frankly it just looks bad if for no other reason than a VERY easy place to b0rk a system if someone were to gain any level of shell access.

      Or maybe someone just did a bitwise shift unintentionally... =)

        jimp Rebel Alliance Developer Netgate

        That's probably from someone using the wrong mode in the package's xml manifest, it's supposed to be the mode passed to chmod but at one point it may have been mistaken for a umask, so that might explain why it's flipped.

        Doesn't really matter so much in the context of pfSense though, since the webgui runs as root (by necessity), and it's not intended to be a multi-user system.

        If you can get a shell there are way worse things you could do to the box. We already tell people to consider anyone with shell access as essentially having root (even though there are some things they can't do…)

          Amarth

          Thanks for the info. I figured as much regarding the interface running as root etc. Just bothered me to see the perms. Suppose I could always just clean them up myself manually/crond.
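
The flipped-mode pattern jimp describes and the manual cleanup Amarth mentions, as an added example that is not part of the original thread: a POSIX sh audit that lists files whose owner has no permission bits while "other" does, and prints the mode each would have if its current value were read as a umask. The function names, the scratch files, and the umask reading (suggested mode = 0777 & ~current) are assumptions for illustration, not pfSense package code.

```shell
#!/bin/sh
# Added example (not from the thread): find modes that look like a umask
# value handed to chmod, and show the mode a umask reading would give.

# Octal permission bits of a file: GNU stat first, FreeBSD stat as fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Assumption: the value was meant as a umask for an executable,
# so the intended mode is 0777 & ~value (077 -> 700, 022 -> 755).
mode_from_umask() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# Regular files under $1 whose owner has no bits while "other" has some,
# i.e. the ----rwxrwx pattern. Only POSIX find primaries are used.
find_inverted() {
    find "$1" -type f \
        ! -perm -0400 ! -perm -0200 ! -perm -0100 \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \)
}

# Print "current -> suggested  path" per hit; pass "fix" as $2 to chmod.
audit() {
    find_inverted "$1" | while IFS= read -r f; do
        cur=$(file_mode "$f")
        new=$(mode_from_umask "$cur")
        printf '%s -> %s  %s\n' "$cur" "$new" "$f"
        if [ "${2:-}" = fix ]; then chmod "$new" "$f"; fi
    done
}

# Constructed sample: scratch directory reproducing the modes in the thread.
demo() {
    d=$(mktemp -d) || return 1
    for n in create-sidmap.pl snort_rename.pl oinkmaster.pl; do
        : > "$d/$n" && chmod 0077 "$d/$n"
    done
    : > "$d/ok.pl" && chmod 0755 "$d/ok.pl"
    audit "$d" "${1:-}"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then audit "$@"; else demo; fi
```

Run with a directory argument to audit it (for example `/usr/local/bin`), and add `fix` as the second argument only after reviewing the suggested modes.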
