# Permissions problems in /etc

## CoderMan

I have a remote Gentoo server, and unfortunately I cannot do full backups for various reasons (such as bandwidth cost) so I rsync a few directories with info I don't want to lose. I do it all with a specially-created "backup" account, and use POSIX ACLs to give read permission (and default read permission) to directories and files I want backed up remotely.

I wanted to save all my /etc configuration files because there are so many I have specially customized. However, when I applied the extra permissions to /etc I nearly locked myself permanently out of the system, because apparently sshd is designed to disable access to all keys that suddenly receive less restrictive permissions. (Probably a good security feature.) Fortunately I still had a connection open and could revert everything back.

Anyway, before I go messing with /etc permissions again, I was wondering if there are any other "bombshell" directories (like /etc/sshd) that blow your system to heck if you mess with the permissions.

For the curious, here are the log errors for sshd:

```
Dec 14 01:08:21 [snip] sshd[19679]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Dec 14 01:08:21 [snip] sshd[19679]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Dec 14 01:08:21 [snip] sshd[19679]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Dec 14 01:08:21 [snip] sshd[19679]: error: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Dec 14 01:08:21 [snip] sshd[19679]: error: It is recommended that your private key files are NOT accessible by others.
Dec 14 01:08:21 [snip] sshd[19679]: error: This private key will be ignored.
Dec 14 01:08:21 [snip] sshd[19679]: error: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Dec 14 01:08:21 [snip] sshd[19679]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Dec 14 01:08:21 [snip] sshd[19679]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Dec 14 01:08:21 [snip] sshd[19679]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Dec 14 01:08:21 [snip] sshd[19679]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Dec 14 01:08:21 [snip] sshd[19679]: error: Permissions 0640 for '/etc/ssh/ssh_host_dsa_key' are too open.
Dec 14 01:08:21 [snip] sshd[19679]: error: It is recommended that your private key files are NOT accessible by others.
Dec 14 01:08:21 [snip] sshd[19679]: error: This private key will be ignored.
Dec 14 01:08:21 [snip] sshd[19679]: error: bad permissions: ignore key: /etc/ssh/ssh_host_dsa_key
Dec 14 01:08:21 [snip] sshd[19679]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Dec 14 01:08:21 [snip] sshd[19679]: Disabling protocol version 2. Could not load host key
Dec 14 01:08:21 [snip] sshd[19679]: sshd: no hostkeys available -- exiting.
```

----------

## dermund

Hello CoderMan,

 *CoderMan wrote:*   

> I have a remote Gentoo server, and unfortunately I cannot do full backups for various reasons (such as bandwidth cost) so I rsync a few directories with info I don't want to lose.

 

Is it impossible to give the system a backup partition or a second harddrive?

 *CoderMan wrote:*   

> Anyway, before I go messing with /etc permissions again, I was wondering if there are any other "bombshell" directories (like /etc/sshd) that blow your system to heck if you mess with the permissions. 

 

I cannot think of a bombshell now, that behaves like ssh in this case. But this depends on the permission set applied.

For security reasons, it is a bad idea to change the default permissions of /etc. You probably don't want (/etc/shadow, SSL certificates, GnuPG keys ...) to be world readable.

I don't understand why you want to use a "backup" user without root privileges to back up your files?

/dermund

----------

## CoderMan

 *dermund wrote:*   

> Hello CoderMan,
> 
>  *CoderMan wrote:*   I have a remote Gentoo server, and unfortunately I cannot do full backups for various reasons (such as bandwidth cost) so I rsync a few directories with info I don't want to lose. 
> 
> Is it impossible to give the system a backup partition or a second harddrive?

 

Unfortunately, the system came pre-partitioned, and I could only afford a one-harddrive package.

 *Quote:*   

>  *CoderMan wrote:*   Anyway, before I go messing with /etc permissions again, I was wondering if there are any other "bombshell" directories (like /etc/sshd) that blow your system to heck if you mess with the permissions.  
> 
> I cannot think of a bombshell now, that behaves like ssh in this case. But this depends on the permission set applied.
> ...

 

Thank you for the response, though I think you slightly misunderstand. I'm not giving world permissions to any file. I'm using ACLs to give read-only permissions to a special "backup" account.

 *Quote:*   

> I don't understand why you want to use a "backup" user without root privileges to backup your files?
> 
> /dermund

 

I could back up everything using the root account, but then if I made a mistake in my remote backup script, I might accidentally change or delete the files instead of just backing them up. If I use a special "backup" account that has read-only access to the files, then I cannot accidentally modify anything I am backing up.

----------

## dermund

 *CoderMan wrote:*   

> I'm not giving world permissions to any file. I'm using ACLs to give read-only permissions to a special "backup" account. 

 

Ok, I see. I must admit I never used ACLs before. So you say sshd is really 'seeing' the ACLs' permissions if you try to log in over ssh as root?

I thought sshd would just take the standard unix file permissions.

----------

## CoderMan

 *dermund wrote:*   

>  *CoderMan wrote:*   I'm not giving world permissions to any file. I'm using ACLs to give read-only permissions to a special "backup" account.  
> 
> Ok, I see. I must admit I never used ACL's before. So you say sshd is really 'seeing' the ACL's permissions if you try to login over ssh as root?
> 
> I thought sshd would just take the standard unix file permissions.

 

Well, the log file states:

```
Dec 14 01:08:21 [snip] sshd[19679]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Dec 14 01:08:21 [snip] sshd[19679]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Dec 14 01:08:21 [snip] sshd[19679]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Dec 14 01:08:21 [snip] sshd[19679]: error: Permissions 0640 for '/etc/ssh/ssh_host_dsa_key' are too open.
```

Since 0640 is hardly "too open" in and of itself, one must believe sshd is using some more complicated check behind the scenes.

----------

## 1clue

Have a local cron job run as root to back up the /etc directory as an archive to some unlikely spot and an unlikely name not containing the name 'etc'.

If your system is critical for your organization and contains sensitive data, encrypt the archive so it's only readable by the remote backup system.

Then give the archive the permissions you want, lock the backup directory permissions just for the remote backup user and periodically grab the archive remotely.

I learned long ago to not mess with /etc permissions.  There is always something you didn't take into account.

I hope you know to stay out of /dev altogether, and /proc and /sys.  /var has some things you might want to back up and things you almost certainly don't.

Mysql databases and similar don't necessarily come out as working if the database is being written to while the backup comes through.

----------

## dermund

 *CoderMan wrote:*   

> Since 0640 is hardly "too open" in and of itself, one must believe sshd is using some more complicated check behind the scenes.

 

So, does that mean '/etc/ssh/ssh_host_dsa_key' really had the unix file permissions 0640 at that moment, or not?

Do ext. ACLs change the standard unix file permissions?

----------
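Added example, not part of the thread: on Linux, once a POSIX ACL carries a mask entry, the group bits that `stat()` reports show that mask rather than the `group::` entry, and OpenSSH refuses a private key whose mode has any group or other bit set. The sketch below models that mapping on constructed `getfacl` output; the key path and the "backup" entry mirror the thread, and the function names are illustrative.

```python
# Constructed getfacl output: a 0600 host key before and after
# `setfacl -m u:backup:r` ("backup" is the account named in the thread).
BEFORE = "user::rw-\ngroup::---\nother::---\n"
AFTER = """\
# file: etc/ssh/ssh_host_rsa_key
user::rw-
user:backup:r--
group::---
mask::r--
other::---
"""

def parse_acl(text):
    """Return (tag, qualifier, perms) tuples from getfacl-style text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and "#effective:"
        if not line or line.startswith("default:"):
            continue  # default ACLs only apply to directories
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms[:3]))
    return entries

def bits(perms):
    """Convert a string such as 'r-x' to its octal digit (5)."""
    return sum(v for c, v in zip(perms, (4, 2, 1)) if c != "-")

def stat_mode(entries):
    """Permission bits that stat() reports for a file carrying this ACL."""
    base = {(t, q): bits(p) for t, q, p in entries}
    owner = base.get(("user", ""), 0)
    other = base.get(("other", ""), 0)
    # When a mask entry exists, the group-class bits show the mask, not group::
    group_class = base.get(("mask", ""), base.get(("group", ""), 0))
    return (owner << 6) | (group_class << 3) | other

def sshd_accepts(mode):
    """Model of the host-key check: no group or other bit may be set."""
    return (mode & 0o077) == 0

if __name__ == "__main__":
    for label, acl in (("before", BEFORE), ("after", AFTER)):
        mode = stat_mode(parse_acl(acl))
        print(label, format(mode, "04o"), "ok" if sshd_accepts(mode) else "too open")
```

Running the same model over the ACL you intend to apply shows, before touching /etc, which files would end up with a non-zero group class and therefore trip a mode-based check like the one in the log.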

