
On Debian 9, installing default-jre creates a hidden directory /etc/.java. This is flagged as a warning while I run rkhunter. Looking up online, I found an old bug report against Debian. The bug was closed stating the sysadmin could configure rkhunter to ignore the directory.

Speaking simplistically from the point of view of operating system security, is it a good idea to have a hidden directory under /etc? Does it make security sense for rkhunter to look for and flag hidden files and directories under /etc? What's the recommended best practice here?

Edit 2019-05-29T02:42+00:00: What I mean to ask in the last question is if a hidden directory under /etc is a good idea from the point of view of "security usability". As in, it might be disconcerting for a sysadmin to find a hidden file under /etc and therefore could be bad security practice, especially from the point of view of a package maintainer.

eternaltyro
  • 38
    Hidden directories don't have any security impact at all. The reason they are hidden is so that it doesn't fill the user directories with fluff they don't care about. Having a hidden directory in /etc is quite pointless, as I expect lots of config stuff to be there. – MechMK1 May 28 '19 at 11:41
  • 52
    Whenever I see a question asking whether something is safe, I'm left wondering: *Safe against **what**?* – Marc.2377 May 29 '19 at 00:06
  • 3
    @Marc.2377 That's a very smart question. This question could be interpreted a number of ways, now that I think about it... – Radvylf Programs May 29 '19 at 01:50
  • 1
    Aliasing `ls` to `ls -A` can help here from a security usability perspective. – forest May 29 '19 at 03:14
  • 6
    @Marc.2377 Or equivalently, **What is your threat model?** ("Threat model" just being a fancy term for the things you're trying to protect against.) – jpmc26 May 29 '19 at 16:56
  • As there's no comment saying "hidden files are just ones with names having a full-stop "." for their first character" - the "hidden nature" is something we imbue on them based on the name, otherwise there is no difference. In closing: __Is having a directory under /etc safe?__ – Alec Teal May 30 '19 at 22:29
  • @AlecTeal that may be the case. But the full-stop is not completely meaningless. Somebody intended it to be hidden which is where the problem begins. If `/etc` is meant to hold config files any way, why bother hiding a directory with configuration when it's completely pointless, especially for a package like Java? I do get it's not particularly unsafe. But it's not just `Is having a directory under /etc safe?` – eternaltyro May 31 '19 at 07:13
  • @eternaltyro TL;DR because of the first sentence. If you really want you can imbue any symbol you like with whatever properties you like, but the OS and I will go on not caring. You make it sound like the perfect symbol which is apparently racist now (HOW? I thought it was like an "O" and a "K"?) apparently (I learned it diving?). – Alec Teal Jun 06 '19 at 15:29

2 Answers

66

Yes, that's safe. There's nothing inherently insecure about having a hidden directory under /etc. The only reason rkhunter flags it is that it's uncommon for legitimate programs to do it, and when malware does it, it makes it less likely that you'd otherwise notice it.

  • 2
    That makes sense. My question was more from the point of view of security usability. Wouldn't a hidden directory under `/etc` be discomforting for any sysadmin? – eternaltyro May 29 '19 at 02:38
  • 18
    @eternaltyro It would affect comfort, yes, but not security. – Mołot May 29 '19 at 07:33
  • 7
    @eternaltyro It would be discomforting *once*, then you look into it and discover it is legitimate. After that, it is no longer discomforting. – Stig Hemmer May 29 '19 at 09:21
  • 1
    If you felt really 'bad' about it and the program expected to look there, you could move the 'hidden' dot directory to a non-dot directory, and create a symlink from the hidden directory to the actual directory - then you would 'see' it, if that removed any discomfort... – Cinderhaze May 29 '19 at 14:34
  • 2
    @eternaltyro Discomfort and security have nothing to do with each other. An admin can be uncomfortable for any reason; an analysis of the risk is necessary to determine if something is secure. In this case, a known and accepted application created the directory so there is no appreciable risk. Malware and vulnerability scanners often flag things that pose no serious risk. It is the admin's job to review the results to determine whether each finding is a legitimate security concern. Whitelisting known-good applications is common and reasonable. – DoubleD May 30 '19 at 21:57
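The workflow the answer and its comments describe, look at the entry, confirm it is legitimate, then whitelist it, can be scripted. The following is an added example and is not code from the thread, from Debian or from rkhunter. It lists the dot-prefixed entries directly under a directory (the only thing that makes them "hidden" is the leading dot in the name), asks dpkg which package owns each one, and prints the rkhunter whitelist line for the package-owned ones. `ALLOWHIDDENDIR` and `ALLOWHIDDENFILE` are rkhunter's real directives for this and belong in `/etc/rkhunter.conf` or `/etc/rkhunter.conf.local`; the function names and the "unowned" marker are this example's own. One caveat: `dpkg -S` only knows about files shipped in a package's file list, so something created by a maintainer script or at runtime also reports as unowned. "Unowned" therefore means "go and look", not "malware".

```shell
#!/bin/sh
# Added example, not part of the original thread: triage dot-prefixed
# entries under an /etc-like directory after an rkhunter hidden-file warning.
# Assumptions: dpkg may or may not be installed; rkhunter's
# ALLOWHIDDENDIR / ALLOWHIDDENFILE directives are used for the whitelist.

# List the hidden entries directly under DIR, one per line, sorted.
# "Hidden" means nothing more than a name starting with a dot.
# -mindepth/-maxdepth are GNU/BSD find extensions (present on Linux).
list_hidden() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' | sort
}

# Print the package that owns PATH (from dpkg's file lists) and return 0,
# or print "unowned" and return 1 when no package claims it or dpkg is absent.
owner_of() {
    path="$1"
    if command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "pkg: /path" on a hit and an error on stderr otherwise.
        pkg=$(dpkg -S "$path" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -n "$pkg" ]; then
            printf '%s\n' "$pkg"
            return 0
        fi
    fi
    printf 'unowned\n'
    return 1
}

# Emit the rkhunter.conf line that whitelists PATH, picking the directive
# by whether PATH is a directory or a file.
whitelist_line() {
    if [ -d "$1" ]; then
        printf 'ALLOWHIDDENDIR=%s\n' "$1"
    else
        printf 'ALLOWHIDDENFILE=%s\n' "$1"
    fi
}

# For every hidden entry under DIR: report the owning package and the
# whitelist line for it, or leave it flagged when nothing owns it.
triage() {
    list_hidden "$1" | while IFS= read -r entry; do
        if pkg=$(owner_of "$entry"); then
            printf '%s owned by %s -> %s\n' "$entry" "$pkg" "$(whitelist_line "$entry")"
        else
            printf '%s unowned -> leave flagged and investigate\n' "$entry"
        fi
    done
}

# Usage: sh triage-hidden.sh /etc
for d in "$@"; do
    triage "$d"
done
```

On a Debian 9 box with default-jre installed, `triage /etc` reports `/etc/.java` as owned by the JRE package and prints `ALLOWHIDDENDIR=/etc/.java`, which is the line to append to the rkhunter configuration; anything reported as unowned is what actually deserves the admin's attention.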

21

It is safe in the sense that no, it will not make the system unstable, nor will it make it vulnerable from a security standpoint.

That said, as MechMK1 points out, the only reason to use hidden directories is so that it doesn't fill the user directories with fluff they don't care about. The /etc directory, on the other hand, is meant to contain such fluff, so I don't see why you'd want to hide it.

For this reason, it's not an expected action and rkhunter flags it as something suspicious that only malware would do. But you can totally do it too, if you so wish.

undo