Ttdfjt

How do photons get into the eyes?

How to express a term of multiplication

What can plausibly explain many of my very long and low-tech bridges?

2.8 is missing the Carve option in the Boolean Modifier

Why only the fundamental frequency component is said to give useful power?

How to make horizontal space between a dot and a text equal to horizontal space between the dot of numerical label of numbered list and its item?

How were concentration and extermination camp guards recruited?

siunitx error: Invalid numerical input

When conversion from Integer to Single may lose precision

Etymology of 'calcit(r)are'?

How to generate random points without duplication?

How bad would a partial hash leak be, realistically?

Bent spoke design wheels — feasible?

Russian equivalents of "no love lost"

Translating 'Liber'

Why is the application of an oracle function not a measurement?

Deformation of rectangular plot

Strange symbol for two functions

Should an arbiter claim draw at a K+R vs K+R endgame?

What LISP compilers and interpreters were available for 8-bit machines?

What can cause the front wheel to lock up when going over a small bump?

Movie about a boy who was born old and grew young

Can an Eldritch Knight use Action Surge and thus Arcane Charge even when surprised?

Secure offsite backup, even in the case of hacker root access

Is having a hidden directory under /etc safe?

Looking for virus under LinuxHidden directory with 0x0d0x0aApache/Linux server, DoS attack from own IPInstall Metasploit under Cygwin?Directory traversal & default filesystem permissions (755) for web serverSecurity flaw while importing certificate?Is it safe to rm -rf an untrusted directory?Linux OS with encryption including hidden volumes?ClamAV findings under Debian 9: LibreOfficeMacros and PUA.Win.Exploit.CVE_2012_0110-1 - false positives?Is my PC safe after DSA-4371?

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

33

On Debian 9, installing default-jre creates a hidden directory /etc/.java. This is flagged as a warning while I run rkhunter. Looking up online, I found an old bug report against Debian. The bug was closed stating the sysadmin could configure rkhunter to ignore the directory.

Speaking simplistically from the point of view of operating system security, is it a good idea to have a hidden directory under /etc? Does it make security sense for rkhunter to look for and flag hidden files and directories under /etc? What's the recommended best practice here?

Edit 2019-05-29T02:42+00:00: What I mean to ask in the last question is if a hidden directory under /etc is a good idea from the point of view of "security usability". As in, it might be disconcerting for a sysadmin to find a hidden file under /etc and therefore could be bad security practice, especially from the point of view of a package maintainer.

linux debian

share|improve this question

edited May 29 at 2:44

eternaltyro

asked May 28 at 11:18

eternaltyroeternaltyro

460413

• 
  
  
  

  
  37
  

  
  
  
  
  
  

  
  
  Hidden directories don't have any security impact at all. The reason they are hidden is so that it doesn't fill the user directories with fluff they don't care about. Having a hidden directory in /etc is quite pointless, as I expect lots of config stuff to b ethere.
  
  – MechMK1
  May 28 at 11:41
  

  
  
  
  


• 
  
  
  

  
  51
  

  
  
  
  
  
  

  
  
  Whenever I see a question asking whether something is safe, I'm left wondering: Safe against what?
  
  – Marc.2377
  May 29 at 0:06
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  @Marc.2377 That's a very smart question. This question could be interpreted a number of ways, now that I think about it...
  
  – Redwolf Programs
  May 29 at 1:50
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Aliasing ls to ls -A can help here from a security usability perspective.
  
  – forest
  May 29 at 3:14
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  
  @Marc.2377 Or equivalently, What is your threat model? ("Threat model" just being a fancy term for the things you're trying to protect against.)
  
  – jpmc26
  May 29 at 16:56
  
  

  
  
  
  

 | 
show 2 more comments

33

On Debian 9, installing default-jre creates a hidden directory /etc/.java. This is flagged as a warning while I run rkhunter. Looking up online, I found an old bug report against Debian. The bug was closed stating the sysadmin could configure rkhunter to ignore the directory.

Speaking simplistically from the point of view of operating system security, is it a good idea to have a hidden directory under /etc? Does it make security sense for rkhunter to look for and flag hidden files and directories under /etc? What's the recommended best practice here?

Edit 2019-05-29T02:42+00:00: What I mean to ask in the last question is if a hidden directory under /etc is a good idea from the point of view of "security usability". As in, it might be disconcerting for a sysadmin to find a hidden file under /etc and therefore could be bad security practice, especially from the point of view of a package maintainer.

linux debian

share|improve this question

edited May 29 at 2:44

eternaltyro

asked May 28 at 11:18

eternaltyroeternaltyro

460413

• 
  
  
  

  
  37
  

  
  
  
  
  
  

  
  
  Hidden directories don't have any security impact at all. The reason they are hidden is so that it doesn't fill the user directories with fluff they don't care about. Having a hidden directory in /etc is quite pointless, as I expect lots of config stuff to b ethere.
  
  – MechMK1
  May 28 at 11:41
  

  
  
  
  


• 
  
  
  

  
  51
  

  
  
  
  
  
  

  
  
  Whenever I see a question asking whether something is safe, I'm left wondering: Safe against what?
  
  – Marc.2377
  May 29 at 0:06
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  @Marc.2377 That's a very smart question. This question could be interpreted a number of ways, now that I think about it...
  
  – Redwolf Programs
  May 29 at 1:50
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Aliasing ls to ls -A can help here from a security usability perspective.
  
  – forest
  May 29 at 3:14
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  
  @Marc.2377 Or equivalently, What is your threat model? ("Threat model" just being a fancy term for the things you're trying to protect against.)
  
  – jpmc26
  May 29 at 16:56
  
  

  
  
  
  

 | 
show 2 more comments

On Debian 9, installing default-jre creates a hidden directory /etc/.java. This is flagged as a warning while I run rkhunter. Looking up online, I found an old bug report against Debian. The bug was closed stating the sysadmin could configure rkhunter to ignore the directory.

Speaking simplistically from the point of view of operating system security, is it a good idea to have a hidden directory under /etc? Does it make security sense for rkhunter to look for and flag hidden files and directories under /etc? What's the recommended best practice here?

Edit 2019-05-29T02:42+00:00: What I mean to ask in the last question is if a hidden directory under /etc is a good idea from the point of view of "security usability". As in, it might be disconcerting for a sysadmin to find a hidden file under /etc and therefore could be bad security practice, especially from the point of view of a package maintainer.

linux debian

share|improve this question

edited May 29 at 2:44

eternaltyro

asked May 28 at 11:18

eternaltyroeternaltyro

460413

share|improve this question

edited May 29 at 2:44

eternaltyro

asked May 28 at 11:18

eternaltyroeternaltyro

460413

share|improve this question

edited May 29 at 2:44

eternaltyro

asked May 28 at 11:18

eternaltyroeternaltyro

460413

asked May 28 at 11:18

eternaltyroeternaltyro

460413

asked May 28 at 11:18

eternaltyroeternaltyro

460413

2 Answers
2

active

oldest

votes

66

Yes, that's safe. There's nothing inherently insecure about having a hidden directory under /etc. The only reason rkhunter flags it is that it's uncommon for legitimate programs to do it, and when malware does it, it makes it less likely that you'd otherwise notice it.

share|improve this answer

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,5241919

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  That makes sense. My question was more from the point of view of security usability. Wouldn't a hidden directory under /etc be discomforting for any sysadmin?
  
  – eternaltyro
  May 29 at 2:38
  

  
  
  
  


• 
  
  
  

  
  18
  

  
  
  
  
  
  

  
  
  @eternaltyro It would affect comfort, yes, but not security.
  
  – Mołot
  May 29 at 7:33
  

  
  
  
  


• 
  
  
  

  
  7
  

  
  
  
  
  
  

  
  
  @eternaltyro It would be discomforting once, then you look into it and discover it is legitimate. After that, it is no longer discomforting.
  
  – Stig Hemmer
  May 29 at 9:21
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  If you felt really 'bad' about it and the program expected to look there, you could move the 'hidden' dot directory to a non-dot directory, and create a symlink from the hidden directory to the actual directory - then you would 'see' it, if that removed any discomfort...
  
  – Cinderhaze
  May 29 at 14:34
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @eternaltyro Discomfort and security have nothing to do with each other. An admin can be uncomfortable for any reason; an analysis of the risk is necessary to determine if something is secure. In this case, a known and accepted application created the directory so there is no appreciable risk. Malware and vulnerability scanners often flag things that pose no serious risk. It is the admin's job to review the results to determine whether each finding is a legitimate security concern. Whitelisting known-good applications is common and reasonable.
  
  – DoubleD
  May 30 at 21:57
  

  
  
  
  

add a comment | 

20

It is safe in the sense that no, it will not make the system unstable, nor will it make it vulnerable from a security standpoint.

That said, as MechMK1 points out, the only reason to use hidden directories is so that it doesn't fill the user directories with fluff they don't care about. The /etc directory, on the other hand is meant to contain such fluff, so I don't see why you'd want to hide it.

For this reason, it's not an expected action and rkhunter flags it as something suspicious that only malware would do. But you can totally do it too, if you so wish.

share|improve this answer

answered May 29 at 13:45

rahuldottechrahuldottech

8501613

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210923%2fis-having-a-hidden-directory-under-etc-safe%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

66

Yes, that's safe. There's nothing inherently insecure about having a hidden directory under /etc. The only reason rkhunter flags it is that it's uncommon for legitimate programs to do it, and when malware does it, it makes it less likely that you'd otherwise notice it.

share|improve this answer

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,5241919

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  That makes sense. My question was more from the point of view of security usability. Wouldn't a hidden directory under /etc be discomforting for any sysadmin?
  
  – eternaltyro
  May 29 at 2:38
  

  
  
  
  


• 
  
  
  

  
  18
  

  
  
  
  
  
  

  
  
  @eternaltyro It would affect comfort, yes, but not security.
  
  – Mołot
  May 29 at 7:33
  

  
  
  
  


• 
  
  
  

  
  7
  

  
  
  
  
  
  

  
  
  @eternaltyro It would be discomforting once, then you look into it and discover it is legitimate. After that, it is no longer discomforting.
  
  – Stig Hemmer
  May 29 at 9:21
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  If you felt really 'bad' about it and the program expected to look there, you could move the 'hidden' dot directory to a non-dot directory, and create a symlink from the hidden directory to the actual directory - then you would 'see' it, if that removed any discomfort...
  
  – Cinderhaze
  May 29 at 14:34
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @eternaltyro Discomfort and security have nothing to do with each other. An admin can be uncomfortable for any reason; an analysis of the risk is necessary to determine if something is secure. In this case, a known and accepted application created the directory so there is no appreciable risk. Malware and vulnerability scanners often flag things that pose no serious risk. It is the admin's job to review the results to determine whether each finding is a legitimate security concern. Whitelisting known-good applications is common and reasonable.
  
  – DoubleD
  May 30 at 21:57
  

  
  
  
  

add a comment | 

66

Yes, that's safe. There's nothing inherently insecure about having a hidden directory under /etc. The only reason rkhunter flags it is that it's uncommon for legitimate programs to do it, and when malware does it, it makes it less likely that you'd otherwise notice it.

share|improve this answer

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,5241919

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  That makes sense. My question was more from the point of view of security usability. Wouldn't a hidden directory under /etc be discomforting for any sysadmin?
  
  – eternaltyro
  May 29 at 2:38
  

  
  
  
  


• 
  
  
  

  
  18
  

  
  
  
  
  
  

  
  
  @eternaltyro It would affect comfort, yes, but not security.
  
  – Mołot
  May 29 at 7:33
  

  
  
  
  


• 
  
  
  

  
  7
  

  
  
  
  
  
  

  
  
  @eternaltyro It would be discomforting once, then you look into it and discover it is legitimate. After that, it is no longer discomforting.
  
  – Stig Hemmer
  May 29 at 9:21
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  If you felt really 'bad' about it and the program expected to look there, you could move the 'hidden' dot directory to a non-dot directory, and create a symlink from the hidden directory to the actual directory - then you would 'see' it, if that removed any discomfort...
  
  – Cinderhaze
  May 29 at 14:34
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @eternaltyro Discomfort and security have nothing to do with each other. An admin can be uncomfortable for any reason; an analysis of the risk is necessary to determine if something is secure. In this case, a known and accepted application created the directory so there is no appreciable risk. Malware and vulnerability scanners often flag things that pose no serious risk. It is the admin's job to review the results to determine whether each finding is a legitimate security concern. Whitelisting known-good applications is common and reasonable.
  
  – DoubleD
  May 30 at 21:57
  

  
  
  
  

add a comment | 

Yes, that's safe. There's nothing inherently insecure about having a hidden directory under /etc. The only reason rkhunter flags it is that it's uncommon for legitimate programs to do it, and when malware does it, it makes it less likely that you'd otherwise notice it.

share|improve this answer

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,5241919

share|improve this answer

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,5241919

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,5241919

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,5241919

20

It is safe in the sense that no, it will not make the system unstable, nor will it make it vulnerable from a security standpoint.

That said, as MechMK1 points out, the only reason to use hidden directories is so that it doesn't fill the user directories with fluff they don't care about. The /etc directory, on the other hand is meant to contain such fluff, so I don't see why you'd want to hide it.

For this reason, it's not an expected action and rkhunter flags it as something suspicious that only malware would do. But you can totally do it too, if you so wish.

share|improve this answer

answered May 29 at 13:45

rahuldottechrahuldottech

8501613

add a comment | 

20

It is safe in the sense that no, it will not make the system unstable, nor will it make it vulnerable from a security standpoint.

That said, as MechMK1 points out, the only reason to use hidden directories is so that it doesn't fill the user directories with fluff they don't care about. The /etc directory, on the other hand is meant to contain such fluff, so I don't see why you'd want to hide it.

For this reason, it's not an expected action and rkhunter flags it as something suspicious that only malware would do. But you can totally do it too, if you so wish.

share|improve this answer

answered May 29 at 13:45

rahuldottechrahuldottech

8501613

add a comment | 

It is safe in the sense that no, it will not make the system unstable, nor will it make it vulnerable from a security standpoint.

That said, as MechMK1 points out, the only reason to use hidden directories is so that it doesn't fill the user directories with fluff they don't care about. The /etc directory, on the other hand is meant to contain such fluff, so I don't see why you'd want to hide it.

For this reason, it's not an expected action and rkhunter flags it as something suspicious that only malware would do. But you can totally do it too, if you so wish.

share|improve this answer

answered May 29 at 13:45

rahuldottechrahuldottech

8501613

share|improve this answer

answered May 29 at 13:45

rahuldottechrahuldottech

8501613

answered May 29 at 13:45

rahuldottechrahuldottech

8501613

answered May 29 at 13:45

rahuldottechrahuldottech

8501613