Otdfbt

Why did Robert pick unworthy men for the White Cloaks?

If absolute velocity does not exist, how can we say a rocket accelerates in empty space?

Part of my house is inexplicably gone

Idiom for 'person who gets violent when drunk"

What does this line mean in Zelazny's The Courts of Chaos?

What is the language spoken in Babylon?

Harley Davidson clattering noise from engine, backfire and failure to start

When a class dynamically allocates itself at constructor, why does stack overflow happen instead of std::bad_alloc?

Approach sick days in feedback meeting

What class is best to play when a level behind the rest of the party?

Content Editor Web Part - SharePoint Online?

Can I attach a DC blower to intake manifold of my 150CC Yamaha FZS FI engine?

Which are the methodologies for interpreting Vedas?

Realistic, logical way for men with medieval-era weaponry to compete with much larger and physically stronger foes

Can a 40amp breaker be used safely and without issue with a 40amp device on 6AWG wire?

How to represent jealousy in a cute way?

Jam with honey & without pectin has a saucy consistency always

David slept with Bathsheba because she was pure?? What does that mean?

How can I find out about the game world without meta-influencing it?

Was the Lonely Mountain, where Smaug lived, a volcano?

The best in flight meal option for those suffering from reflux

Was planting UN flag on Moon ever discussed?

I sent an angry e-mail to my interviewers about a conflict at my home institution. Could this affect my application?

Must CPU have a GPU if motherboard provides display port (when no separate video card)?

Is having a hidden directory under /etc safe?

Looking for virus under LinuxHidden directory with 0x0d0x0aApache/Linux server, DoS attack from own IPInstall Metasploit under Cygwin?Directory traversal & default filesystem permissions (755) for web serverSecurity flaw while importing certificate?Is it safe to rm -rf an untrusted directory?Linux OS with encryption including hidden volumes?ClamAV findings under Debian 9: LibreOfficeMacros and PUA.Win.Exploit.CVE_2012_0110-1 - false positives?Is my PC safe after DSA-4371?

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

33

On Debian 9, installing default-jre creates a hidden directory /etc/.java. This is flagged as a warning while I run rkhunter. Looking up online, I found an old bug report against Debian. The bug was closed stating the sysadmin could configure rkhunter to ignore the directory.

Speaking simplistically from the point of view of operating system security, is it a good idea to have a hidden directory under /etc? Does it make security sense for rkhunter to look for and flag hidden files and directories under /etc? What's the recommended best practice here?

Edit 2019-05-29T02:42+00:00: What I mean to ask in the last question is if a hidden directory under /etc is a good idea from the point of view of "security usability". As in, it might be disconcerting for a sysadmin to find a hidden file under /etc and therefore could be bad security practice, especially from the point of view of a package maintainer.

linux debian

share|improve this question

edited May 29 at 2:44

eternaltyro

asked May 28 at 11:18

eternaltyroeternaltyro

460413

• 
  
  
  

  
  38
  

  
  
  
  
  
  

  
  
  Hidden directories don't have any security impact at all. The reason they are hidden is so that it doesn't fill the user directories with fluff they don't care about. Having a hidden directory in /etc is quite pointless, as I expect lots of config stuff to b ethere.
  
  – MechMK1
  May 28 at 11:41
  

  
  
  
  


• 
  
  
  

  
  52
  

  
  
  
  
  
  

  
  
  Whenever I see a question asking whether something is safe, I'm left wondering: Safe against what?
  
  – Marc.2377
  May 29 at 0:06
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  @Marc.2377 That's a very smart question. This question could be interpreted a number of ways, now that I think about it...
  
  – Redwolf Programs
  May 29 at 1:50
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Aliasing ls to ls -A can help here from a security usability perspective.
  
  – forest
  May 29 at 3:14
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  
  @Marc.2377 Or equivalently, What is your threat model? ("Threat model" just being a fancy term for the things you're trying to protect against.)
  
  – jpmc26
  May 29 at 16:56
  
  

  
  
  
  

 | 
show 3 more comments

33

On Debian 9, installing default-jre creates a hidden directory /etc/.java. This is flagged as a warning while I run rkhunter. Looking up online, I found an old bug report against Debian. The bug was closed stating the sysadmin could configure rkhunter to ignore the directory.

Speaking simplistically from the point of view of operating system security, is it a good idea to have a hidden directory under /etc? Does it make security sense for rkhunter to look for and flag hidden files and directories under /etc? What's the recommended best practice here?

Edit 2019-05-29T02:42+00:00: What I mean to ask in the last question is if a hidden directory under /etc is a good idea from the point of view of "security usability". As in, it might be disconcerting for a sysadmin to find a hidden file under /etc and therefore could be bad security practice, especially from the point of view of a package maintainer.

linux debian

share|improve this question

edited May 29 at 2:44

eternaltyro

asked May 28 at 11:18

eternaltyroeternaltyro

460413

• 
  
  
  

  
  38
  

  
  
  
  
  
  

  
  
  Hidden directories don't have any security impact at all. The reason they are hidden is so that it doesn't fill the user directories with fluff they don't care about. Having a hidden directory in /etc is quite pointless, as I expect lots of config stuff to b ethere.
  
  – MechMK1
  May 28 at 11:41
  

  
  
  
  


• 
  
  
  

  
  52
  

  
  
  
  
  
  

  
  
  Whenever I see a question asking whether something is safe, I'm left wondering: Safe against what?
  
  – Marc.2377
  May 29 at 0:06
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  @Marc.2377 That's a very smart question. This question could be interpreted a number of ways, now that I think about it...
  
  – Redwolf Programs
  May 29 at 1:50
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Aliasing ls to ls -A can help here from a security usability perspective.
  
  – forest
  May 29 at 3:14
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  
  @Marc.2377 Or equivalently, What is your threat model? ("Threat model" just being a fancy term for the things you're trying to protect against.)
  
  – jpmc26
  May 29 at 16:56
  
  

  
  
  
  

 | 
show 3 more comments

On Debian 9, installing default-jre creates a hidden directory /etc/.java. This is flagged as a warning while I run rkhunter. Looking up online, I found an old bug report against Debian. The bug was closed stating the sysadmin could configure rkhunter to ignore the directory.

Speaking simplistically from the point of view of operating system security, is it a good idea to have a hidden directory under /etc? Does it make security sense for rkhunter to look for and flag hidden files and directories under /etc? What's the recommended best practice here?

Edit 2019-05-29T02:42+00:00: What I mean to ask in the last question is if a hidden directory under /etc is a good idea from the point of view of "security usability". As in, it might be disconcerting for a sysadmin to find a hidden file under /etc and therefore could be bad security practice, especially from the point of view of a package maintainer.

linux debian

share|improve this question

edited May 29 at 2:44

eternaltyro

asked May 28 at 11:18

eternaltyroeternaltyro

460413

share|improve this question

edited May 29 at 2:44

eternaltyro

asked May 28 at 11:18

eternaltyroeternaltyro

460413

share|improve this question

edited May 29 at 2:44

eternaltyro

asked May 28 at 11:18

eternaltyroeternaltyro

460413

asked May 28 at 11:18

eternaltyroeternaltyro

460413

asked May 28 at 11:18

eternaltyroeternaltyro

460413

2 Answers
2

active

oldest

votes

67

Yes, that's safe. There's nothing inherently insecure about having a hidden directory under /etc. The only reason rkhunter flags it is that it's uncommon for legitimate programs to do it, and when malware does it, it makes it less likely that you'd otherwise notice it.

share|improve this answer

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,54511019

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  That makes sense. My question was more from the point of view of security usability. Wouldn't a hidden directory under /etc be discomforting for any sysadmin?
  
  – eternaltyro
  May 29 at 2:38
  

  
  
  
  


• 
  
  
  

  
  18
  

  
  
  
  
  
  

  
  
  @eternaltyro It would affect comfort, yes, but not security.
  
  – Mołot
  May 29 at 7:33
  

  
  
  
  


• 
  
  
  

  
  7
  

  
  
  
  
  
  

  
  
  @eternaltyro It would be discomforting once, then you look into it and discover it is legitimate. After that, it is no longer discomforting.
  
  – Stig Hemmer
  May 29 at 9:21
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  If you felt really 'bad' about it and the program expected to look there, you could move the 'hidden' dot directory to a non-dot directory, and create a symlink from the hidden directory to the actual directory - then you would 'see' it, if that removed any discomfort...
  
  – Cinderhaze
  May 29 at 14:34
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @eternaltyro Discomfort and security have nothing to do with each other. An admin can be uncomfortable for any reason; an analysis of the risk is necessary to determine if something is secure. In this case, a known and accepted application created the directory so there is no appreciable risk. Malware and vulnerability scanners often flag things that pose no serious risk. It is the admin's job to review the results to determine whether each finding is a legitimate security concern. Whitelisting known-good applications is common and reasonable.
  
  – DoubleD
  May 30 at 21:57
  

  
  
  
  

add a comment | 

21

It is safe in the sense that no, it will not make the system unstable, nor will it make it vulnerable from a security standpoint.

That said, as MechMK1 points out, the only reason to use hidden directories is so that it doesn't fill the user directories with fluff they don't care about. The /etc directory, on the other hand is meant to contain such fluff, so I don't see why you'd want to hide it.

For this reason, it's not an expected action and rkhunter flags it as something suspicious that only malware would do. But you can totally do it too, if you so wish.

share|improve this answer

answered May 29 at 13:45

rahuldottechrahuldottech

8601613

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210923%2fis-having-a-hidden-directory-under-etc-safe%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

67

Yes, that's safe. There's nothing inherently insecure about having a hidden directory under /etc. The only reason rkhunter flags it is that it's uncommon for legitimate programs to do it, and when malware does it, it makes it less likely that you'd otherwise notice it.

share|improve this answer

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,54511019

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  That makes sense. My question was more from the point of view of security usability. Wouldn't a hidden directory under /etc be discomforting for any sysadmin?
  
  – eternaltyro
  May 29 at 2:38
  

  
  
  
  


• 
  
  
  

  
  18
  

  
  
  
  
  
  

  
  
  @eternaltyro It would affect comfort, yes, but not security.
  
  – Mołot
  May 29 at 7:33
  

  
  
  
  


• 
  
  
  

  
  7
  

  
  
  
  
  
  

  
  
  @eternaltyro It would be discomforting once, then you look into it and discover it is legitimate. After that, it is no longer discomforting.
  
  – Stig Hemmer
  May 29 at 9:21
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  If you felt really 'bad' about it and the program expected to look there, you could move the 'hidden' dot directory to a non-dot directory, and create a symlink from the hidden directory to the actual directory - then you would 'see' it, if that removed any discomfort...
  
  – Cinderhaze
  May 29 at 14:34
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @eternaltyro Discomfort and security have nothing to do with each other. An admin can be uncomfortable for any reason; an analysis of the risk is necessary to determine if something is secure. In this case, a known and accepted application created the directory so there is no appreciable risk. Malware and vulnerability scanners often flag things that pose no serious risk. It is the admin's job to review the results to determine whether each finding is a legitimate security concern. Whitelisting known-good applications is common and reasonable.
  
  – DoubleD
  May 30 at 21:57
  

  
  
  
  

add a comment | 

67

Yes, that's safe. There's nothing inherently insecure about having a hidden directory under /etc. The only reason rkhunter flags it is that it's uncommon for legitimate programs to do it, and when malware does it, it makes it less likely that you'd otherwise notice it.

share|improve this answer

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,54511019

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  That makes sense. My question was more from the point of view of security usability. Wouldn't a hidden directory under /etc be discomforting for any sysadmin?
  
  – eternaltyro
  May 29 at 2:38
  

  
  
  
  


• 
  
  
  

  
  18
  

  
  
  
  
  
  

  
  
  @eternaltyro It would affect comfort, yes, but not security.
  
  – Mołot
  May 29 at 7:33
  

  
  
  
  


• 
  
  
  

  
  7
  

  
  
  
  
  
  

  
  
  @eternaltyro It would be discomforting once, then you look into it and discover it is legitimate. After that, it is no longer discomforting.
  
  – Stig Hemmer
  May 29 at 9:21
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  If you felt really 'bad' about it and the program expected to look there, you could move the 'hidden' dot directory to a non-dot directory, and create a symlink from the hidden directory to the actual directory - then you would 'see' it, if that removed any discomfort...
  
  – Cinderhaze
  May 29 at 14:34
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @eternaltyro Discomfort and security have nothing to do with each other. An admin can be uncomfortable for any reason; an analysis of the risk is necessary to determine if something is secure. In this case, a known and accepted application created the directory so there is no appreciable risk. Malware and vulnerability scanners often flag things that pose no serious risk. It is the admin's job to review the results to determine whether each finding is a legitimate security concern. Whitelisting known-good applications is common and reasonable.
  
  – DoubleD
  May 30 at 21:57
  

  
  
  
  

add a comment | 

Yes, that's safe. There's nothing inherently insecure about having a hidden directory under /etc. The only reason rkhunter flags it is that it's uncommon for legitimate programs to do it, and when malware does it, it makes it less likely that you'd otherwise notice it.

share|improve this answer

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,54511019

share|improve this answer

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,54511019

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,54511019

answered May 28 at 13:24

Joseph SibleJoseph Sible

3,54511019

21

It is safe in the sense that no, it will not make the system unstable, nor will it make it vulnerable from a security standpoint.

That said, as MechMK1 points out, the only reason to use hidden directories is so that it doesn't fill the user directories with fluff they don't care about. The /etc directory, on the other hand is meant to contain such fluff, so I don't see why you'd want to hide it.

For this reason, it's not an expected action and rkhunter flags it as something suspicious that only malware would do. But you can totally do it too, if you so wish.

share|improve this answer

answered May 29 at 13:45

rahuldottechrahuldottech

8601613

add a comment | 

21

It is safe in the sense that no, it will not make the system unstable, nor will it make it vulnerable from a security standpoint.

That said, as MechMK1 points out, the only reason to use hidden directories is so that it doesn't fill the user directories with fluff they don't care about. The /etc directory, on the other hand is meant to contain such fluff, so I don't see why you'd want to hide it.

For this reason, it's not an expected action and rkhunter flags it as something suspicious that only malware would do. But you can totally do it too, if you so wish.

share|improve this answer

answered May 29 at 13:45

rahuldottechrahuldottech

8601613

add a comment | 

It is safe in the sense that no, it will not make the system unstable, nor will it make it vulnerable from a security standpoint.

That said, as MechMK1 points out, the only reason to use hidden directories is so that it doesn't fill the user directories with fluff they don't care about. The /etc directory, on the other hand is meant to contain such fluff, so I don't see why you'd want to hide it.

For this reason, it's not an expected action and rkhunter flags it as something suspicious that only malware would do. But you can totally do it too, if you so wish.

share|improve this answer

answered May 29 at 13:45

rahuldottechrahuldottech

8601613

share|improve this answer

answered May 29 at 13:45

rahuldottechrahuldottech

8601613

answered May 29 at 13:45

rahuldottechrahuldottech

8601613

answered May 29 at 13:45

rahuldottechrahuldottech

8601613