Date: Wed, 29 Jan 2020 11:25:00 +0100 From: Gary Jennejohn <gljennjohn@gmail.com> To: Gordon Bergling via freebsd-hackers <freebsd-hackers@freebsd.org> Cc: Gordon Bergling <gbergling@googlemail.com> Subject: Re: More secure permissions for /root and /etc/sysctl.conf Message-ID: <20200129112500.368610e8@ernst.home> In-Reply-To: <20200129105325.600cddc1@ernst.home> References: <20200129092631.GA22505@lion.0xfce3.net> <20200129105325.600cddc1@ernst.home>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 29 Jan 2020 10:53:25 +0100 Gary Jennejohn <gljennjohn@gmail.com> wrote: > On Wed, 29 Jan 2020 10:26:31 +0100 > Gordon Bergling via freebsd-hackers <freebsd-hackers@freebsd.org> wrote: > > > Hi, > > > > I recently stumbled upon the default world readable permissons of /root and > > /etc/sysctl.conf. I think that it would be more secure to reduce the default > > permission for /root to 0700 and to 0600 for /etc/sysctl.conf. > > > > I prepared a differtial for the proposed change: > > https://reviews.freebsd.org/D23392 > > > > What do you think? > > > > I think that changing the permissions on / would defeat the purpose of > /etc/devd.conf and then adding users to certain groups in /etc/group > to make devices usable without having to escalate to root rights. > I decided to actually test this case, since I thought I should back up my opinion with some facts. So, I did chmod 700 / and rebooted. I wasn't able to login as a normal user because an error was raised about not being able to find the root for audit (or similar wording). After changing root back to 755 and remounting /home I could log in. Your idea may work if all filesystems are in one big partition, I can't really say, but on my system /, /var, /usr and /home are separate partitions/disks. -- Gary Jennejohn
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200129112500.368610e8>