From: Ryan Stone <rysto32@gmail.com>
Date: Wed, 29 Jan 2020 10:15:35 -0500
Subject: Re: More secure permissions for /root and /etc/sysctl.conf
To: Gordon Bergling
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>
In-Reply-To: <20200129092631.GA22505@lion.0xfce3.net>

On Wed, Jan 29, 2020 at 4:26 AM Gordon Bergling via freebsd-hackers wrote:
>
> Hi,
>
> I recently stumbled upon the default world readable permissions of /root and
> /etc/sysctl.conf. I think that it would be more secure to reduce the default
> permission for /root to 0700 and to 0600 for /etc/sysctl.conf.

I don't see the point in making this change to sysctl.conf. sysctls are
readable by any user. Hiding the contents of sysctl.conf does not prevent
unprivileged users from seeing what values have been changed from the
defaults; it merely makes it more tedious.
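The argument above (sysctl values are readable by any user, so a 0600 sysctl.conf hides nothing) can be checked mechanically. The script below is an added example, not code from the original thread or from FreeBSD: it diffs two `sysctl -a` dumps (a stock one and the hardened host's) to recover the changed settings, then shows they match what the sysctl.conf would reveal. The sysctl names are real FreeBSD knobs, but both dumps, the sample sysctl.conf and all values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): recover the sysctls an admin
# changed from the defaults using only world-readable `sysctl -a` output, and
# show it carries the same information as the /etc/sysctl.conf being hidden.
#
# On a real FreeBSD host the two dumps would come from
#   sysctl -a > defaults.txt   # fresh install of the same release
#   sysctl -a > current.txt    # hardened host, run as an unprivileged user
# Both are constructed inline here (hypothetical values) so the script runs offline.

DEFAULTS='kern.randompid: 0
net.inet.ip.redirect: 1
security.bsd.see_other_uids: 1
security.bsd.unprivileged_read_msgbuf: 1
net.inet.tcp.blackhole: 0'

CURRENT='kern.randompid: 1
net.inet.ip.redirect: 0
security.bsd.see_other_uids: 0
security.bsd.unprivileged_read_msgbuf: 1
net.inet.tcp.blackhole: 2'

# Constructed sample of the sysctl.conf the proposal would make mode 0600.
SYSCTL_CONF='# local hardening
kern.randompid=1
net.inet.ip.redirect=0
security.bsd.see_other_uids=0   # hide other users processes
net.inet.tcp.blackhole=2'

# changed_sysctls DEFAULTS CURRENT
# Prints "key: value" for every key whose current value differs from the
# default. Lines are tagged D/C and merged so awk sees both dumps in one pass;
# the value is the remainder of the line, so multi-word values compare whole.
changed_sysctls() {
    {
        printf '%s\n' "$1" | sed 's/^/D /'
        printf '%s\n' "$2" | sed 's/^/C /'
    } | awk '
        { tag = $1; key = $2; val = $0; sub(/^[DC] [^ ]+ */, "", val) }
        tag == "D" { def[key] = val; next }
        (key in def) && def[key] != val { print key " " val }
    '
}

# conf_settings CONF
# Normalises sysctl.conf "key=value" lines to the same "key: value" form,
# dropping comments and blank lines (simple unquoted values only).
conf_settings() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]//g' -e 's/=/: /'
}

# same_information: succeeds if the settings recoverable from `sysctl -a`
# equal the settings in sysctl.conf, i.e. the file hides nothing a local
# user cannot already see.
same_information() {
    [ "$(changed_sysctls "$DEFAULTS" "$CURRENT" | sort)" = "$(conf_settings "$SYSCTL_CONF" | sort)" ]
}

echo "Settings recoverable from world-readable sysctl -a output:"
changed_sysctls "$DEFAULTS" "$CURRENT"
same_information && echo "Identical to what /etc/sysctl.conf would reveal."
```

Run as any unprivileged user; the only thing a 0600 mode on the file adds is the need for a reference dump of the same release, which is the "more tedious" part of the reply.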