Date: Wed, 29 Jan 2020 07:50:57 -0800
From: Cy Schubert <Cy.Schubert@cschubert.com>
To: hackers@freebsd.org, David Wolfskill <david@catwhisker.org>, Gordon Bergling <gbergling@googlemail.com>, Wojciech Puchar <wojtek@puchar.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: More secure permissions for /root and /etc/sysctl.conf
Message-ID: <81E5B24A-BC03-4018-BED9-177071DE702A@cschubert.com>
In-Reply-To: <20200129120434.GM1270@albert.catwhisker.org>
References: <20200129120434.GM1270@albert.catwhisker.org>

On January 29, 2020 4:04:34 AM PST, David Wolfskill <david@catwhisker.org> wrote:
>On Wed, Jan 29, 2020 at 10:26:31AM +0100, Gordon Bergling via
>freebsd-hackers wrote:
>> Hi,
>>
>> I recently stumbled upon the default world readable permissions of /root and
>> /etc/sysctl.conf. I think that it would be more secure to reduce the default
>> permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
>>
>> I prepared a differential for the proposed change:
>> https://reviews.freebsd.org/D23392
>>
>> What do you think?
>>
>> Best regards,
>>
>> Gordon
>> ...
>
>On Wed, Jan 29, 2020 at 12:41:30PM +0100, Wojciech Puchar wrote:
>> ...
>> fully agree. i do it manually every time i build new system to create
>> tarfiles
>> ....
>
>For counterpoint, as well as a reminder of the "tools, not policy"
>catchphrase, I disagree, as I believe that doing so would increase the
>frequency of a need to escalate privilege merely to read (e.g.)
>configuration information that is not particularly "secret."
>
>For example, I have encountered systems where the administrator had
>/etc/rc.conf not-world-readable; I was needing to obtain root privilege
>way too often just to read the file... thus, for merely testing a new
>rc.d script (in a mode where it would merely report what it would have
>otherwise done). I submit that this does rather the opposite of
>"enhancing" security.
>
>I have no objection to providing a knob to adjust such a thing for a
>local configuration, and folks who want it can select it, while those
>who don't, need not do so.
>
>Peace,
>david

The CIS benchmark doesn't specify /root or home directory permissions; however, it does say umask must be 027 or better for all users. IMO reviewing the CIS benchmark would be the first place to start.

-- 
Pardon the typos and autocorrect, small keyboard in use.
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://www.FreeBSD.org

The need of the many outweighs the greed of the few.

Sent from my Android device with K-9 Mail. Please excuse my brevity.
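
Added example, not part of the original message or of the linked review: a POSIX sh audit of the modes proposed in this thread (/root at 0700, /etc/sysctl.conf at 0600) and of the "027 or better" umask, where "or better" is read as a bitwise superset of the masked bits. The function names and the --audit argument are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit the modes discussed above.
# Octal arguments may be written with or without a leading zero.

# True when ACTUAL grants no permission bit that LIMIT does not grant.
mode_within() {            # usage: mode_within ACTUAL LIMIT
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# True when ACTUAL masks every bit REQUIRED masks ("REQUIRED or better").
# This is a bitwise test: 066 is numerically larger than 027 but still
# leaves o+x unmasked, so it does not qualify.
umask_at_least() {         # usage: umask_at_least ACTUAL REQUIRED
    [ $(( 0$1 & 0$2 )) -eq $(( 0$2 )) ]
}

# Print a path's permission bits in octal: GNU stat first, then BSD stat.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null
}

# Report one path; returns 0 = within limit, 1 = too permissive, 2 = no stat.
audit() {                  # usage: audit PATH LIMIT
    m=$(file_mode "$1") || { echo "SKIP $1: cannot stat"; return 2; }
    if mode_within "$m" "$2"; then
        echo "OK   $1: mode $m"
    else
        echo "WARN $1: mode $m is more permissive than $2"; return 1
    fi
}

# Modes proposed in the thread, plus the umask cited from the CIS benchmark.
audit_defaults() {
    rc=0
    audit /root 0700 || rc=1
    audit /etc/sysctl.conf 0600 || rc=1
    if umask_at_least "$(umask)" 027; then
        echo "OK   umask $(umask)"
    else
        echo "WARN umask $(umask) is weaker than 027"; rc=1
    fi
    return $rc
}

# Run the audit only when asked, e.g.: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_defaults; fi
```

The script only reads modes and changes nothing, so it can run as an unprivileged user as long as the paths can be stat'ed.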
