Date: Wed, 29 Jan 2020 07:50:57 -0800
From: Cy Schubert <Cy.Schubert@cschubert.com>
To: hackers@freebsd.org, David Wolfskill <david@catwhisker.org>, Gordon Bergling <gbergling@googlemail.com>, Wojciech Puchar <wojtek@puchar.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: More secure permissions for /root and /etc/sysctl.conf
Message-ID: <81E5B24A-BC03-4018-BED9-177071DE702A@cschubert.com>
In-Reply-To: <20200129120434.GM1270@albert.catwhisker.org>
References: <20200129120434.GM1270@albert.catwhisker.org>

On January 29, 2020 4:04:34 AM PST, David Wolfskill <david@catwhisker.org> wrote:
>On Wed, Jan 29, 2020 at 10:26:31AM +0100, Gordon Bergling via
>freebsd-hackers wrote:
>> Hi,
>>
>> I recently stumbled upon the default world readable permissions of /root and
>> /etc/sysctl.conf. I think that it would be more secure to reduce the default
>> permission for /root to 0700 and to 0600 for /etc/sysctl.conf.
>>
>> I prepared a differential for the proposed change:
>> https://reviews.freebsd.org/D23392
>>
>> What do you think?
>>
>> Best regards,
>>
>> Gordon
>> ...
>
>On Wed, Jan 29, 2020 at 12:41:30PM +0100, Wojciech Puchar wrote:
>> ...
>> fully agree. i do it manually every time i build new system to create
>> tarfiles
>> ....
>
>For counterpoint, as well as a reminder of the "tools, not policy"
>catchphrase, I disagree, as I believe that doing so would increase the
>frequency of a need to escalate privilege merely to read (e.g.)
>configuration information that is not particularly "secret."
>
>For example, I have encountered systems where the administrator had
>/etc/rc.conf not-world-readable; I was needing to obtain root privilege
>way too often just to read the file... thus, for merely testing a new
>rc.d script (in a mode where it would merely report what it would have
>otherwise done). I submit that this does rather the opposite of
>"enhancing" security.
>
>I have no objection to providing a knob to adjust such a thing for a
>local configuration, and folks who want it can select it, while those
>who don't, need not do so.
>
>Peace,
>david

The CIS benchmark doesn't specify /root or home directory permissions; however, it does say umask must be 027 or better for all users.

IMO reviewing the CIS benchmark would be the first place to start.

--
Pardon the typos and autocorrect, small keyboard in use.
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://www.FreeBSD.org

The need of the many outweighs the greed of the few.

Sent from my Android device with K-9 Mail. Please excuse my brevity.
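
An added example, not part of the thread and not FreeBSD project code: a small /bin/sh audit of the modes under discussion, comparing permission bits as masks rather than as numbers. The function names are hypothetical, and reading "027 or better" as "the umask masks every bit that 027 masks" is an assumption.

```sh
#!/bin/sh
# Added example: audit the modes discussed in this thread.
# Limits: /root 0700 and /etc/sysctl.conf 0600 (the proposal), umask 027
# (the CIS figure cited in the reply). Function names are hypothetical.

# is_octal STR: true when STR is 1 to 4 octal digits.
is_octal() {
    case "$1" in
        ''|*[!0-7]*|?????*) return 1 ;;
    esac
}

# mode_within MAX MODE: true when MODE grants no bit that MAX lacks.
mode_within() {
    is_octal "$1" && is_octal "$2" || return 2
    [ $(( 0$2 & ~0$1 & 07777 )) -eq 0 ]
}

# umask_at_least REQ ACTUAL: true when ACTUAL masks every bit REQ masks.
# Assumption: this is what "027 or better" means. A numeric compare would
# wrongly accept 030, which still lets "other" read, write and execute.
umask_at_least() {
    is_octal "$1" && is_octal "$2" || return 2
    [ $(( 0$2 & 0$1 )) -eq $(( 0$1 )) ]
}

# path_mode PATH: print the octal mode; GNU stat first, then BSD stat.
path_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null
}

# audit_path PATH MAX: report one path; status 1 only on a real finding.
audit_path() {
    mode=$(path_mode "$1") || { echo "SKIP $1 (cannot stat)"; return 0; }
    if mode_within "$2" "$mode"; then
        echo "OK   $1 mode $mode (limit $2)"
    else
        echo "FAIL $1 mode $mode exceeds $2"; return 1
    fi
}

audit_defaults() {
    rc=0
    audit_path /root 0700 || rc=1
    audit_path /etc/sysctl.conf 0600 || rc=1
    umask_at_least 027 "$(umask)" || { echo "FAIL umask $(umask) weaker than 027"; rc=1; }
    return $rc
}

audit_defaults || true
```

The umask check covers only the shell that runs the script; auditing "all users" means running it in each account's login environment.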