From: "Rodney W. Grimes"
Message-Id: <202001292134.00TLYce8066112@gndrsh.dnsmgr.net>
Subject: Re: More secure permissions for /root and /etc/sysctl.conf
In-Reply-To: <20200129092631.GA22505@lion.0xfce3.net>
To: Gordon Bergling
Date: Wed, 29 Jan 2020 13:34:38 -0800 (PST)
CC: freebsd-hackers@freebsd.org

> Hi,
>
> I recently stumbled upon the default world readable permissions of /root and
> /etc/sysctl.conf. I think that it would be more secure to reduce the default
> permission for /root to 0700 and to 0600 for /etc/sysctl.conf.

Those values are overkill. You really want to stop group wheel from
reading these? At most they should be 0750 and 0640, and even that
seems overboard.

If you're storing highly secure stuff in /root you're probably doing
something wrong anyway.

This appears to be security through obscurity based conservatism
with no given attack vector of some form.

Others have made good points as well.

This also appears to be changing a default that would lead to
many people unchanging it simply so a few that do change it
can impose their defaults.

>
> I prepared a differential for the proposed change:
> https://reviews.freebsd.org/D23392
>
> What do you think? Bad idea?
>
> Best regards,
>
> Gordon

-- 
Rod Grimes                                                 rgrimes@freebsd.org
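
The two sets of modes named in this message (0700/0600 as proposed, 0750/0640 as the reply's "at most"), checked against a path's actual mode. This is an added example, not part of the original e-mail; the function and tier names are assumptions made for illustration.

```python
import os
import stat

# Tiers named in the thread: the proposed modes and the reply's "at most" modes.
TIERS = {
    "dir":  {"proposed": 0o700, "at_most": 0o750},   # e.g. /root
    "file": {"proposed": 0o600, "at_most": 0o640},   # e.g. /etc/sysctl.conf
}

def within(mode, limit):
    """True if mode grants no permission bit that limit does not grant.

    A numeric comparison is wrong here: 0o707 < 0o750, yet 0o707 gives
    "other" full access. Setuid/setgid/sticky bits also count as excess.
    """
    return (mode & ~limit & 0o7777) == 0

def classify(mode, kind):
    """Report who can read an object with this mode and which tiers it meets."""
    need = 0o5 if kind == "dir" else 0o4   # listing a directory needs r and x
    return {
        "mode": format(mode, "04o"),
        "group_read": ((mode >> 3) & need) == need,
        "other_read": (mode & need) == need,
        "meets": [name for name, limit in TIERS[kind].items()
                  if within(mode, limit)],
    }

def audit(path):
    """Stat path without following symlinks; return None if it is absent."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
    result = classify(stat.S_IMODE(st.st_mode), kind)
    result["path"] = path
    return result

if __name__ == "__main__":
    for p in ("/root", "/etc/sysctl.conf"):
        print(audit(p))
```

With 0750 and 0640 the group (wheel, in this thread) keeps read access and only "other" loses it; with 0700 and 0600 both do.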